Standard User caffn8me
(knowledge is power) Fri 27-Jan-17 01:00:21

Facebook finally adds proper 2 Factor Authentication


 
Yes, you can now protect your Facebook account with 2FA using an app such as Duo Mobile or Google Authenticator or by using a U2F key like a Yubikey.

For the latter you'll need a browser which supports U2F. Firefox doesn't natively, but you can install the U2F addon and then Custom UserAgent String to change your browser's UserAgent to fool Facebook into thinking you're using a Chrome browser which supports U2F.

I've tested it with the Duo Authenticator app and both Yubikey 4 and Yubikey U2F keys and all is good.

More information from Facebook - https://www.facebook.com/help/401566786855239?pnref=...

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Fri 27-Jan-17 01:05:38)

Standard User gomezz
(eat-sleep-adslguide) Fri 27-Jan-17 09:51:41

Re: Facebook finally adds proper 2 Factor Authentication


[re: caffn8me]
 
I do not see the advantage over getting a text code sent to my phone?

BT Infinity 1 (unlimited)
Standard User BatBoy
(sensei) Fri 27-Jan-17 10:15:47

Re: Facebook finally adds proper 2 Factor Authentication


[re: gomezz]
 
Two things off the top of my head - you don't have to wait for the code to arrive, and are you aware that SMS has been compromised and is essentially open?



Standard User bobble_bob
(knowledge is power) Fri 27-Jan-17 11:00:16

Re: Facebook finally adds proper 2 Factor Authentication


[re: BatBoy]
 
It's still relatively secure. To access your SMS they need to know your number and what phone you have.
Standard User BatBoy
(sensei) Fri 27-Jan-17 11:06:30

Re: Facebook finally adds proper 2 Factor Authentication


[re: bobble_bob]
 
It is easy to subvert, however; attackers with basic target information can easily trick phone companies into porting numbers after passing identity checks. This has been used by fraudsters to ensure banks' transfer warning SMS never reach victims.
Standard User caffn8me
(knowledge is power) Fri 27-Jan-17 12:19:21

Re: Facebook finally adds proper 2 Factor Authentication


[re: gomezz]
 
Firstly, as highlighted by BatBoy, SMS is insecure. There are protocol vulnerabilities and it's not necessary to port a phone number to intercept SMS, nor do you need to install anything on the target phone or have physical access to it. See SS7 hack explained: what can you do about it?.

If someone's going to hack into your Facebook account they need your password and email address. If they already have both of those, there's a reasonable chance they have your mobile number too. SMS interception isn't rocket science. You might want to check to see if any passwords associated with your email address have been compromised at https://haveibeenpwned.com/

Secondly, if you have no mobile signal you can't get an SMS but you can still use an authenticator app.

Thirdly, if you don't have your mobile at all, you can still use a USB token.

Finally, it's a lot faster to use either a hardware token or an authenticator app (which is free) than it is to wait for SMS delivery.

It's free, fast and secure. What's not to like?

Sarah


Edited by caffn8me (Fri 27-Jan-17 12:27:27)

Standard User gomezz
(eat-sleep-adslguide) Fri 27-Jan-17 12:33:21

Re: Facebook finally adds proper 2 Factor Authentication


[re: caffn8me]
 
A shame Facebook itself could not explain the advantages to me with such comprehensive clarity.

BT Infinity 1 (unlimited)
Standard User bobble_bob
(knowledge is power) Fri 27-Jan-17 13:34:07

Re: Facebook finally adds proper 2 Factor Authentication


[re: BatBoy]
 
For someone to access my Facebook, for example, they need my username and password (to initiate an SMS code), and then my phone number along with my name, DOB or address to convince my service provider they are me.

Would an attacker bother to go to those lengths? Or would they go for the easy option of attacking people without 2 step verification?
Standard User caffn8me
(knowledge is power) Fri 27-Jan-17 13:59:10

Re: Facebook finally adds proper 2 Factor Authentication


[re: bobble_bob]
 
No they don't. They need your email address and password and they need your mobile phone number. That's all.

Sarah

Standard User bobble_bob
(knowledge is power) Fri 27-Jan-17 14:24:58

Re: Facebook finally adds proper 2 Factor Authentication


[re: caffn8me]
 
Forgive my ignorance, but how would I, say, intercept your SMS if I knew your number?

I always thought it required the attacker to pretend he was you to get a sim swap to a sim card he owned.