Facebook strengthens security with Fido-compliant authentication

SOCIAL SECURITY: Users can log in by tapping or inserting a U2F-compliant NFC key

Social media giant Facebook has added the Fido Alliance’s Universal Second Factor (U2F) specification to its platform to strengthen its range of two-factor authentication methods, which have previously been offered through an SMS service or a code generation feature inside the Facebook mobile app.

The addition of the Security Keys standard enables users to log in to their accounts by tapping a physical U2F-compliant NFC security key against their compatible mobile phone or by inserting the device into the USB port of their computer.

The U2F specification has been designed to enable internet users to securely access “any number of online services” with one single device, and is already supported by companies including Google, GitHub, Dropbox and Salesforce.

“This experience allows online services to augment the security of their existing password infrastructure by adding a strong second factor to user login,” says the Fido Alliance. “During registration and authentication, the user presents the second factor by simply pressing a button on a USB device or tapping over NFC.

“The user can use their Fido U2F device across all online services that support the protocol leveraging built-in support in web browsers.”

Physical key

Until now, Facebook has been enabling two-factor authentication through SMS or by a code generation service through the Facebook mobile app. “These options work pretty well for most people and in most circumstances,” the company says, “but SMS isn’t always reliable and having a phone backup available may not work well for everyone.

“Starting today, you can register a physical security key to your account so that the next time you log in after enabling login approvals, you’ll simply tap a small hardware device that goes in the USB drive of your computer. If you own a U2F-compatible security key and turn on login approvals, you can use it when logging into your Facebook account from a new computer or mobile device.

“Security keys for Facebook logins currently only work with certain web browsers and mobile devices, so we’ll ask you to also register an additional login approval method, such as your mobile phone or Code Generator.

“You’ll need to be using the latest version of Chrome or Opera. At this time, we don’t support security key logins for the mobile Facebook app, but if you have an NFC-capable Android device with the latest version of Chrome and Google Authenticator installed, you can use an NFC-capable key to log in from our mobile website.”

The Fido Alliance added NFC and Bluetooth Low Energy (BLE) support to U2F in July 2015 to extend its security protocol to devices without a USB port.