23 comments

[ 3.9 ms ] story [ 51.1 ms ] thread
Would be curious to hear how their in-house TFA compares to some of the big enterprise vendors in the market
Given the timing on this, I can't see it as anything but an attempt to distract from the fiasco currently going on with Facebook hiring a PR firm to smear Google.

That said, this is a pretty cool feature, and seems to play into Facebook's ongoing attempt to become the standard for identity on the internet - added security is a really good thing when your entire identity is tied to a single service.

Given the timing on this, I can't see it as anything but an attempt to distract from the fiasco currently going on with Facebook hiring a PR firm to smear Google.

I highly doubt that. The two groups responsible for each probably aren't aware of what the other party is working on. I don't see Facebook launching a feature if it isn't ready, nor do I see them holding a feature back that is ready.

In fact, the article says: "Even interns like myself are tasked with big projects to help improve account security. Instead of working on mundane tasks and simple problems, interns are given high-impact assignments that reach out to hundreds of millions users every time they use Facebook. "
Which would seem to explain why Facebook occasionally grinds to a halt for a few minutes until something gets reverted.
Yeah, I work on the team that launched this, all that google privacy PR stuff is just poorly timed - they're completely unrelated.

I wish this launch hadn't been tarnished / buried by it :-(.

I'm sure they didn't stop other development and allocate all their resources to the smear campaign. They just happened to be going on at the same time.
I tried to turn this on and never got the SMS confirmation they send, so I couldn't turn it on. That is kind of my worry with this kind of thing... if it doesn't work when you need to login, you are screwed. Why not just have the Facebook app generate the code?
Facebook has been aching for my phone number and other details. Do you think this is security driven or put out as an entryway into greater interaction with your phone? I should note that I am old school and don't use a smartphone so that is part of my approach to thinking about this.
Interns keep kicking ass at Facebook.
Interesting point "If you ever lose or forget your phone and have login approvals turned on, you will still have the option to authorize your login provided you are accessing your account from a saved device."

In contrast to Google's solution which provides you with a set of fallback codes.

This seems to me like just another backdoor way of being able to build a more robust database of personal information on you. With your mobile number and the numbers of all your friends, in coordination with the cell carriers (or NSA, whichever you prefer) they can tie together data about who you call & how often with your friend activity on Facebook. Google has been doing it too, asking for a "mobile number backup" when you log into Gmail.

Just the next erosion of our privacy, disguised as a protection of our privacy.

And/or facebook's solution to the Firesheep vulnerability. (Can someone confirm that this solves the firesheep problem?)
Bullshit conspiracy theories. How can something that is opt-in be an erosion of privacy? By default it is not enabled. Just don't use it and you're fine.
It's pretty standard practice to roll out a feature as optional and gauge reaction before making it mandatory.
Bullshit conspiracy theories.

Hyperbole would be a more apt description.

How can something that is opt-in be an erosion of privacy?

Quite easily. You can choose to use a service without fully understanding the privacy implications. I don't think we can expect the general public to be infosec and personal rights experts.

Wow, this is some crazy.

If you start by assuming they have access to the cell carrier data (which is a super-mega-wacky assumption), why do they need you to provide your number in the first place? They can just look it up in the billing, which ties to a verified address.

And even if you really are this paranoid, you can just use a $10 burner phone for this authentication.

Google, Paypal, World of Warcraft, Mailchimp, etc. have all implemented user-facing two-factor auth also. It's the easiest way for them to protect against endpoint insecurity when attackers are going after user credentials en masse.

For any other site looking to implement this, check out our open-source web SDKs and service at Duo Security:

http://www.duosecurity.com https://github.com/duosecurity

At the very least, we highly recommend folks use it to protect their own cloud/datacenter infrastructure, and have made it free to do so (assuming you have 10 or less admins):

http://blog.duosecurity.com/2011/04/ssh-keys-that-call-you-b...

We support callback, SMS, mobile apps for 7 platforms, as well as traditional hardware tokens for online and offline use...

It’s great that Facebook is strengthening security by using two-factor authentication. People share so much personal information on Facebook that relying on a single layer of password protection is simply not enough. However, sending a code by SMS text message is not very secure because they are sent in clear text. If the user were to lose their phone or have it stolen, anybody could read that text message and fraudulently authenticate.

More websites need to use two-factor authentication like Facebook is doing, but a more secure and easier-to-use approach is to send an image-based authentication challenge to the user’s phone, like Confident Technologies provides: http://bit.ly/dMNzB5. A grid of pictures is displayed on the user’s smartphone and to authenticate, the user must correctly identify the pictures that fit their pre-chosen, secret categories. Even if someone else had possession of your phone, they wouldn’t be able to authenticate because they wouldn’t know your secret picture categories.