People ask all the time what they can do to make their online accounts more secure. Like most security professionals, I recommend setting up two-factor authentication (login approvals). That means when you log into Facebook from a new phone or browser, you’ll enter a special security code from your phone in addition to your password. That way, it’s much harder for someone else to access your account, even if they have your password.
Now we are taking that account protection a step further with Security Key. Most people get their security code for login approvals from a text message (SMS) or by using the Facebook app to generate the code directly on their phone. These options work pretty well for most people and in most circumstances, but SMS isn’t always reliable and having a phone back-up available may not work well for everyone.
Starting today, you can register a physical security key to your account so that the next time you log in after enabling login approvals, you’ll simply tap a small hardware device that plugs into a USB port on your computer. Security keys can be purchased through companies like Yubico, and the keys support the open Universal 2nd Factor (U2F) standard hosted by the FIDO Alliance.
Using security keys for two-factor authentication provides a number of important benefits:
- Phishing protection: Your login is practically immune to phishing because you don’t have to enter a code yourself and the hardware provides cryptographic proof that it’s in your machine.
- Interoperable: Security keys that support U2F don’t just work for Facebook accounts. You can use the same key for any supported online account (e.g. Google, Dropbox, GitHub, Salesforce), and those accounts can stay safe because the key doesn’t retain any records of where it is used.
- Fast login: If you use a security key with your desktop computer, logging in is as simple as a tap on the key after you enter your password.
Security keys for Facebook logins currently only work with certain web browsers and mobile devices, so we’ll ask you to also register an additional login approval method, such as your mobile phone or Code Generator. To add a security key from your computer, you’ll need to be using the latest version of Chrome or Opera. At this time we don’t support security key logins for our mobile Facebook app, but if you have an NFC-capable Android device with the latest version of Chrome and Google Authenticator installed, you can use an NFC-capable key to log in from our mobile website.
We’re excited to offer this additional option for logging into your Facebook account securely, and we’re grateful to Yubico for the support and feedback they’ve provided. You can read more about setting up your security key here.
Brad Hill is a Security Engineer at Facebook.