Facebook rolls out safer logins with a security key

No one wants to hand over their account to a hacker. Today, Facebook is adding a new feature that will help protect users from getting their accounts compromised.

Facebook users can now use a security key to authenticate their identity during the login process. If you use a security key, hackers won’t be able to get into your Facebook account, even if they have your username and password.

Security keys are a form of two-factor authentication — an optional extra layer of security that helps you prove your identity when you log in.

During a typical two-factor authentication process, the user enters their username and password, then the site they’re logging in to responds by texting them a verification code. The user enters the verification code, proving that he or she is the proper user of the account, and not a hacker logging in with a stolen password.

But this method has its downfalls. A determined attacker can reset the SIM for the user’s phone and intercept the SMS messages, as we saw in the targeted hack of the activist DeRay Mckesson last summer.

Security keys solve this problem by cutting out the need to transmit the verification code to the user. Keys like those manufactured by Yubico fit into a USB port and can generate a one-time code at the tap of a finger — and, unlike SMS, these codes can’t be captured without physical access to the security key itself. In addition to being more secure, security keys make the login process with two-factor authentication feel a bit faster and more seamless because you don’t have to sit around waiting for the text message to be delivered. Conveniently, security keys still work even when text messages don’t, so you don’t lose access to your accounts just because you don’t have cell service.
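To make the contrast above concrete, here is an added example (not Facebook’s or Yubico’s code) that models both second-factor flows side by side: an SMS code that anyone holding the text can present, and a security-key challenge-response in which the browser hands the key a fresh server challenge together with the page’s real origin. Real U2F keys answer with an ECDSA signature under a per-site key pair; in this stand-in a per-site HMAC secret plays both the private and public role so the script runs with only the standard library (that substitution, the sample origins and the user name are assumptions).

```python
"""Simplified model of SMS codes versus security-key challenge-response.
Added illustration; the HMAC stand-in for a U2F signature is an assumption."""
import hashlib
import hmac
import secrets


class SmsSecondFactor:
    """Server texts a six-digit code; whoever presents that code is let in."""

    def __init__(self):
        self.pending = {}

    def start(self, username):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = code
        return code  # travels over SMS, so a SIM-swap attacker can read it

    def verify(self, username, code):
        expected = self.pending.pop(username, None)
        return expected is not None and hmac.compare_digest(expected, code)


class SecurityKey:
    """Stand-in for a U2F key. A real key holds a per-site ECDSA private key and
    hands back a public key at registration; here one per-site HMAC secret plays
    both roles so the example has no dependencies (assumption)."""

    def __init__(self):
        self._site_secrets = {}
        self.counter = 0  # real keys expose a use counter so servers can spot clones

    def register(self, origin):
        secret = secrets.token_bytes(32)
        self._site_secrets[origin] = secret
        return secret  # the server stores this where it would store a public key

    def respond(self, origin, challenge):
        """MAC the challenge for the origin the browser reports. Returns None when
        the key was never registered for that origin, which is what defeats a
        phishing page that relays a genuine challenge."""
        secret = self._site_secrets.get(origin)
        if secret is None:
            return None
        self.counter += 1
        msg = origin.encode() + b"|" + challenge + b"|" + self.counter.to_bytes(4, "big")
        return self.counter, hmac.new(secret, msg, hashlib.sha256).digest()


class SecurityKeySecondFactor:
    """Server side: issues a fresh challenge, verifies the key's response."""

    def __init__(self, origin):
        self.origin = origin
        self.registered = {}  # username -> [secret, last_counter]
        self.pending = {}     # username -> outstanding challenge

    def enroll(self, username, key):
        self.registered[username] = [key.register(self.origin), 0]

    def start(self, username):
        challenge = secrets.token_bytes(32)
        self.pending[username] = challenge
        return challenge  # safe to expose: useless without the key

    def verify(self, username, response):
        challenge = self.pending.pop(username, None)
        record = self.registered.get(username)
        if challenge is None or record is None or response is None:
            return False
        secret, last_counter = record
        counter, mac = response
        msg = self.origin.encode() + b"|" + challenge + b"|" + counter.to_bytes(4, "big")
        if not hmac.compare_digest(hmac.new(secret, msg, hashlib.sha256).digest(), mac):
            return False  # wrong key, wrong origin, or a response to a stale challenge
        if counter <= last_counter:
            return False  # counter went backwards: a cloned key is in play
        record[1] = counter
        return True


def sms_code_can_be_replayed():
    """An intercepted SMS code logs the holder in: the weakness the article describes."""
    sms = SmsSecondFactor()
    intercepted = sms.start("alice")  # constructed user; the text is read off the wire
    return sms.verify("alice", intercepted)


def key_response_cannot_be_replayed():
    """A recorded key response fails against the next, fresh challenge."""
    server = SecurityKeySecondFactor("https://www.facebook.com")
    key = SecurityKey()
    server.enroll("alice", key)
    recorded = key.respond(server.origin, server.start("alice"))
    assert server.verify("alice", recorded)  # the legitimate login succeeds
    server.start("alice")                     # a later login attempt gets a new challenge
    return server.verify("alice", recorded)   # the old response no longer verifies


def phishing_origin_gets_no_response():
    """The browser reports the page's true origin; the key holds nothing for it."""
    server = SecurityKeySecondFactor("https://www.facebook.com")
    key = SecurityKey()
    server.enroll("alice", key)
    challenge = server.start("alice")  # a look-alike site relays the real challenge
    return key.respond("https://facebook-login.example", challenge) is None


if __name__ == "__main__":
    print("SMS code replay succeeds:", sms_code_can_be_replayed())
    print("Key response replay succeeds:", key_response_cannot_be_replayed())
    print("Phishing origin gets no response:", phishing_origin_gets_no_response())
```

The three checks at the bottom map onto the article’s claims: the SMS code is a bearer secret, so possession of the text is enough; the key’s answer is tied to one challenge and one origin, so neither a captured response nor a relayed challenge on a look-alike domain gets an attacker in, and nothing can be produced at all without the physical key.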

If you already use a security key to log into your accounts on Google or Dropbox, you don’t need a new one. You can use the same key across all your accounts.

Brad Hill, a security engineer at Facebook, says it was easy for the company to roll out the feature because it was already used in-house by the engineering staff for logging in to internal systems. It was simply a matter of extending the feature to Facebook’s users.

“We don’t consider two-factor a mandatory thing,” Hill explains. “We see account security as our responsibility regardless of technologies you choose to use. For people who want to stay in control, this would be a good choice for someone who wants to stay ahead of even the most advanced attacks.”

Unfortunately, there’s not a great way to integrate security keys with most mobile devices yet. When logging into their Facebook accounts on mobile, most users will still have to go through the regular old two-factor SMS process (Facebook also lets users generate their verification code through the Facebook app). Users with NFC-capable Android devices and the latest versions of Chrome and Google Authenticator can use an NFC-capable key to verify their identity on the Facebook mobile website.

The challenge of using a security key with a mobile device is one Hill expects to see addressed in the future. Although access is currently limited to certain Android users, Hill says he anticipates more APIs on the Android platform that will support security keys — and that other platforms will follow suit.

Ready to activate your security key? Go to Security Settings in your account and click “Add Key.” (Note: This will only work if you’re using the Chrome or Opera browser.)
