Facebook upgrades security for 1.79bn users to make them 'unphishable'

News by Tom Reeve

Facebook makes accounts 'unphishable' with adoption of the FIDO universal two-factor authentication, a physical key that fits into the USB port of your computer.

Facebook has upgraded the security on its login interface for its 1.79 billion users by adding FIDO universal two-factor authentication.

Integrating U2F into the social platform means that users who wish to use two-factor authentication (2FA) no longer have to rely on a phone for the code.

By installing a security key, such as the YubiKey, in the USB port of their computer, users can provide second-factor authentication with a simple tap on the key.

2FA has becoming increasingly important as a defence against credential theft, including phishing and spoofing attacks.

The UK government became the first in the world to adopt FIDO in March 2016 when it adopted it to protect the gov.uk Verify service.

FIDO explains that users' logins are nearly immune to phishing because they don't need to enter a code and the USB key provides cryptographic proof that it's in your machine.

U2F has been adopted by a range of sites now including Google, Dropbox, Github and Salesforce. It was developed by Google and Yubico, which offers keys for sale, but it is an open standard and is hosted by the Fast Identity Online (FIDO) Alliance.

One key can be used across multiple sites, and as the key doesn't store data on the sites it visits, it is not a security risk in itself.

If a hacker attempts to log into a protected account, they will be blocked unless they have the password and the physical key.

An internal Google study concluded that U2F is one of the most secure, easy to use and cost-efficient authentication technologies available.

Facebook security engineer Brad Hill wrote in a blog today that the new feature only works with the Chrome and Opera browsers and doesn't support security key logins for the mobile Facebook app, but it is possible – with an NFC Android phone and the latest versions of Chrome and Google Authenticator installed – to log in through the mobile website.

The adoption of U2F by Facebook is seen as a major boost for the FIDO Alliance standard.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews