Facebook and Two Factor Authentication (2FA) - for better or worse?

The recent news around Facebook security and the visibility in the media of identity loss stories have some positive outcomes.

The recent news around Facebook security and the visibility in the media of identity loss stories have some positive outcomes - end users are slowly being introduced to new terms and security concepts by companies such as Google, Facebook and Dropbox in an attempt to educate the Internet population about security.

As technologists, we don't make it easy for users to understand technologies when we have so many acronyms and catchy (for some) code names. Most users wouldn't have any idea what SSL, TLS and HTTPS stand for, let alone care about the differences between them, and many don't understand that websites with a https:// and a gold coloured browser lock may be secure, but may not be a trustworthy place to provide your personal details. https certificates are cheap, and many phishing websites use them to convince users they are trustworthy.

The challenge of educating users so they make a fewer number of security impacting errors needs continued effort by providers of Internet content services from Amazon to Google to Microsoft to Yahoo, as well as support from Governments and action groups like the Australian Safer Internet Group.

the new https facebook URL

On Wednesday 26th of January 2011 Facebook announced the release of several new tools to help users stay safe while using the site. Most interestingly, users are now able to enable two factor authentication (via an SMS token) to add an additional layer of security to logins, as well as browse the Facebook site via https. These changes are in addition to the Account Settings released late 2010 which enabled registration and tracking of Facebook logins and the ability to remotely 'end' a Facebook login (the ability to end sessions via SMS is not currently available to Australian users).

Facebook login approval

The two factor authentication process works as expected. If enabled from the Account Settings section within Facebook, users enter their email and password and are prompted to enter an additional code that will verify them as the account owner. An SMS code is sent to the users registered phone number and the user session is allowed access to Facebook. The site uses the mobile phone number from the Facebook user's profile.

Facebook account security

Once the session is established, the time and date details of that session along with rudimentary geolocation information is also collected by Facebook. This allows users to check where logins to Facebook have been originated and gives users a clearer understanding of whether their account has been compromised through the loss of their password.

Enter SMS security code

Paul Ducklin, from security vendor Sophos, approves. "The new feature means that you'll get warnings about unauthorised access attempts pushed to you. Furthermore, the crooks won't be able to login because they won't have the magic code in the SMS which is needed to proceed."

However, during the recent AusCERT2011 conference on the Gold Coast Amit Klein of Trusteer added another two acronyms as he warned that the criminals were targeting smartphone devices to specifically intercept SMS token security technologies; MITMO for 'man in the mobile' and ZITMO for 'zeus in the mobile' may not have caught on widely in daily banter but as concepts present a challenging threat.

Malware which takes over the device used for what would otherwise be considered 'out of band' (a mobile phone) and works hand in hand with malware which is installed on the PC is a truly scary idea.

A number of security vendors are working on anti-malware and anti-virus solutions for smartphones. This includes Kaspersky Lab who provide protection for Android, Nokia Symbian OS and Windows Mobile devices. Kaspersky Mobile 9 also offers the ability to locate a lost phone via GPS, local encryption of contacts, the ability to block outgoing SMSs with whitelists and blacklists, and a remote wipe function.

Kaspersky Mobile 9 was clearly a response to user requests. Sergev Nevstruev, Director of Mobile Services at Kaspersky Lab stated "We always listen to our clients' preferences and desires, whether in connection with the capabilities of our solutions, or our distribution channels".

Facebook’s two factor authentication (2FA) implementation does have potential limitations, once you log in from one computer and provide the 2FA authentication authorising that machine and browser combination you never need to re-authenticate with an SMS token for that machine/browser again.

your recognised devices

Sessions from an iPhone using the Facebook app didn't register against the devices Facebook had recorded, although Facebook forced the Facebook app to login using the account username with an SMS token instead of a password once Account Security was enabled.

Ducklin continues. "It's a pity Facebook isn't offering an option to let you enable 2FA every time you login. It would be even nicer if they added a token-based option (and they'd be welcome to charge a reasonable amount for the token) for the more security-conscious user." Some banks, such as the Commononwealth Bank, provide security hardware tokens which require the user to enter a 6 digit number which the device produces at the push of a button.

So are users catching on? Only time will tell but compared to a couple of years ago your users are more likely to understand Internet security concepts because of the non-work applications they use from their home computers and that makes the job of an enterprise security architect just a little easier. 

Read more on Data breach incident management and recovery