Facebook joins online services like Google, Dropbox, Salesforce, and GitHub in enhancing user logins with hardware security keys to help prevent attackers from breaking into user accounts. Google and Facebook are among the largest names supporting universal second factor (U2F), and it's taking way too long for other companies to do the same.
Many online sites and services, Facebook included, already let users turn on two-factor authentication so that an account is protected by something stronger than a password alone. Supporting FIDO-compliant U2F keys takes that security mindset a step further.
With U2F, Facebook authenticates the user with a private key that lives on the USB security key plugged into the user's computer: the site sends a challenge, the device signs it, and the private key never leaves the device. There's no need to send one-time passwords over SMS or to generate them in a mobile app. Because the signature is bound to the site's origin and cannot be replayed, it can't be captured and reused by malware or a phishing page, which makes accounts far more resistant to hijacking.
An open authentication standard created by Google and Yubico and hosted by the FIDO Alliance, the open-authentication industry consortium, U2F specifies how online services interact with hardware devices to ensure the person trying to log in is the actual owner of the account. The beauty of U2F is that a single device can be used on any number of online services that support the standard, without installing any software drivers or configuring client software. It can also co-exist with other authentication protocols, so a service can support multiple two-factor authentication schemes without going all-in on U2F.
Enhanced user security that's easy
Users interested in securing their Facebook accounts simply need a U2F security key and either Chrome or Opera, and turn on the option under Login Approvals in Facebook Settings > Security. During login, the user taps the USB key connected to the computer to approve the login. Facebook treats the key as a trusted device, so it remembers the device so long as the browser's cache is not cleared.
Even if an attacker manages to trick the user into entering the password on a phishing site, obtains the password from one of the many password lists floating around from data breaches against other sites, or simply guesses a weak password, he can't produce the signature the site expects without physically having the key. It's conceivable that an attacker could somehow trick the user into handing over both the physical key and the password, but that takes considerably more work than a typical phishing or credential-stuffing attack.
While Yubikeys, from the company Yubico, may be the best-known security key, there are other FIDO-compliant U2F keys. They're relatively inexpensive, with prices as low as $12, and Yubico's cheapest Yubikey, the U2F Security Key, is $18. There are even DIY instructions on making the keys.
Why isn't U2F a no-brainer?
Considering the number of prominent members in the FIDO Alliance, it's perplexing that only a handful of public online sites have adopted the new authentication protocols. Microsoft is a member, but Outlook.com users can't secure their accounts with hardware security keys. PayPal at one point had limited support for Yubikeys, but it doesn't currently support U2F.
From the user's standpoint, the barrier for entry for adopting U2F security keys is extremely low: it's easy to use and not that expensive. But it's extremely irritating to have a U2F security key and not find more sites that work with it.
The roadblock appears to be the site owners, since each service has to make the changes required to support U2F. It doesn't help that Chrome and Opera are the only web browsers currently supporting the standard fully.
Facebook integrated FIDO U2F security keys into its platform using u2f-ref-code, an open source library provided by Google, said Brad Hill, a Facebook security engineer. The library implements the FIDO U2F specifications and includes a wrapper for the Chrome browser's proprietary API, which lets a web application reach USB U2F devices through the U2F API. There are plans to switch to the Web Authentication API when it becomes available, as it "should work in a uniform way across multiple browsers," Hill said. The Web Authentication API is currently being standardized in the W3C.
There are a number of client- and server-side U2F libraries that implement the server's two halves of each flow: issuing a challenge to start a registration or an authentication, and validating the device's signed response to finish it.
It's not even the chicken-and-egg problem, where services don't want to support a mechanism if there aren't enough users. A single key can support multiple sites, which means users who already have a key for Gmail, or now with Facebook, will be able to use the same key for any other site that supports the key.
There's also no need to turn off existing two-factor authentication schemes, so online services can offer options to users and let them decide the level of security they're most comfortable with. In fact, it's recommended to have multiple mechanisms in place in case one layer doesn't work (such as the user losing a key).
Proven security benefits
The security or effectiveness of the keys isn't in doubt, either. Over a two-year period Google deployed Yubikeys internally, providing one key per computer, or about two keys per employee, across its 50,000-plus workforce. It found that security keys beat out smartphones and most other forms of two-factor verification in terms of ease of deployment, simplicity of use, and ability to prevent phishing and other account takeover attacks, the company said in a whitepaper.
Security benefits may be difficult to quantify, since they're evident only when something bad doesn't happen, but the researchers noted that total average time spent logging on with keys dropped nearly two-thirds compared to using an OTP sent over SMS messages. There was also no risk of the user incorrectly entering the code since the key requires a mere tap. Support costs dropped because there were fewer authentication-related calls to the help desk, and Google claimed to have saved money using the security keys even with the upfront costs of buying the keys.
Who's next?
By adding support for U2F to its login process, Facebook brings security keys a step closer to the average user. With all the data-breach headlines of the past 18 months and reports of compromised email servers, there's a lot of concern about passwords and account security. Plenty of sites offer SMS-based authentication, but with the National Institute of Standards and Technology suggesting that mechanism should be deprecated, new methods are necessary. Not everyone wants to use a mobile app to generate OTPs. U2F security keys fill the gap.
With Facebook joining Google and others, users interested in U2F now have more accounts that can benefit from buying a security key. More brands must take the U2F plunge so that we can finally enjoy the post-password world we've long been promised.