Yes, you can now protect your Facebook account with 2FA using an app such as Duo Mobile or Google Authenticator, or by using a U2F key like a YubiKey.
For the latter you'll need a browser which supports U2F. Firefox doesn't natively, but you can install the U2F add-on and then Custom UserAgent String to change your browser's user agent to fool Facebook into thinking you're using a Chrome browser, which supports U2F.
I've tested it with the Duo Mobile app and both YubiKey 4 and YubiKey U2F keys and all is good.
More information from Facebook - https://www.facebook.com/help/401566786855239?pnref=...
Edited by caffn8me (Fri 27-Jan-17 01:05:38)
I do not see the advantage over getting a text code sent to my phone?
BT Infinity 1 (unlimited)
Two things off the top of my head: you don't have to wait for the code to arrive, and are you aware that SMS has been compromised and is essentially open?
It's still relatively secure. To access your SMS they need to know your number and what phone you have.
It is easy to subvert, however; attackers with basic target information can easily trick phone companies into porting numbers after passing identity checks. This has been used by fraudsters to ensure banks' transfer warning SMS never reach victims.
Firstly, as highlighted by BatBoy, SMS is insecure. There are protocol vulnerabilities, and it's not necessary to port a phone number to intercept SMS, nor do you need to install anything on the target phone or have physical access to it. See "SS7 hack explained: what can you do about it?".
If someone's going to hack into your Facebook account they need your password and email address. If they already have both of those, there's a reasonable chance they have your mobile number too. SMS interception isn't rocket science. You might want to check to see if any passwords associated with your email address have been compromised at https://haveibeenpwned.com/
Secondly, if you have no mobile signal you can't get an SMS but you can still use an authenticator app.
Thirdly, if you don't have your mobile at all, you can still use a USB token.
Finally, it's a lot faster to use either a hardware token or an authenticator app (which is free) than it is to wait for SMS delivery.
It's free, fast and secure. What's not to like?
Edited by caffn8me (Fri 27-Jan-17 12:27:27)
A shame Facebook itself could not explain the advantages to me with such comprehensive clarity.
BT Infinity 1 (unlimited)
For someone to access my Facebook, for example, they need my username and password (to initiate an SMS code), and then my phone number along with my name, DOB or address to convince my service provider they are me.
Would an attacker bother to go to those lengths? Or would they go for the easy option of attacking people without 2 step verification?
No they don't. They need your email address and password and they need your mobile phone number. That's all.
Forgive my ignorance, but how would I, say, intercept your SMS if I knew your number?
I always thought it required the attacker to pretend he was you to get a SIM swap to a SIM card he owned.
There are major vulnerabilities in the SS7 protocol which is used by mobile phone networks. One particular vulnerability relates to roaming on other networks, and this cannot be protected against without disabling roaming. It is this vulnerability which enables third parties to impersonate a subscriber and intercept SMS messages.
Briefly, the mobile network knows how to get messages and calls to your phone because your phone registers with the network and says where it is. If a rogue device pretends to be your phone (all that's needed is the number), calls and messages can be routed to the new device.
It's discussed here, in section 4.1.5, "Interception – SMS":
"The updateLocation message is used to update the subscriber's location in the network. It informs the network of which VLR/MSC the subscriber is currently connected to. Using a fake updateLocation message the attacker claims that the victim's MS is connected to their MSC. In this case, the subscriber's SMSs will be forwarded to the attacker's SMS center to be delivered to the MS. (Engel, 2014, p42) In addition to intercepting personal SMSs of the target, this attack can be used against authentication systems that utilize SMS verification (SMS token, Facebook verification, etc.) and could lead to the compromise of the target's identity."
and in more detail in Tobias Engel's 2014 paper "SS7: Locate. Track. Manipulate."
Edited by caffn8me (Fri 27-Jan-17 15:45:40)
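To make the mechanism in the post above concrete, here is a deliberately simplified model of the home network's HLR and the two MAP operations involved, added here as an illustration and not taken from the post or from Engel's paper. It does no real SS7 signalling: the "messages" are Python calls, and every global title, IMSI and MSISDN is made up. The attacker first resolves the phone number to an IMSI with sendRoutingInfoForSM (the lookup the SMS centre itself performs), then sends updateLocation claiming the victim's phone is on the attacker's MSC; from then on the HLR points SMS delivery at the attacker. The `roaming_allowed` flag models the post's observation that the only subscriber-side protection is to turn roaming off.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Subscriber:
    msisdn: str                        # phone number (hypothetical)
    imsi: str                          # SIM identity (hypothetical)
    current_msc: Optional[str] = None  # global title of the MSC/VLR currently serving the phone
    roaming_allowed: bool = True       # False == "roaming disabled" on the subscription


@dataclass
class HLR:
    """Toy Home Location Register. Only the two operations relevant to SMS interception are modelled."""
    home_gt_prefix: str                                    # GT prefix of the home network's own MSCs
    subscribers: Dict[str, Subscriber] = field(default_factory=dict)   # keyed by IMSI
    log: List[str] = field(default_factory=list)

    def send_routing_info_for_sm(self, msisdn: str) -> Optional[Tuple[str, str]]:
        """MAP sendRoutingInfoForSM: 'where do I deliver an SMS for this number?'
        Answers with (IMSI, serving MSC). Anyone with SS7 access can ask."""
        for sub in self.subscribers.values():
            if sub.msisdn == msisdn:
                return sub.imsi, sub.current_msc
        return None

    def update_location(self, imsi: str, msc_gt: str) -> bool:
        """MAP updateLocation: 'this IMSI is now served by MSC/VLR msc_gt'.
        The HLR cannot tell a genuine roaming VLR from an attacker's node; it can only
        refuse foreign locations outright when the subscriber has roaming disabled."""
        sub = self.subscribers[imsi]
        is_foreign = not msc_gt.startswith(self.home_gt_prefix)
        if is_foreign and not sub.roaming_allowed:
            self.log.append(f"REJECT updateLocation imsi={imsi} from {msc_gt} (roaming disabled)")
            return False
        sub.current_msc = msc_gt
        self.log.append(f"ACCEPT updateLocation imsi={imsi} -> {msc_gt}")
        return True

    def deliver_sms(self, msisdn: str) -> Optional[str]:
        """Where the SMS centre would send a message for this number right now."""
        info = self.send_routing_info_for_sm(msisdn)
        return info[1] if info else None


def simulate(roaming_allowed: bool) -> dict:
    """Run the attack from the post against one subscriber and report where SMS goes."""
    hlr = HLR(home_gt_prefix="441")
    victim = Subscriber(msisdn="447700900123", imsi="234150000000001",
                        roaming_allowed=roaming_allowed)
    hlr.subscribers[victim.imsi] = victim
    hlr.update_location(victim.imsi, "441234000001")        # phone registers on a home MSC
    before = hlr.deliver_sms(victim.msisdn)

    attacker_msc = "999900000001"                            # attacker's SS7-connected node
    imsi, _serving = hlr.send_routing_info_for_sm(victim.msisdn)   # number -> IMSI
    accepted = hlr.update_location(imsi, attacker_msc)       # the fake updateLocation
    after = hlr.deliver_sms(victim.msisdn)

    return {
        "before": before,
        "accepted": accepted,
        "after": after,
        "intercepted": after == attacker_msc,
        "log": hlr.log,
    }


if __name__ == "__main__":
    for roaming in (True, False):
        r = simulate(roaming)
        print(f"roaming_allowed={roaming}: SMS delivered to {r['after']} (intercepted={r['intercepted']})")
```

Two things the model makes visible that the prose only states: the attacker never needs the victim's password or SIM, only the number and a route into the SS7 network; and disabling roaming is a blunt instrument, because a subscriber who actually travels cannot use it. Operators address this with SS7 firewalls and SMS home routing, neither of which the subscriber can verify, which is the practical argument for an authenticator app or U2F key instead.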
I do not like 2FA; it is a pain in the neck. This was one of the reasons I left Vodafone for their mobile service, because they forced it onto us.
Adrian
Desktop machine now powered by Windows 8.1 Pro 64-bit, no dreaded Metro; laptop by Linux
Plusnet FTTC
I feel it's more of a reassurance than a pain.
What may be a minor inconvenience to me is a major pain in the backside for hackers.
It just takes a little longer to log in but I know that on the sites for which I have 2FA enabled, if their password databases get hacked, my accounts still shouldn't be compromised.
And it's a once-only effort for your trusted devices (i.e. non-shared personal devices only you have physical access to).
BT Infinity 1 (unlimited)