As part of a security and privacy revamp, Facebook is offering users worried about their privacy and potential account compromises a new authentication procedure, one that relies upon a physical security key to perform extra authentication before an account can be accessed.
Starting today, the social network will support security keys, USB thumb drives that plug into a Mac or PC and use the FIDO Alliance's open Universal 2nd Factor (U2F) standard to provide cryptographic proof of identity. The keys, such as those sold by Yubico, can be registered to an account through the two-factor authentication settings in the security menu.
Facebook already offers two-factor authentication as an extra security measure, with account holders able to use the Facebook app to generate a code or to have one sent in a text message to their phone. While suitable for the majority of users, the text message option is weaker: there is still the possibility of the SMS being intercepted by an attacker, or simply not arriving in a timely manner.
Facebook advises that logging in with a physical security key can be quicker than the other two-factor authentication methods, and that it also effectively makes the account immune to phishing attempts. The same key can also be reused as proof for other services, including Google accounts and Dropbox, allowing multiple services to be protected using one key.
While the additional security is useful, it does have its limitations in terms of compatibility. Safari is not a supported browser, so macOS users will have to use Opera or Chrome to log in using a security key, and it doesn't work when logging in via an iPhone or iPad, requiring mobile users to continue using one of the other two-factor authentication methods.
One small barrier to users is the need to buy a physical key. Yubico's supported YubiKeys start from $18 for a basic key, rising to $50 for models with more functions. Some of the more expensive keys also include NFC, which can be used to authenticate with the Facebook mobile site on an Android device, though not currently the Facebook app.