Standard User caffn8me
(knowledge is power) Fri 27-Jan-17 01:00:21

Facebook finally adds proper 2 Factor Authentication

Yes, you can now protect your Facebook account with 2FA using an app such as Duo Mobile or Google Authenticator or by using a U2F key like a Yubikey.

For the latter you'll need a browser which supports U2F. Firefox doesn't natively but you can install the U2F addon and then Custom UserAgent String to change your browser's UserAgent to fool Facebook into thinking you're using a Chrome browser which supports U2F.

I've tested it with the Duo Authenticator app and both Yubikey 4 and Yubikey U2F keys and all is good.

More information from Facebook - https://www.facebook.com/help/401566786855239?pnref=...

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Fri 27-Jan-17 01:05:38)

Standard User gomezz
(eat-sleep-adslguide) Fri 27-Jan-17 09:51:41

Re: Facebook finally adds proper 2 Factor Authentication
[re: caffn8me]

I do not see the advantage over getting a text code sent to my phone?

BT Infinity 1 (unlimited)
Standard User BatBoy
(sensei) Fri 27-Jan-17 10:15:47

Re: Facebook finally adds proper 2 Factor Authentication
[re: gomezz]

Two things off the top of my head - you don't have to wait for the code to arrive, and are you aware that SMS has been compromised and is essentially open?



Standard User bobble_bob
(knowledge is power) Fri 27-Jan-17 11:00:16

Re: Facebook finally adds proper 2 Factor Authentication
[re: BatBoy]

It's still relatively secure. To access your SMS they need to know your number and what phone you have.
Standard User BatBoy
(sensei) Fri 27-Jan-17 11:06:30

Re: Facebook finally adds proper 2 Factor Authentication
[re: bobble_bob]

It is easy to subvert, however; attackers with basic target information can easily trick phone companies into porting numbers after passing identity checks. This has been used by fraudsters to ensure banks' transfer warning SMS never reach victims.
Standard User caffn8me
(knowledge is power) Fri 27-Jan-17 12:19:21

Re: Facebook finally adds proper 2 Factor Authentication
[re: gomezz]

Firstly, as highlighted by BatBoy, SMS is insecure. There are protocol vulnerabilities and it's not necessary to port a phone number to intercept SMS, nor do you need to install anything on the target phone or have physical access to it. See SS7 hack explained: what can you do about it?.

If someone's going to hack into your Facebook account they need your password and email address. If they already have both of those, there's a reasonable chance they have your mobile number too. SMS interception isn't rocket science. You might want to check to see if any passwords associated with your email address have been compromised at https://haveibeenpwned.com/

Secondly, if you have no mobile signal you can't get an SMS but you can still use an authenticator app.

Thirdly, if you don't have your mobile at all, you can still use a USB token.

Finally, it's a lot faster to use either a hardware token or an authenticator app (which is free) than it is to wait for SMS delivery.

It's free, fast and secure. What's not to like?

Sarah


Edited by caffn8me (Fri 27-Jan-17 12:27:27)

Standard User gomezz
(eat-sleep-adslguide) Fri 27-Jan-17 12:33:21

Re: Facebook finally adds proper 2 Factor Authentication
[re: caffn8me]

A shame Facebook itself could not explain the advantages to me with such comprehensive clarity.

Standard User bobble_bob
(knowledge is power) Fri 27-Jan-17 13:34:07

Re: Facebook finally adds proper 2 Factor Authentication
[re: BatBoy]

For someone to access my Facebook, for example, they need my username and password (to initiate an SMS code), and then my phone number along with my name, DOB or address to convince my service provider they are me.

Would an attacker bother to go to those lengths? Or would they go for the easy option of attacking people without 2 step verification?
Standard User caffn8me
(knowledge is power) Fri 27-Jan-17 13:59:10

Re: Facebook finally adds proper 2 Factor Authentication
[re: bobble_bob]

No they don't. They need your email address and password and they need your mobile phone number. That's all.

Sarah

Standard User bobble_bob
(knowledge is power) Fri 27-Jan-17 14:24:58

Re: Facebook finally adds proper 2 Factor Authentication
[re: caffn8me]

Forgive my ignorance, but how would I, say, intercept your SMS if I knew your number?

I always thought it required the attacker to pretend he was you to get a SIM swap to a SIM card he owned.
Standard User caffn8me
(knowledge is power) Fri 27-Jan-17 15:29:24

Re: Facebook finally adds proper 2 Factor Authentication
[re: bobble_bob]

There are major vulnerabilities in the SS7 protocol which is used by mobile phone networks. One particular vulnerability relates to roaming on other networks and this cannot be protected without disabling roaming. It is this vulnerability which enables third parties to impersonate a subscriber and intercept SMS messages.

Briefly, the mobile network knows how to get messages and calls to your phone because your phone registers with the network and says where it is. If a rogue device pretends to be your phone (all that's needed is the number), calls and messages can be routed to the new device.

It's discussed here:

"4.1.5. Interception – SMS

The updateLocation message is used to update the subscriber’s location in the network. It informs the network of which VLR/MSC the subscriber is currently connected to.

Using a fake updateLocation message the attacker claims that the victim's MS is connected to their MSC. In this case, the subscriber SMSs will be forwarded to the attacker’s SMS center to be delivered to the MS. (Engel, 2014, p42) In addition to intercepting personal SMSs of the target, this attack can be used against authentication systems that utilize SMS verification (SMS token, Facebook verification, etc.) and could lead to the compromise of the target’s identity."

and in more detail in Tobias Engel's 2014 paper SS7: Locate. Track. Manipulate.

Sarah


Edited by caffn8me (Fri 27-Jan-17 15:45:40)

Standard User zyborg47
(eat-sleep-adslguide) Sun 19-Mar-17 11:12:40

Re: Facebook finally adds proper 2 Factor Authentication
[re: caffn8me]

I do not like 2FA, it is a pain in the neck, this was one of the reasons I left Vodafone for their mobile service because they forced it onto us.

Adrian

Desktop machine now powered by windows 8.1 pro 64bit, no dreaded metro, laptop by Linux

Plusnet FTTC
Standard User caffn8me
(knowledge is power) Mon 20-Mar-17 14:24:18

Re: Facebook finally adds proper 2 Factor Authentication
[re: zyborg47]

I feel it's more of a reassurance than a pain.

What may be a minor inconvenience to me is a major pain in the backside for hackers.

It just takes a little longer to log in but I know that on the sites for which I have 2FA enabled, if their password databases get hacked, my accounts still shouldn't be compromised.

Sarah

Standard User gomezz
(eat-sleep-adslguide) Mon 20-Mar-17 15:17:37

Re: Facebook finally adds proper 2 Factor Authentication
[re: caffn8me]

And it's a once-only effort for your trusted devices (i.e. non-shared personal devices only you have physical access to).
