Slashdot Mirror


Facebook Adds Two-Factor Authentication

angry tapir writes "To help its hundreds of millions of users prevent unauthorized access to their accounts, Facebook has added an optional verification step to its log-in process. The new security feature, called Login Approvals, is a form of two-factor authentication."

124 comments

  1. Security? by Anonymous Coward · · Score: 4, Funny

    That's like putting a steel door on a straw house...

    1. Re:Security? by Hultis · · Score: 3, Insightful

      More like putting a steel door next to the regular one most people will still use.

    2. Re:Security? by Anonymous Coward · · Score: 1

      No, not really. That's a terrible analogy. More like offering a choice of a steel or a regular door.
      And people complaining about security - pah. It doesn't have to withstand assaults from highly skilled hackers, merely stop password guessing, etc. I have university students on my friends list who are regularly being 'facebook raped' and this, perhaps, would stop some of that.

    3. Re:Security? by Dunbal · · Score: 1

      It's like putting TSA employees in front of a gate.

      --
      Seven puppies were harmed during the making of this post.
    4. Re:Security? by tripleevenfall · · Score: 1

      The forest-for-the-trees here is - what's the point of having extra login security for a website that has a business model that hinges on compiling and storing your personal information to sell to advertisers?

    5. Re:Security? by NevarMore · · Score: 1

      It gets them your phone number.

    6. Re:Security? by molnarcs · · Score: 1

      That's like putting a steel door on a straw house...

      That's not Funny (mods!) that's accurate. You set all your privacy settings to friends only. You refuse all app invitations by default. And yet, your email address and every detail you publish will be handed to spammers on a silver platter by a single person who clicked on the "who viewed your profile" scam. Facebook is becoming MySpace - a platform for spammers, scammers and virus writers, not to mention Facebook's shady partners (Zynga & Co). I quit - I still have my profile, but left a message, a note and a short blurb on my profile info with links to my blog where I explain in detail why I left and encouraging others to do so. The final straw was when a lady accused me publicly (ie on my wall) of stalking her. Had no idea who she was actually (I probably knew her - friend of a friend of a friend or sth, I never accepted friend requests from complete strangers) - probably my name was chosen randomly from her contact list when accepting one of the "who viewed your profile" invitations. I think Facebook is past its peak - it was ok and useful, but now it's more trouble than it's worth. And we do have plenty of alternatives for keeping in touch.

    7. Re:Security? by Anonymous Coward · · Score: 0

      And this "steel door" is already rotten !

      SMS sniffing happens in the wild.

      Also, this is just a normal evolution to connect two databases (the Tel number reveals the position log of an individual)

    8. Re:Security? by S.O.B. · · Score: 2

      What's with all the door analogies? This is Slashdot. It's supposed to be a car analogy. Fine, I'll do it myself.

      It's like locking a convertible when the top is down.

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    9. Re:Security? by akayani · · Score: 1

      It's only so they get your real name which they trade with and give to the CIA. It's nothing to do with anything but what benefits Facebook.

    10. Re:Security? by KingBenny · · Score: 0

      if i translated you correctly i think i feel the same, who cares about a facebook profile? the people you know and care about don't depend on an online profile

      --
      Free speech was meant to be free for all... how can anyone grow up in a nanny state ?
  2. Harvesting by tpotus · · Score: 2, Interesting

    As someone pointed out in the article comments; This enforces fb's agenda to have its users submit as much personal info as possible to them.

    1. Re:Harvesting by hodet · · Score: 1

      Of course it does. We are not their customers. We are their product.

    2. Re:Harvesting by curio_city · · Score: 1

      Not only that, but this seems to make harvesting people's numbers easier as well. "To make sure you are who you say you are, check your phone. In case you are somebody that doesn't know what the phone number is, it's: 1-559- -1331. We hold ourselves to the highest standards when handling your personal information."

  3. Protect your MafiaFarmPetVilleWars! by L4t3r4lu5 · · Score: 3, Insightful

    Give us your telephone number.

    This isn't creepy at all.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
    1. Re:Protect your MafiaFarmPetVilleWars! by Anonymous Coward · · Score: 0

      And now they are going to point fingers at Google and say they did it first.

    2. Re:Protect your MafiaFarmPetVilleWars! by dragonhunter21 · · Score: 3, Informative

      Actually Google's uses a special app, Google Authenticator. No phone number required.

      --
      Sent from my CR-48
    3. Re:Protect your MafiaFarmPetVilleWars! by ThunderBird89 · · Score: 2

      Only if you have an Android phone. Otherwise, and even if you do, you can opt for/have to use text messages, an automated phone call, or an OTP you printed earlier.

      --
      Hyperbole: I use it liberally!
    4. Re:Protect your MafiaFarmPetVilleWars! by dragonhunter21 · · Score: 2

      Actually, it appears that there's not only an iPhone app, but a Blackberry app, too.

      Still, I don't think I'll be taking advantage of Facebook's offer, here. Don't like the idea of Facebook having my phone number. Judging by the other comments, I can see I'm not alone.

      --
      Sent from my CR-48
    5. Re:Protect your MafiaFarmPetVilleWars! by _0xd0ad · · Score: 1

      Implying they don't probably already have it. It's not like this is new. You've been able to link your Facebook account to your SMS number for a long time... you can get a text message whenever someone sends you a message or posts on your wall.

      Hell, Slashdot does it too. Enter your mobile number in the user prefs and then there are a number of site messages that can be set to notify you via Mobile Text.

    6. Re:Protect your MafiaFarmPetVilleWars! by klui · · Score: 1

      Is there an equivalent that runs on Windows, OS X, or Linux?

    7. Re:Protect your MafiaFarmPetVilleWars! by chrisgeleven · · Score: 1

      The Google Authenticator app for the iPhone works perfectly.

    8. Re:Protect your MafiaFarmPetVilleWars! by dragonhunter21 · · Score: 1

      Blackberry and iPhone, yes. Otherwise, having the program on a non-mobile platform seems rather useless.

      --
      Sent from my CR-48
    9. Re:Protect your MafiaFarmPetVilleWars! by Anonymous Coward · · Score: 0

      Fucking Google also requires a phone number to "verify" your account now.

  4. FaceBook adds Two Factor Authentication by Anonymous Coward · · Score: 1

    "Because if they steal your private data, we can't sell it to them!"

    1. Re:FaceBook adds Two Factor Authentication by curtisk · · Score: 5, Insightful

      "Because if they steal your private data, we can't sell it to them!"

      That's so sadly funny... Facebook isn't even the least bit shy anymore, "just give us your cell/mobile number, it's for safety!" I wonder what new data correlations and connections they can now make with that extra tidbit of data in that database version of you (in the database version of the world)

      --

      Sehr geehrter Toilettenbenutzer!

    2. Re:FaceBook adds Two Factor Authentication by pmontra · · Score: 1

      That line seems to be very common today.

  5. thank you (google voice | text+ | your virtual #) by Anonymous Coward · · Score: 2, Insightful

    This is where services like text+ shine: get an SMS throw away number and those future call center initiated contacts will get spam filtered.

  6. Let me guess... by msauve · · Score: 4, Funny

    This is Facebook, so the two factors are username and password.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Let me guess... by Seumas · · Score: 1

      I can't believe I just laughed at that. God damn it.

    2. Re:Let me guess... by rsmith-mac · · Score: 3, Funny

      Passwords are too hard to remember, particularly for the hardcore Facebook addicts. Instead it will be your username and your mother's name, that way you can quickly look it up on your friends list should you forget it.

    3. Re:Let me guess... by syousef · · Score: 1

      This is Facebook, so the two factors are username and password.

      No they are password and captcha made of farmville goat.cx

      --
      These posts express my own personal views, not those of my employer
    4. Re:Let me guess... by Anonymous Coward · · Score: 3, Funny

      With every app and advertising maker having full access anyway, I think this is what I think they have in mind. Now with TWO locks!

    5. Re:Let me guess... by Anonymous Coward · · Score: 0

      It's okay to have a covert chuckle every so often.

    6. Re:Let me guess... by Sulphur · · Score: 0

      This is Facebook, so the two factors are username and password.

      The two factors are zero and one.

    7. Re:Let me guess... by Anonymous Coward · · Score: 0

      This is Facebook, so the two factors are username and password.

      No way I would trust Facebook with my username and password.

    8. Re:Let me guess... by Anonymous Coward · · Score: 0

      The two numbers are 1 and 1.

    9. Re:Let me guess... by Bing+Tsher+E · · Score: 1

      Based on my experience with Facebook, the two factors are a browser cookie and a mouse click.

    10. Re:Let me guess... by pnutjam · · Score: 1

      I assume you are joking, but I have reused website passwords in the past. I refuse to do this for facebook. I don't trust them. I certainly won't give them my cell number. This is also useless for people who browse facebook primarily on their phone. It either won't be supported by their facebook app, or someone who steals (or borrows) their phone could still get access.

    11. Re:Let me guess... by dgatwood · · Score: 1

      Pretty much. A browser cookie identifies that a specific machine no longer needs to be asked for auth, which means unless you're using HTTPS, it is trivially sniffable.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  7. Details needed by codeButcher · · Score: 1

    To help its hundreds of millions of users prevent unauthorized access to their accounts

    Is access by FB employees and TLA agents a form of authorized access or unauthorized?

    --
    Free, as in your money being freed from the confines of your account.
    1. Re:Details needed by Hultis · · Score: 1

      It's most certainly authorized by the government and FB.

  8. I wonder if that's available in the UK by Chrisq · · Score: 1

    I wonder if that's available in the UK. It would be nice to know that its costing them money every time you log in.

    1. Re:I wonder if that's available in the UK by Anonymous Coward · · Score: 0

      I'm off to write a script...

  9. It's not two-factor authentication. by Anonymous Coward · · Score: 1

    Asking two different passwords isn't considered "two-factor" authentication.

    There are three factors:
    1) What I know (passwords, pin)
    2) What I have (tokens, smartcards)
    3) What I am (retina scan, fingerprint)

    For two-factor authentication you will need to have two of the three factors. Facebook uses a password and a code. It doesn't matter if they're different, it's still just one factor (what you know).

    1. Re:It's not two-factor authentication. by Hultis · · Score: 2

      That code is sent to your phone though, which is something you have (and there's presumably a short time window to use that code) => two-factor authentication.

    2. Re:It's not two-factor authentication. by icebraining · · Score: 0

      It sends the code to your phone, therefore it's "what I have". It's closer to a token than a password.

  10. Better yet by bipedalhominid · · Score: 1

    Just give them your mother's maiden name and your SSN and get it over with. Might as well just have your paycheck auto-deposited into their accounts. That's what they really want. Please someone tell me this Facebook is a fad. Maybe between Facebook outright selling your privacy and the hackers stealing your identity the faceless masses of people using this thing will get burned enough to run off somewhere else. It's time to seriously set up the next Facebook for the sheeple, then get anonymous to attack the existing Facebook and steal everyone's info. Then when the sheeple respond with the inevitable knee-jerk reaction and leave Facebook, they'll only be looking for the next shiny/shiny to play with. So if you had FaceBook II set up and raring to go, instant net millionaires we will be. Who's with me? Any decent web coding monkeys out there?

    --
    This aint Daytona and you aint Dale Earnhardt. So stop trying to draft on Interstate 40.
    1. Re:Better yet by Anonymous Coward · · Score: 0

      Any decent web coding monkeys out there?

      On /.? You must be new here.

    2. Re:Better yet by foniksonik · · Score: 1

      Web monkeys too busy writing FB Apps and getting paid.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    3. Re:Better yet by bipedalhominid · · Score: 1

      I meant monkey in a good way. There are good monkeys, I swear.

      --
      This aint Daytona and you aint Dale Earnhardt. So stop trying to draft on Interstate 40.
  11. What's the duration? by Coisiche · · Score: 1

    So... rather than provide a fob or phone app to provide a "one-time" number that constantly changes, they'll SMS it to your phone. Well, it's not exactly instant and depending on network load can take a while (ok the 4 hour delays at new year are a bit of an exception from the norm). It seems to me that the "one-time" number has to remain valid for quite a while and every second would increase the vulnerability.

    1. Re:What's the duration? by rjstanford · · Score: 1

      So... rather than provide a fob or phone app to provide a "one-time" number that constantly changes, they'll SMS it to your phone. Well, it's not exactly instant and depending on network load can take a while (ok the 4 hour delays at new year are a bit of an exception from the norm). It seems to me that the "one-time" number has to remain valid for quite a while and every second would increase the vulnerability.

      Meh. Simply adding the requirement - even if the codes never expired - would decrease the ability of a "password guesser" to gain access by a factor of several thousand (probably much more). Expiring the codes after a day would be just fine. Worrying about being 1,000,000 times more secure vs. only 10,000 times more secure is a silly reason to not do it the simple way.

      --
      You're special forces then? That's great! I just love your olympics!
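The trade-off argued in this sub-thread (how long an SMS login code stays valid versus how many guesses an attacker gets), as an added example that is not part of the original comments and is not Facebook's code: a server-side check for a one-time code with a validity window, a cap on wrong attempts and single use, plus the guessing odds with and without the cap. The 6-digit length, 10-minute window, 5-attempt cap and every name below are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6      # assumption: 6-digit numeric code
TTL_SECONDS = 600    # assumption: code valid for 10 minutes
MAX_ATTEMPTS = 5     # assumption: wrong guesses allowed per issued code


@dataclass
class PendingCode:
    code: str
    issued_at: float
    failures: int = 0


class LoginApprovalStore:
    """In-memory store of outstanding login codes, one per user."""

    def __init__(self, clock=time.monotonic, ttl=TTL_SECONDS,
                 max_attempts=MAX_ATTEMPTS):
        self._clock = clock
        self._ttl = ttl
        self._max_attempts = max_attempts
        self._pending = {}

    def issue(self, user):
        # CSPRNG, zero-padded so every code has the same length.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Issuing a new code replaces (invalidates) any older one.
        self._pending[user] = PendingCode(code, self._clock())
        return code  # goes to the SMS gateway, never back to the browser

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return "no_code"
        if self._clock() - entry.issued_at > self._ttl:
            del self._pending[user]
            return "expired"
        # Constant-time comparison; bytes so any input string is accepted.
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self._pending[user]          # single use
            return "ok"
        entry.failures += 1
        if entry.failures >= self._max_attempts:
            del self._pending[user]          # force a fresh code
            return "locked"
        return "wrong"


def success_probability(ttl_seconds, guesses_per_second, max_attempts=None,
                        digits=CODE_DIGITS):
    """Chance that distinct guesses hit one uniformly random code.

    Without an attempt cap the validity window bounds the number of
    guesses; with a cap the window length stops mattering.
    """
    space = 10 ** digits
    guesses = int(ttl_seconds * guesses_per_second)
    if max_attempts is not None:
        guesses = min(guesses, max_attempts)
    return min(guesses, space) / space
```

With these assumed numbers, a code valid for a full day and no attempt cap is guessable at 10 tries per second with probability 0.864, while the same day-long window with a 5-attempt cap leaves 5 in a million.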
  12. privacy by Anonymous Coward · · Score: 0

    So now I have to trust them not to give out my phone number?

    1. Re:privacy by mr1911 · · Score: 1

      That would be the naive way to do it.

      You would be better off assuming they will sell your phone number.

      --
      This post comes with a double-your-money-back guarantee!
      Any offense taken to this post is at your sole discretion.
  13. Extra layer of security by ray_mccrae · · Score: 5, Funny

    I heard that the two form authentication will involve both your password and verification that you've posted a derogatory story about Google to your blog.

    1. Re:Extra layer of security by Aladrin · · Score: 0

      Stupid mis-click. Posting to remove bad mod. :(

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  14. as if you guys dont know.... by metalmaster · · Score: 1

    Facebook already has millions of mobile numbers from its users. Just about everyone I know updates their facebook via sms or mobile app. In fact, the app on the HTC phone that my brother uses didn't even beat around the bush. When he connected the first time he created the account from his phone using what I suppose is his phone#@carrier address

  15. WTF is the point? by geekmux · · Score: 4, Insightful

    "To help its hundreds of millions of users prevent unauthorized access to their accounts..."

    Gee, that's nice Farcebook. Now, what exactly are you going to do about your privacy policies that change with the wind, forcing users to constantly monitor their settings to prevent "authorized" access?

    Hard to feel safe in the car when you don't trust the driver no matter how many seat belts you have on.

  16. Facebook adds mobile phone number capture by crush · · Score: 1

    So Facebook gets to ask its unsuspecting users for their mobile phone numbers in addition to the other data they now spew out into the eager hands of crackers and marketeers?

    Sweet.

  17. Facebook stupidity.. by Lumpy · · Score: 2, Insightful

    "we will text your phone."

    Because our admins are too stupid to remember that in the USA it costs money to receive text messages and not everyone is a tween that has unlimited texting on their phones K?

    --
    Do not look at laser with remaining good eye.
    1. Re:Facebook stupidity.. by icebraining · · Score: 4, Insightful

      So would it be better for them not to implement it at all because you don't want to use it?

      Lots of people 1) don't live in the US, and therefore don't pay for incoming SMS, 2) have SMS packages or 3) don't mind paying, since it's not for every login but only when a new device is used.

      If you don't want to use it, nobody forces you to.

    2. Re:Facebook stupidity.. by ledow · · Score: 5, Insightful

      I have to say - paying to receive SMS is possibly the most stupid thing I've ever heard anyone agree to. It was back when mobile phones first came out and still is now.

      The problem is not Facebook there - the problem is people who tolerate a stupid system where you can end up paying for something you never asked for.

    3. Re:Facebook stupidity.. by Chemisor · · Score: 3, Insightful

      Ok, wise guy; what are we supposed to do about it? There are only four carriers in the US, and they all charge for receiving text messages. Obviously, you only have two options: either not own a cellphone, or to start your own carrier. Not owning a cellphone does not hurt the carrier, since they have plenty of other customers who don't mind paying for text messages, or just can't live without a cellphone. No carrier will miss you. They will, in fact, want you to leave, since you are a cheapskate who does not make them money by signing up for an expensive monthly contract. Heck, you probably use prepaid, which is not making them any money at all! Your other option of starting your own carrier is not viable due to lack of capital. You'll need to build a few million cell towers, since if you just rent from the existing carriers you'll have to conform to their pricing plans or lose money. Who will lend you the money? Nobody. So, as you can see, we're all pretty much screwed and can do nothing about it.

    4. Re:Facebook stupidity.. by N1AK · · Score: 1

      It makes perfect sense, if users are given some control over which SMS are charged. You 'pay' for receiving an email (although most people do so via the effectively unlimited bandwidth they have pre-purchased). Not paying for incoming phone and text communications is why we haven't got services like google voice in the UK. It also means that there is no motivation for mobile operators to decrease the sms delivery charge because their customer isn't paying for it anyway

    5. Re:Facebook stupidity.. by Anonymous Coward · · Score: 2, Interesting

      I e-mailed Sprint and told them I didn't want to pay for texts, since I only receive a few a month. To summarize, they replied "No problem, we'll put you down for 200 free texts a month. Is that all you need, or can we help you with something else?". I was shocked, but service like that will retain me as a customer. I went so far as to write a response to commend them for it.
       
      But I guess your way works too: do nothing. Can't be disappointed if you never try, right?

    6. Re:Facebook stupidity.. by mikestew · · Score: 2

      Ok, wise guy; what are we supposed to do about it?

      Google Voice, as one option, and I'm pretty sure there are others. From my POV, paying for texting is like getting your TV from a company that wants $80/month: quaint, but unnecessary.

    7. Re:Facebook stupidity.. by Lumpy · · Score: 1

      Email is free to 99.997831% of the world. And "GASP" most smartphones have a data plan required but not the $30.00 a month TXT UR FRNDS plan. Plus email allows those that don't have a cellphone to do it as well.

      It's called thinking a plan through so that the largest segment can access the feature.

      --
      Do not look at laser with remaining good eye.
    8. Re:Facebook stupidity.. by icebraining · · Score: 3, Informative

      Largest segment? You do know that the vast majority of the world, including the US, still uses more feature phones than smartphones?

      Not to mention that for most people if you know they're FB password you can probably access their email too; from password reuse to finding their secret answer (like your candidate for vicepresident), it's almost useless as a second authentication mechanism.

      And you don't need a $30/month plan to receive one SMS a month, if that. How many times do you realistically use FB from a new device?

    9. Re:Facebook stupidity.. by icebraining · · Score: 1

      And now I've noticed the "they're/their" error and I'm kicking myself.

    10. Re:Facebook stupidity.. by Anonymous Coward · · Score: 0

      So would it be better for them not to implement it at all because you don't want to use it?

      Straw man. They could just as easily have implemented, say, a VeriSign key fob regime, like eBay/PayPal have been doing for years. But you can't send spam to a key fob.

    11. Re:Facebook stupidity.. by rjstanford · · Score: 1

      They already have email access. In fact, their FAQ states that if your phone is b0rked you can authorize a new computer through an email process.

      Besides, if you're logging on to Facebook through a new computer, maybe you don't want to pull up your email on the same new computer? Not everyone has webmail, you know. Besides, that also removes one of the two factors - instead of a password and a device, you now need two passwords. Very different.

      --
      You're special forces then? That's great! I just love your olympics!
    12. Re:Facebook stupidity.. by Anonymous Coward · · Score: 0

      T-mobile and Sprint include unlimited text messaging with their data plans. If you aren't on those carriers, and in the US, you could use Google Voice. They can text your google voice number, which will be delivered over data, and not billed as a text message. How do I know this? I have used google voice to text people from an airplane's WiFi. If it works over Wifi, then obviously you can't be billed for it.

    13. Re:Facebook stupidity.. by icebraining · · Score: 1

      Yes, it's definitively just as easy for the user to buy, associate with his FB account and carry around everywhere a physical fob - that most people have never heard about and at least 30% will have trouble understanding - because (s)he might want to login to Facebook from another device than it is to simply input a phone number, spend $0 and carry no extra device at all.

      And it's just as easy for Facebook to have to deal with helping millions of people to buy and use a strange device than simply getting a bulk SMS gateway and add a new memory table/db to their datacenter.

      Have you even considered what you were writing?

    14. Re:Facebook stupidity.. by doshell · · Score: 1

      Well, for starters you could *gasp* forbid the operators through legislation from charging for received messages...

      --
      Score: i, Imaginary
    15. Re:Facebook stupidity.. by rsborg · · Score: 1

      There are only four carriers in the US, and they all charge for receiving text messages

      Soon to be three as AT&T digests T-Mobile. This SMS payment problem is only going to get worse (AT&T recently removed its lowest tier of SMS plans and now you pay $10/mo for 1000 or $.20 a message for ad-hoc).

      --
      Make sure everyone's vote counts: Verified Voting
    16. Re:Facebook stupidity.. by Anonymous Coward · · Score: 0

      There are only four carriers in the US, and they all charge for receiving text messages.

      This number four, I do not think it means what you think it means.

    17. Re:Facebook stupidity.. by panZ · · Score: 1

      Google Voice is not an option. As of right now, Facebook will not send an SMS to a Google Voice number.

      --
      --Let's hack root on 127.0.0.1 --panZ
  18. Why no email option? by anti-pop-frustration · · Score: 2

    This sounds like a ploy to harvest phone numbers from well meaning (if ill informed) users who care about security and who previously hadn't surrendered their phone number to facebook.

    Is there a valid reason for not offering the same service via email? Using, you know, the email address that facebook already has on record.

    1. Re:Why no email option? by ark1 · · Score: 0

      I guess the idea is that if you do not want to login to your fb account from an untrusted computer, you won't be inclined to log into your email account from this same machine.

    2. Re:Why no email option? by Bing+Tsher+E · · Score: 1

      In that case, why would you want to be logged in from said untrusted computer in the first place?

    3. Re:Why no email option? by Anonymous Coward · · Score: 0

      I agree. Everything else I use gives me the option to use e-mail as my 2nd factor. I normally use 2 factor authentication when it's offered but in this case I'll pass.

    4. Re:Why no email option? by Anonymous Coward · · Score: 0

      Email is inherently less secure since many people have the same password for their email and Facebook accounts.

      If I perform a targeted phish against you, it's far more likely that I'll also have pwned your email compared to stealing your phone/taking over your carrier/etc.

  19. Ah, the illusion by Haedrian · · Score: 1

    Yeah, we have two factor authentication. Don't worry, your account is safe. Nobody can access it except you, and us, and some of it from our advertisers, but nothing to worry about. Now give us more information we can sell.

    Love

    Facebook.

  20. lol by Charliemopps · · Score: 2

    This will only ensure that the data they collect on you is actually from you... thereby making it more valuable to the tens of thousands of businesses they then turn around and sell the information to.

  21. they immediately publish your cell # by Loco3KGT · · Score: 3, Informative

    Worth noting - when you supply a phone number (btw, my Google Voice number didn't work at all for this.. had to use my actual mobile #).. they immediately publish it on your profile.

    Thanks Facebook! (I immediately removed it and disabled the feature)

    --
    Blessed be he who reads this post, Cursed be he who tells my boss.
    1. Re:they immediately publish your cell # by ftobin · · Score: 1

      btw, my Google Voice number didn't work at all for this.. had to use my actual mobile #)..

      Google voice doesn't work because it doesn't have an SMS gateway. Since I have the same problem, I emailed Facebook and suggested that they consider supporting sending one-time-passwords via email instead of only by SMS. It's almost as secure as receiving an SMS, especially if your email account also has 2-factor security, and doesn't cost a dime.

    2. Re:they immediately publish your cell # by Anonymous Coward · · Score: 1

      I went into the profile editor, blanked out the mobile number, and saved it. It seemed to accept that, but the SMS 2-factor auth still works. Who knows if it will stay that way....

    3. Re:they immediately publish your cell # by curio_city · · Score: 2

      Worth noting - when you supply a phone number (btw, my Google Voice number didn't work at all for this.. had to use my actual mobile #).. they immediately publish it on your profile.

      Thanks Facebook! (I immediately removed it and disabled the feature)

      And then you can modify your privacy settings so that contact info is not viewable by any users other than you......

    4. Re:they immediately publish your cell # by Anonymous Coward · · Score: 0

      Actually the number is set to "Only Me" in the privacy settings.

  22. It's obvious by rpopescu · · Score: 0

    that this is about getting the phone numbers - another way to access users and feed them delicious Facebook and approved 3rd party apps goodness, I'm sure.

  23. is it only me? by Anonymous Coward · · Score: 0

    Is it only me ..... facebook is trying to harvest personal phone number?

  24. Simpsons memory by w_dragon · · Score: 1

    Kind of feels like that scene in The Simpsons where Burns and Smithers walk through several layers of heavy security with lots of big heavy doors, only to end up in a little shed with an open door and a broken window. As long as I can click on a link and give an app the ability to write on my wall as me, with no explicit permissions to do so, I don't think extra password security is all that meaningful.

    1. Re:Simpsons memory by camperdave · · Score: 1

      As long as I can click on a link and give an app the ability to write on my wall as me, with no explicit permissions to do so, I don't think extra password security is all that meaningful.

      You clicked. What further permission do they need?

      --
      When our name is on the back of your car, we're behind you all the way!
    2. Re:Simpsons memory by w_dragon · · Score: 1

      Clicking a random link while logged into facebook is not permission to post something on my wall as me. Well, right now it is, but it shouldn't be.

    3. Re:Simpsons memory by rjstanford · · Score: 1

      In all fairness, you clicked on a link which caused a big popup window to appear stating, "{APPNAME} wants to learn about all your stuff, and your friends, and write on your wall, before showing you what kind of beaver mustache you are. Mmmmkay?" to which you had to very explicitly say "APPROVE!!!" It's not like they're making it a big secret. How would you handle it, exactly?

      --
      You're special forces then? That's great! I just love your olympics!
  25. Re: thank you (google voice | text+ | your virtual by Edzilla2000 · · Score: 1

    Except in this case the number needs to stay valid, otherwise you can't receive a text later on if you want to log in to facebook elsewhere.

  26. Two Factor Authentication == Phone Authentication by Requiem18th · · Score: 1

    Have you noticed how every news we get about "Two Factor Authentication" ALWAYS means "Mobile Phone Authentication"?

    I don't know if you read TFA, I did so just to confirm it but could see it coming from miles away. It has come to be that you don't really have to ask what kind of "Two Factor Authentication" they are scheming because it always always always means "Mobile Phone Authentication"

    --
    But... the future refused to change.
  27. Authority by Wowsers · · Score: 1

    Two factor login?

    Q1: We will trawl your personal data to sell to advertisers, log in here...

    Q2: Are you sure you want your details to be sold to advertisers? Log in here...

    --
    Take Nobody's Word For It.
  28. what if you never log out? by SpinningCone · · Score: 1

    2 factor is useless if you never log the hell out of facebook. I just want my flippin session to timeout after 30 min >_>

    1. Re:what if you never log out? by Anonymous Coward · · Score: 0

      Would have been useful to those who have been hacked because:

        1) they were tricked into giving up their password to a rogue website that pretends to be facebook

        2) they did log out, but someone after them knew their password to get back in (via keylogger or video)

    2. Re:what if you never log out? by _0xd0ad · · Score: 1

      Why? You leave your computer unattended and unlocked where other people might be able to use it?

  29. Texting? by OhHellWithIt · · Score: 1

    That's no good for those of us who don't have texting service on our phones. Who needs texting with a data plan (and IM readily available)?

    --
    "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
  30. Re:Two Factor Authentication == Phone Authenticati by rjstanford · · Score: 1

    It's because most people already have a mobile phone, and thus they can offer this for free. They already have email verification through the "I forgot my password" process, so that wouldn't be newsworthy. What's the alternative, sending everyone a SecurID card? Should every website make you carry a keyfob to use it?

    --
    You're special forces then? That's great! I just love your olympics!
  31. Something fishy here by Anonymous Coward · · Score: 1

    From the article:

    Even interns like myself are tasked with big projects to help improve account security. Instead of working on mundane tasks and simple problems, interns are given high-impact assignments that reach out to hundreds of millions users every time they use Facebook.

    They tasked an INTERN with security?!?

  32. Brilliant move to further ruin your privacy.. by cheros · · Score: 1

    The covert threat is: you either submit your mobile phone number or we will not protect you anymore.

    I keep the details I hand to FB to an absolute minimum, and my phone number is certainly not going to be added. The problem I see is that I have no way to disable SMS spam, so once FB decided to resell data again I might as well get a new number (with all the associated costs).

    It would be smarter if they finally implemented OpenID support, because you can then simply choose the service that you deem safest. But hey, that would not supply even more private data, would it?

    Nice try FB, but ab-so-lu-te-ly no way. I wonder how many idiots will fall for this..

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
    1. Re:Brilliant move to further ruin your privacy.. by Anonymous Coward · · Score: 0

      I have had my mobile number on facebook, listed as friends only, since I joined, around 8 years ago. I have never received an unwanted text or phone call because of it.

  33. I'd Rather Google by dmexs · · Score: 1

    I'd rather they allow authentication via google ID, so I can use google's more versatile two-factor auth.

  34. Phone number harvesting by Anonymous Coward · · Score: 0

    Great way to encourage people to link their phone numbers with their accounts.

  35. FFS by t-twisted · · Score: 1

    facebook.com still points to http://www.facebook.com/ by default, I'll wait for the headline when THAT changes.

  36. Re:Two Factor Authentication == Phone Authenticati by Anonymous Coward · · Score: 0

    And years ago have you ever noticed how "Two Factor Authentication" ALWAYS meant "token generator keyfob"? What's your point?

  37. Re:Two Factor Authentication == Phone Authenticati by Richy_T · · Score: 1

    If openid were adopted more widely, you'd only need the one keyfob (or not at all depending on your provider)

    Though as it looks like facebook is likely to fill the niche that openid was intended for if things continue as they are, if facebook did this, that may be sufficient.

  38. Re:Two Factor Authentication == Phone Authenticati by Anonymous Coward · · Score: 0

    Not always. http://tiqr.org/ sounds interesting (droid and iDevice only atm)

  39. Is this scenario 2 factor authentication? by Anonymous Coward · · Score: 0

    At work, we have a server that has sensitive information on it and is only accessible to 2 people. The only service it runs is ssh. The server can be accessed from the outside, but it only whitelists a few IP addresses, and every other IP address is denied. Only a few people are given access to the server, and password authentication is not allowed, but rather they must use public key authentication. The 2 system admins keep the private keys themselves, and private keys are protected with a strong password. Is this 2-factor authentication, because it's something you have (private-key), and something you are (a certain IP address)? Isn't it technically 3-factor authentication because you also have to have a password to unlock the private key (something you know)?
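
The setup in the comment above, written out as an added example that is not part of the original comment: a constructed sshd_config is parsed to show which of the three claimed factors the SSH server can enforce by itself. The user names and addresses are made up, and the `AllowUsers user@host` form is an assumption, since the comment does not say how the IP allowlist is implemented.

```python
import ipaddress

# Constructed sshd_config for the setup in the comment (made-up users,
# documentation address ranges).
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers alice@203.0.113.10 bob@198.51.100.0/28
# A later duplicate is ignored: sshd keeps the first value it reads.
PasswordAuthentication yes
"""

# sshd's built-in defaults for the keywords inspected here.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_sshd_config(text):
    """Return {keyword: value} for the global section; first value wins."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        keyword, *rest = line.split(None, 1)
        keyword = ALIASES.get(keyword.lower(), keyword.lower())
        if keyword == "match":  # conditional blocks are outside this sketch
            break
        settings.setdefault(keyword, rest[0] if rest else "")
    return settings

def source_is_pinned(entry):
    """True when an AllowUsers entry has the form user@<IP address or CIDR>."""
    _, at, host = entry.rpartition("@")
    try:
        ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False
    return bool(at)

def server_enforced_checks(text):
    """Report which of the comment's three claimed factors sshd can enforce."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    allow = cfg.get("allowusers", "").split()
    return {
        # Assumes GSSAPI and host-based authentication stay at their default (off).
        "public key only": (cfg["pubkeyauthentication"] == "yes"
                            and cfg["passwordauthentication"] == "no"
                            and cfg["kbdinteractiveauthentication"] == "no"),
        "source address pinned": bool(allow) and all(map(source_is_pinned, allow)),
        # The passphrase only decrypts the key file on the client; sshd never sees it.
        "key passphrase": False,
    }
```

Run against the sample, the first two checks come back true and the third false: whether each private key really is passphrase-protected has to be verified on the admins' machines, not on the server.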

  40. AdBlock Plus by _0xd0ad · · Score: 1

    ||facebook.com^$third-party,domain=~fbcdn.net,domain=~facebook.com
    ||facebook.net^$third-party,domain=~facebook.com,domain=~fbcdn.net
    ||fbcdn.net^$third-party,domain=~facebook.com,domain=~facebook.net

  41. weeding out duplicates by Anonymous Coward · · Score: 0

    It's easy to get different email addresses, but difficult to get multiple phone numbers. Maybe this is to address advertisers' concerns that their user base isn't as big as they claim.

  42. Interns? by Anonymous Coward · · Score: 0

    Even interns like myself are tasked with big projects to help improve account security. Instead of working on mundane tasks and simple problems, interns are given high-impact assignments that reach out to hundreds of millions users every time they use Facebook.

    No offence, but I don't like the idea of Facebook interns working on security features when the core developers themselves can't seem to do it right.

  43. Screw Failbook by kheldan · · Score: 1

    They can go to hell. I don't want them having my phone number. Fail, fail, fail.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  44. Getting around "do not call", Just like Google by Anonymous Coward · · Score: 0

    They requested my phone number for YouTube. The only thing I cared about on it was my favorites list, which wasn't that big and I was able to download it with some careful copy-paste in the browser.

    I haven't logged into my YouTube account since then.

    Giving them a phone number probably creates an "existing business relationship", which allows them to telemarket you.

  45. Re:Two Factor Authentication == Phone Authenticati by Requiem18th · · Score: 1

    Anonymous delivers!

    --
    But... the future refused to change.
  46. 2FA by Anonymous Coward · · Score: 0

    It’s great that Facebook is strengthening security by using two-factor authentication. People share so much personal information on Facebook that relying on a single layer of password protection is simply not enough. However, sending a code by SMS text message is not very secure because they are sent in clear text. If the user were to lose their phone or have it stolen, anybody could read that text message and fraudulently authenticate.

    More websites need to use two-factor authentication like Facebook is doing, but a more secure and easier-to-use approach is to send an image-based authentication challenge to the user’s phone, like Confident Technologies provides: http://bit.ly/dMNzB5. A grid of pictures is displayed on the user’s smartphone and to authenticate, the user must correctly identify the pictures that fit their pre-chosen, secret categories. Even if someone else had possession of your phone, they wouldn’t be able to authenticate because they wouldn’t know your secret picture categories.