Facebook Touts ‘Safer’ Security Key Login

Facebook is letting users tie a physical security key to their account as an added layer of security.

Facebook is giving privacy-minded users looking to fortify their accounts yet another layer of security.

Brad Hill, a security engineer with the social network, announced on Facebook’s Security page on Thursday that effective immediately, it would let users tie a physical security key to their account.

Users can enter their password, then using a security key that plugs into a computer’s USB drive, such as Yubico’s YubiKey, tap it to verify their identity.

Hill said the move was partially done because some users may not always have a phone on hand.

“Most people get their security code for login approvals from a text message (SMS) or by using the Facebook app to generate the code directly on their phone. These options work pretty well for most people and in most circumstances, but SMS isn’t always reliable and having a phone back-up available may not work well for everyone,” Hill wrote Thursday.

For years the social network has offered a service, login approvals, in which users are asked for a special security code each time they access their account from a new computer or mobile device. Users can pair that feature with another feature, Code Generator, which creates a new security code every 30 seconds.  That code is then used in addition to a user’s password to access their account.

Hill claims that while users can start using a security key this week, the technology only works with Chrome and Opera. Facebook says it’s still working to support keys on the mobile Facebook app as well but claims users can access m.facebook.com on NFC-capable android devices. Users will have to use an additional login method – mobile phone or Code Generator – to secure entry to their accounts until the technology is more widespread.

Security tokens like the YubiKey, which stores cryptographic keys, have long been viewed as an alternative to two-factor authentication. Facebook just happens to be one of the first social networks to embrace the technology on a wider scale.

Dropbox, GitHub, and Salesforce offer users similar technologies; password managers like KeePass and LastPass also support the YubiKey. Employees at Google have used the devices, which rely on FIDO Universal Second Factor (U2F) authentication, for years.

The move is the latest in a long line of efforts from Facebook to secure its users.

Over the last few years the company has debuted a security checkup tool to give users insight on available features they might not be using.

The company has also given users the option to add end-to-end encryption to the notification emails it sends out, started warning users when their account has been targeted or compromised by a nation state campaign, and allowed users to post their public OpenPGP keys on their profile.

Suggested articles