January 30, 2017
Facebook's support for USB security keys is a good move and one others should follow
In an attempt to increase the security of online accounts, Facebook has added support for 2 factor authentication using USB security keys.
The security keys supported are ones that support a standard called U2F which stands for Universal 2nd Factor authentication. Logging into Facebook still involves using a username and password but the 2nd factor of the process is simply a matter of inserting the key into the computer and touching a metallic part of the key. The process is faster than using an SMS text message or special authenticator app and it is potentially more secure.
U2F was designed to provide a physical device that wasn't susceptible to hackers using "man in the middle attacks". Theoretically, a hacker could reproduce the login page of a bank or a service like Google and get the user to put their username and password in. Even when a text message is sent to the phone or an application like Google Authenticator is used, the fake login screen can simply capture that information from the user and pass it on to log in.
With U2F, the exchange of information that is provided by the secure key is able to prevent this type of attack and even alert the user to the fact that the login screen was fake.
Using SMS text messages to receive a second key also suffers from the problem that hackers can use a variety of means to intercept text messages. Hackers have been able to socially engineer telecommunications providers and get replacement SIM cards sent to them to hijack a person's phone. It is also possible to get text messages re-routed to another number using a weakness in mobile wireless communication protocols. Hackers can also use fake mobile phone towers to intercept the text messages.
There are a number of issues with security keys however. They cost between US$18 and US$50 and they currently only work with modern versions of the Chrome and Opera browsers on computers and Android phones that support NFC.
The other problem is that at present, you can only use a security key using U2F to log into Google, Facebook, GitHub, Salesforce and Dropbox.
There is no sign that Apple is planning to add support for U2F in its Safari browser or as a second factor in authorising iCloud logins. Currently, 2 factor authentication for iCloud logins involves a second Apple device providing a code. This suffers the same vulnerability to man in the middle attacks shown by using an SMS or other authenticator application. When Touch ID can be used, like on the new MacBook Pro laptop or even on Apple mobile devices, it is not used as a second factor but as a convenient way to access the main password.
Two factor authentication using SMS messages, or better still, applications like Google Authenticator, is still far more secure than using a simple username and password. Using a secure key makes the process faster and more convenient and increases the level of security. For this reason, it is good news that Facebook has added support for U2F and it would be hugely beneficial if more sites and companies like Apple were to support this form of security.
Having personally used a Yubico U2F USB-C key with a MacBook for the past few weeks, the experience has been far more positive than using the Google App which was slower and more cumbersome than the simple operation of sticking the USB key in and touching it to authenticate. I keep the key with my other physical keys and so it is always at hand and harder to lose. If the key is not available, it is still possible to revert to using SMS or a secondary form of authentication for most applications.