I work in computer security, so I know this sounds crazy. But my brain has been rewired to work in failure modes by the not-security domain I happen to do security stuff in.
The obvious argument for TFA is to reduce the chances that my Facebook account is subject to the bad consequences that come from a compromised Facebook account.
I'd much rather they reduce or eliminate the severity of the failure effect in the first place. TFA is only a mitigation that reduces the likelihood of account compromise. It shouldn't be possible for someone who swipes my yubikey to do any more than cause a minor social annoyance.
Unfortunately the presence of the mitigation (TFA) will - if adopted to significant numbers - combine with Facebook's other incentives to produce more severe failure effects for account compromise.
Remember back when facebook was still in its just-college phase? And dicking around on your friend's facebook account if they left their computer unlocked was normal? And when you saw someone acting unusual, you sorta assumed someone was messing with their account? Yeah, I don't want a compromise of my facebook account to ever be more severe than it was back then.
That said, I understand the lack of support since I am an extremely small niche, and this did prompt me to finally add 2FA to facebook (U2F and code generation from my Yubikey Neo)
[1] https://addons.mozilla.org/en-US/firefox/addon/u2f-support-a...
For U2F, they have to write code to interact with the operating system USB API (for each operating system), plus the main U2F code, plus a Javascript API, all while taking care to not cause any new privacy leaks or worse.
If you want to follow, the main bugzilla item seems to be this one: https://bugzilla.mozilla.org/showdependencytree.cgi?id=10657...
The tree of bugs to follow is rooted at https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
When your users don't really care, your priorities shift down.
Another U2F hardware key is the Trezor bitcoin hardware wallet ( https://blog.trezor.io/secure-two-factor-authentication-with... ) which has the added benefit that you can backup all your U2F private keys. I'm not aware of how you could do this with a Yubico U2F key -- if someone knows, please enlighten me.
https://sc4.us/hsm/index.html
(Full disclosure: this is my company.)
That's a big flaw to me. It should only send the SMS if I specifically say, "Use my backup SMS method". I switched to use an authenticator app instead as a result.
"Security keys for Facebook logins currently only work with certain web browsers and mobile devices, so we'll ask you to also register an additional login approval method, such as your mobile phone or Code Generator"
So as usual, the U2F standard being adopted by companies these days is only as strong as SMS 2FA, because of this requirement.
Can someone tell me what's the point then? Is it that they hope that in the end U2F will get popular enough that they'll remove that requirement? I would hope that's it. Otherwise, I don't see the point.
I wish they at least allowed you to opt-out of the SMS back-up before you even had to give them your number. Of course, we're talking about Facebook here, so they won't waste any opportunity to make it seem like you have no choice but to give them your phone number.
A requirement to have one backup, which doesn't have to be SMS. It appears to allow a manually pregenerated list of codes, for example. See the UI: https://scontent-dft4-1.xx.fbcdn.net/v/t31.0-8/p720x720/1617...
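The comment above points at pregenerated backup codes as the non-SMS fallback. Below is an added example, not code from this thread or from Facebook, of how a service can issue and redeem such codes so that the fallback is not weaker than the U2F key it backs up: codes come from a CSPRNG, are stored only as salted PBKDF2 hashes (they have roughly 40 bits of entropy, so plaintext storage would be a liability), are compared in constant time, and are burned on first use. The class name `BackupCodeStore`, the alphabet, the code length and the iteration count are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Alphabet without visually ambiguous characters (0/O, 1/I/L) so a printed
# code can be typed back reliably. 31 symbols ^ 8 positions ~= 40 bits.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def generate_backup_codes(count=10, length=8):
    """Return `count` single-use codes drawn from the OS CSPRNG (secrets)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]


def normalize(code):
    """Accept whatever the user typed: drop spaces/dashes, fold case."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def hash_code(code, salt):
    # ~40 bits of entropy is password-grade, so store codes like passwords:
    # salted and stretched, never in plaintext. Iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 100_000)


class BackupCodeStore:
    """Per-account store of hashed, single-use backup codes (hypothetical)."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.hashes = []  # one entry per unused code

    def issue(self, count=10):
        """Mint a fresh batch; the plaintext list is shown to the user exactly once."""
        codes = generate_backup_codes(count)
        self.hashes = [hash_code(c, self.salt) for c in codes]
        return codes

    def redeem(self, candidate):
        """Return True and consume the code if it matches an unused one."""
        digest = hash_code(candidate, self.salt)
        for i, stored in enumerate(self.hashes):
            # Constant-time comparison: no timing side channel on the match.
            if hmac.compare_digest(stored, digest):
                del self.hashes[i]  # burn it: a code never works twice
                return True
        return False

    def remaining(self):
        """How many codes are left; a UI should nudge the user to reissue near 0."""
        return len(self.hashes)


if __name__ == "__main__":
    store = BackupCodeStore()
    for code in store.issue():
        print(code)
    print("remaining:", store.remaining())
```

Because the fallback is only as strong as its weakest path, the redeem step should sit behind the same rate limiting and lockout as the primary login, and the issue step should itself require a fresh second factor; otherwise an attacker who has the password can simply mint a new batch.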
