Slashdot Mirror


Facebook's New Tool Looks To Replace Traditional Two-Factor Authentication (thenextweb.com)

Facebook today unveiled a new feature to let its 1.79 billion users reset passwords for other websites using its platform, an effort to further entrench the social network in people's digital lives. From a report: Delegated Recovery, as it's being called, looks to be a step forward for those afraid of losing their devices when using two-factor authentication (2FA) -- which should be most of us. The security feature addresses the common concern of losing the device tied to your account. With Delegated Recovery, Facebook lets users set up an encrypted recovery token for sites like GitHub, and stores it at Facebook. If you lose the login information for GitHub, you'd simply log in to Facebook and send the stored token to the site to prove your identity and regain access. The token is encrypted, and Facebook can't access the information stored on it. Facebook also promises not to share it with third-party websites (aside from those you authorize).
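Added example, not Facebook's or GitHub's code and not the Delegated Recovery specification: a stdlib-only Python model of the exchange the summary describes, in which the account provider encrypts and authenticates the token under keys only it holds, while the recovery provider stores the opaque blob and countersigns it when its logged-in user asks for it back. Assumed names are AccountProvider, RecoveryProvider and demo(); HMAC-SHA256 in counter mode stands in for a real AEAD cipher, and a shared-key countersignature stands in for the asymmetric signature a real deployment would use.

```python
import hashlib, hmac, json, secrets
from typing import Dict, Optional, Tuple

def _prf_block(key: bytes, label: bytes, counter: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode: a stdlib-only stand-in for an AEAD cipher.
    return hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _prf_block(key, b"enc" + nonce, i // 32)
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class AccountProvider:
    """The site that owns the account (GitHub in the summary); only it holds the keys."""
    def __init__(self, name: str):
        self.name = name
        self.enc_key = secrets.token_bytes(32)  # never leaves this provider
        self.mac_key = secrets.token_bytes(32)
        self.trusted_recovery: Dict[str, bytes] = {}  # recovery provider -> countersign key

    def issue_token(self, user_id: str, recovery_provider: str) -> dict:
        """Mint an opaque recovery token bound to one user and one recovery provider."""
        nonce = secrets.token_bytes(16)
        ct = _xor_keystream(self.enc_key, nonce, json.dumps({"user": user_id}).encode())
        # The tag also covers issuer and audience, so the token cannot be re-pointed.
        tag = _mac(self.mac_key, self.name.encode(), recovery_provider.encode(), nonce, ct)
        return {"issuer": self.name, "audience": recovery_provider,
                "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

    def recover(self, token: dict, countersig: bytes) -> Optional[str]:
        """Validate a token returned by a recovery provider; give back the user id or None."""
        rp_key = self.trusted_recovery.get(token.get("audience", ""))
        if rp_key is None or token.get("issuer") != self.name:
            return None
        nonce, ct = bytes.fromhex(token["nonce"]), bytes.fromhex(token["ct"])
        tag = _mac(self.mac_key, self.name.encode(), token["audience"].encode(), nonce, ct)
        if not hmac.compare_digest(tag, bytes.fromhex(token["tag"])):
            return None  # tampered or forged token
        # Countersignature shows the recovery provider released it to its logged-in user.
        if not hmac.compare_digest(_mac(rp_key, tag), countersig):
            return None
        return json.loads(_xor_keystream(self.enc_key, nonce, ct))["user"]

class RecoveryProvider:
    """Stores tokens it cannot decrypt and countersigns them on request (Facebook's role)."""
    def __init__(self, name: str):
        self.name = name
        self.countersign_key = secrets.token_bytes(32)
        self.vault: Dict[Tuple[str, str], dict] = {}  # (recovery account, issuer) -> token

    def store(self, account: str, token: dict) -> None:
        if token["audience"] != self.name:
            raise ValueError("token is not addressed to this recovery provider")
        self.vault[(account, token["issuer"])] = token

    def release(self, account: str, issuer: str) -> Tuple[dict, bytes]:
        token = self.vault[(account, issuer)]
        return token, _mac(self.countersign_key, bytes.fromhex(token["tag"]))

def demo() -> Dict[str, Optional[str]]:
    """Walk through setup, one successful recovery, and three rejected attempts."""
    site, fb = AccountProvider("example-site"), RecoveryProvider("recovery-provider")
    site.trusted_recovery[fb.name] = fb.countersign_key  # out-of-band trust setup (constructed)
    token = site.issue_token("alice", fb.name)
    fb.store("alice@recovery", token)
    good_token, good_sig = fb.release("alice@recovery", site.name)
    tampered = dict(good_token, ct=bytes(b ^ 1 for b in bytes.fromhex(good_token["ct"])).hex())
    return {
        "valid": site.recover(good_token, good_sig),
        "tampered": site.recover(tampered, good_sig),
        "stolen_no_countersig": site.recover(good_token, b"\x00" * 32),
        "other_site": AccountProvider("other-site").recover(good_token, good_sig),
    }
```

The three rejected cases cover the risks raised in the comments below: a token altered in transit, a vault copy stolen from the recovery provider without its countersignature, and a token replayed to a site that never issued it.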

75 comments

  1. Wont Share by Anonymous Coward · · Score: 3, Insightful

    Fakebook won't share it unless the gov makes them.

    1. Re:Wont Share by Anonymous Coward · · Score: 0

      Fakebook won't share it unless the gov makes them.

      Yea .....

    2. Re:Wont Share by Anonymous Coward · · Score: 0

      Fakebook won't share unless they can make a buck off of it.

      There, fixed it for you.

  2. Promises? by Anonymous Coward · · Score: 0

    Because their word is known as truth.

  3. I'm looking to reduce Facebook in my life by QuietLagoon · · Score: 5, Insightful

    Not increase it. There is NO WAY I'd link Facebook in with any security process I have or use. NO WAY .

    1. Re:I'm looking to reduce Facebook in my life by Anonymous Coward · · Score: 0

      Me too. At this point, I just need the messenger to communicate with a few chicks (but I need to cut out that anyway).

      Having 0 social media ties when asked for the passwords by job interviewers or border guards. But I'm keeping my slashdot Anonymous Coward account active ;)

    2. Re:I'm looking to reduce Facebook in my life by FrankHaynes · · Score: 1

      *NO F@CKING WAY!!!

      --
      slashdot: A failed experiment.
    3. Re:I'm looking to reduce Facebook in my life by ctilsie242 · · Score: 1

      Why would I have an intrusive social media platform be the gatekeeper for my recovery stuff? Too many eggs in one basket, and FB is many things, but they really don't have independent certification as a security provider.

      My recovery tools for 2FA stuff are a printout of Google Authenticator codes stashed in my floor safe, and my iPod Touch.

    4. Re:I'm looking to reduce Facebook in my life by thegarbz · · Score: 1

      And yet Facebook knows more about you than any other service making it possibly the best repository of information you know that you could use to definitively identify who you are.

      In the meantime everyone I know knows my cat's name, so there goes my banking security.

    5. Re:I'm looking to reduce Facebook in my life by Anonymous Coward · · Score: 0

      I have... well, _had_... two facebook accounts: one for my normal, everyday life, and one that was more oriented towards my sexual preferences. Those are not extremely far outside the mainstream (I enjoy seeing women in tight clothing, like swimsuits - they aren't even naked), but it sure offended some people. At no point did I ever approach anyone from outside that community, and I never posted any explicit content. Well, to make a long story short: at some point I was challenged whether the account was using my real name or not. I was pestered again and again to provide a phone number (which I refused), and eventually the account was simply blocked until I provided an official document with my name on it. I provided that document. They then demanded to see the document, in a photo with me holding it (WTF?). I haven't provided that yet, and I'm not going to either - no doubt the next step will be to tell me I violated the terms of service and thus lose access anyway. Besides, it's an inexcusable violation of my privacy already.

      I already feel like I lost a part of my life, chatting with like-minded people all over the world. Yes, some of it was explicit in nature. It's called "being human", and in this day and age of LGTBQTBBQ people I really don't feel like I should be apologising for a pretty harmless sexual deviation. Now imagine I would have used that account to also give me access to other places: those would also all be lost to me now.

      Ok, so I'm some weird freak, you're probably thinking. Just do a search for people losing their FB account for no good reason whatsoever - it can basically be _anything_, and in lots of cases it isn't even clear what. People simply lose their account, and FB will not tell them why or how they can get it back. That includes accounts of small businesses, btw, who also stand to lose a lot of money this way. FB is already too powerful, and not accountable enough as is, and adding to its power by using it as a sign-in service for other websites (when there is precisely zero guarantee that you will retain your FB account no matter what) is utterly, completely unacceptable.

    6. Re: I'm looking to reduce Facebook in my life by Anonymous Coward · · Score: 0

      Maga is a strong and beautiful name for a cat.

    7. Re: I'm looking to reduce Facebook in my life by Anonymous Coward · · Score: 0

      Try to keep yourself from grabbing at it, would you?

    8. Re:I'm looking to reduce Facebook in my life by houghi · · Score: 1

      I have reduced it to 0 and have added the domains I have found to my host file pointing to 0.0.0.0
      That way I can not even go there by accident.

      I have used Facebook for about 3 months and not even with my real name and I had 100 "friends" who almost all blindly accepted me. And suddenly I realized that if I wanted to know what you did for lunch, I would call you.

      And the people who say that they keep contact with others and Facebook is the only way. If those people can't even be bothered to reply to an email or an SMS, I think they are not really interested in me.

      It felt like when you meet people in the street and say "we should meet sometime" with the difference that they actually take up contact instead of saying the next time 'we really should meet sometime'.

      --
      Don't fight for your country, if your country does not fight for you.
    9. Re: I'm looking to reduce Facebook in my life by Anonymous Coward · · Score: 0

      I do the same thing, and been lucky enough to avoid the same fate. Facebook's obsession with "authenticity" only seems to apply to customers, not Facebook itself. Otherwise, we would have tools for managing aliases and segmenting our lives, or they wouldn't crack down so hard on duplicate profiles. A LOT of people authentically want to separate different parts of their lives.

  4. A Facebook promise? by QuietLagoon · · Score: 5, Interesting

    ...Facebook also promises not to share it with third-party websites...

    That sounds like a marketing interpretation of a privacy policy that probably is as leaky as a sieve.

    1. Re:A Facebook promise? by cdrudge · · Score: 4, Interesting

      Well technically 3rd party companies aren't third party websites although they may operate websites. And of course government agencies aren't websites either...

    2. Re:A Facebook promise? by Anonymous Coward · · Score: 1

      Oh come on. That's not fair. A sieve at least partially obstructs a flow.

    3. Re:A Facebook promise? by Anonymous Coward · · Score: 0

      They said they wouldn't share it... not that they wouldn't sell it :)

  5. Same as trusting Facebook with all your passwords by Anonymous Coward · · Score: 0

    Helping to reduce security, one password at a time.

  6. what's the catch by Anonymous Coward · · Score: 1

    Really? Facebook is just providing this service with no upside to themselves? I'm not buying it.

    1. Re:what's the catch by PCM2 · · Score: 1

      Eh, the catch is that you need to have an active Facebook account. That's obvious, right? No need to go looking for some devious motive when the upside is staring you right in the face.

      --
      Breakfast served all day!
  7. They delete and lock accounts too often by daninaustin · · Score: 2

    It's too easy to get your facebook account deleted or locked out for it to be useful for this.

  8. Too big for their britches by Anonymous Coward · · Score: 2, Interesting

    Facebook is getting into aspects which a social networking service has little business being involved in. A while back somehow a family member's account became locked; to get it back up and running they were requiring photo ID. It's a social contact website, not a bank account.

  9. I call BS. by fishscene · · Score: 1

    "Facebook also promises not to share it with third-party websites (aside from those you authorize)." What this will turn out to mean is that you can't get access to the features and anything useful on 3rd party websites unless you authorize them access to your account.

    1. Re: I call BS. by Anonymous Coward · · Score: 0

      Or there'll be an update where they switch over to opt-out. Because that has worked so well for them before.

  10. "Facebook's Parse Is Shutting Down Today" by swb · · Score: 1

    I mean it was the exact next story after this one on the front page. And I'm supposed to *rely* on this service to gain access to lost 2FA tokens somehow?

    And since when do I trust Facebook with anything? I hardly trust them to keep the privacy settings where I put them.

  11. Defeats the purpose by Anonymous Coward · · Score: 0

    Because having an "oh shit" lever you can pull in one, central location, to unlock all your accounts, totally doesn't fly in the face of everything you're trying to accomplish with 2FA.

  12. "Facebook promises" by vvaduva · · Score: 3, Interesting

    Facebook also promises not to share it with third-party websites (aside from those you authorize)

    lolz. I am sure the NSA will love this shit.

    1. Re:"Facebook promises" by bob4u2c · · Score: 1

      I thought Facebook was funded by the NSA, did Facebook lose their funding?

    2. Re:"Facebook promises" by Anonymous Coward · · Score: 0

      > Facebook *pinky promises* not to share it with third-party websites (aside from those you authorize)

      FTFY.

  13. SMS? by rwven · · Score: 1

    The best way to avoid this problem is to use SMS for 2 factor authentication. Almost all common services support it, and if you lose your phone, a new phone will work just as well.

    1. Re:SMS? by Anonymous Coward · · Score: 0

      SMS is crap for security.

      I've been on holiday a few times where it comes up "we don't recognise this device. An SMS was sent to your phone for authentication" etc.
      Great, except the country I'm in doesn't support the telecom bands and I won't be able to pick up SMS until I return... In the meantime I'm locked out, no way in.

    2. Re:SMS? by FrankHaynes · · Score: 1

      SMS is almost as insecure as Facebook itself.

      --
      slashdot: A failed experiment.
    3. Re:SMS? by rwven · · Score: 1

      If it's so terrible it certainly hasn't assuaged Google, Github, and a huge number of other big services from using it. Many of them are still ADDING support for it. If you're afraid of the government pretty much nothing is going to stop them. If you're just looking for general "good security," SMS will work fine.

    4. Re:SMS? by tlhIngan · · Score: 2

      If it's so terrible it certainly hasn't assuaged Google, Github, and a huge number of other big services from using it. Many of them are still ADDING support for it. If you're afraid of the government pretty much nothing is going to stop them. If you're just looking for general "good security," SMS will work fine.

      The problem with SMS is well, you're assuming a person has a phone which has a phone number.

      NIST wrote guidelines against it because a "phone has a phone number" is no longer accurate. A phone number may not refer to *A* phone, but maybe multiple phones. Or hijacked along the way (including the phone itself).

      Google's switched to the Google Authenticator app, so while they can use SMS, it's a legacy thing.

      Anyhow, this isn't true two factor authentication. You're really just using another password to log in - either use your site login, or log into facebook to change it if you forget it. There is no second factor in play (what you know, what you are, what you have). You either know the site password, or your facebook password.

      This is more along the lines of Wish it Was Two Factor.

    5. Re:SMS? by Anonymous Coward · · Score: 0

      Google's Authenticator seems to be a "legacy thing" now too, have fun with it when you get another phone and have no way to move Authenticator.

  14. What's the advantage? by willoughby · · Score: 1

    Why would I trust Facebook with this instead of just buying a YubiKey? Is there somewhere the YubiKey won't work and this would?

    1. Re:What's the advantage? by kqs · · Score: 1

      It sounds like this doesn't replace TFA, it complements it. It is an attempted solution for "what do you do when you lose/damage your yubikey?"

      We can argue about whether or not this is a good solution (my guess is that it is fine for most people, but not for security professionals), but there is no doubt that it is trying to solve a real problem (just not the one in the headline).

    2. Re:What's the advantage? by unixisc · · Score: 1

      I have LastPass, which I access from 3 of my devices. Why would that be inadequate?

    3. Re:What's the advantage? by kqs · · Score: 1

      Why would Lastpass be inadequate? Lastpass is also a fine solution, as long as you store a manual replacement for your TFA there in a secure note. It's more complex than Facebook's system, but does far more.

      Anything which makes TFA easier is a good thing. Facebook is solving one TFA problem. U2F solves some different problems. Lastpass solves a slightly different set of problems. Bad security is easy, good security is hard and will get harder as long as criminals exist.

  15. Re:They delete and lock accounts too often by Anonymous Coward · · Score: 0

    Posted a picture of breastfeeding instead of someone being decapitated, eh?

  16. Honeypot by twebb72 · · Score: 1

    Does anyone else see this as a honeypot for <Insert your favorite state run organization here> to gain access to all your accounts?

  17. So it's by Anonymous Coward · · Score: 0

    ... simply log in to Facebook and send the stored token ...

    So it's a bit like a password manager stored in the cloud. What they're really trying to do is the Microsoft Passport service of yesteryear where one uses a single password to log in to everything. The internet has gotten a lot more dangerous since those days and everyone with half a clue knows password re-use is a poor practice.

    The most disturbing part of this is, it empowers Facebook to spy on what people do at other websites: If tracking netizens via 'Like' buttons was morally dubious, even though people opted in to that tracking, providing this service and the abuse of monopolistic power it allows should disgust all netizens.

  18. Delegated vs Federated logins by CaptainStumpy · · Score: 1

    Relevant 60 second read: http://sites.psu.edu/ntsh/2010...

    --
    It will be better to purchase from an owner who is a good farmer and a good builder.
  19. Re:They delete and lock accounts too often by dgatwood · · Score: 3, Insightful

    Even ignoring that problem, at a glance, it seems like there are so many problems with that idea that I almost don't know where to begin. It assumes we trust Facebook to keep the token secure (we don't). It means that if somebody hacks your Facebook account, now they have access to all your accounts (yikes). And so on.

    A better solution is to add your home phone and office phone as alternate second factors.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  20. Since when did Facebook become the de facto SSO??? by Anonymous Coward · · Score: 0

    #NotMySSO

  21. Nothing will replace your sanity by Doloresanto · · Score: 1

    And nothing is better than not even being on Facebook. Avoid it at all costs if you can.

  22. April 1st only 61 days away by WaffleMonster · · Score: 1

    If only they had waited two months more before posting TFA it would have been worth reading.

  23. Re:They delete and lock accounts too often by networkBoy · · Score: 1

    Or a U2F key in a secure location (like a safe deposit box).

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  24. New tool by Anonymous Coward · · Score: 0

    Better than the old tool, the jewbastard shyster Zuckerberg.

  25. Re:They delete and lock accounts too often by FrankHaynes · · Score: 1

    It means that if somebody hacks your Facebook account, now they have access to all your accounts (yikes)

    For similar reasons, I'm still not sold on the idea of cloud-based password managers. That seems like a problem just waiting to happen.

    --
    slashdot: A failed experiment.
  26. What could possibly go wrong? by JonnyCalcutta · · Score: 1

    Do I even need to bother with a list?

  27. Why is it a concern? by 140Mandak262Jamuna · · Score: 1

    I have a 2FA key fob from Schwab and Vanguard for my account with decent balance. If I lose it, I need to call the 800 number and go through some verification and then a new key fob will arrive by mail, or so they promise me. I might not be able to trade during part of that period but otherwise why would one eschew 2FA itself for the fear of losing the key fob.

    My concern was not losing it, but how to make it work with Quicken.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  28. Already Apps by Anonymous Coward · · Score: 0

    Already apps that allow you to encrypt your secrets that generate tokens. Authy is an example. Not paid in any way to plug it, just really practical.

  29. Re:They delete and lock accounts too often by thegarbz · · Score: 0

    It's too easy to get your facebook account deleted or locked out for it to be useful for this.

    But is it really? I mean the only people I know of who get their account deleted or locked out are trolls, SJWs, activists, and people who just plain shit on their terms of service for shits and giggles.

  30. Wrong by campuscodi · · Score: 1

    2FA is used for logging in. Delegated Recovery is used for account recovery. How can one replace the other?

    1. Re:Wrong by uCallHimDrJ0NES · · Score: 1

      Just what I was wondering.

      --
      Cloudiot: A person who does not see offsite storage as a way to lose control over access to his or her own data.
  31. Pick two by Anonymous Coward · · Score: 0

    Portable, Convenient, Private. Pick two.

  32. Devil's Advocate by Anonymous Coward · · Score: 0

    Just to play the part of the Devil's Advocate (possibly more literally true than frequently the case):
    1) Systems are already using Facebook for authentication and authorization. Thus far they have been using unofficial work-arounds by playing with messaging and other credentials. Providing an official way is more secure, better tracked and audited, and easier to standardize.
    2) Is this really substantially less secure than using your phone number and smartphone for 2 factor authentication? Assuming it is (and I'll admit that it probably is), is it THAT much less secure in practice?

  33. LMAO by Anonymous Coward · · Score: 0

    The token is encrypted, and Facebook can't access the information stored on it. Facebook also promises not to share it with third-party websites (aside from those you authorize).

    Can anyone name ONE privacy related promise that Facebook has kept?

  34. Re:They delete and lock accounts too often by nasch · · Score: 1

    For similar reasons, I'm still not sold on the idea of cloud-based password managers. That seems like a problem just waiting to happen.

    If you have a highly secure password/passphrase, which you really should, what's the risk? Unless the encryption is not as good as I've been led to believe, it's not hard to make a password that would take hundreds to thousands of years to crack with current technology. Change your master password every ten or twenty years and you should be OK even if someone gets hold of your encrypted password storage.

  35. Encrypted token by manu0601 · · Score: 1

    The token is encrypted, says Facebook. But how does one decipher it in order to use it? By sending a passphrase to Facebook? Better not forget it.

    Or perhaps they mean it is an opaque reference but it can be used as is. A kind of cookie, if you prefer.

  36. Re:They delete and lock accounts too often by knorthern+knight · · Score: 1

    >> It's too easy to get your facebook account deleted or locked out for it to be useful for this.

    > But is it really? I mean the only people I know of who get their account deleted or locked out are
    > trolls, SJWs, activists, and people who just plain shit on their terms of service for shits and giggles.

    Blame the victim, why don't you. Read this horror story... https://thenextweb.com/faceboo...

    Guy mysteriously gets his account disabled and is forbidden from creating a new one. This is straight out of Kafka...

    > According to the company's responses, Facebook's decision is final. There's
    > no way I can get back on the service and there's no way I can get my data
    > back and there's no way I can know why I've become ineligible for an account.

    Imagine you had all your calendar, contact, and password info on Facebook, and woke up one day to find out that you were locked out, with no access to that info. There are almost 1.8 billion users vulnerable to that scenario, of being locked out of Facebook at Zuckerberg's whim...

    I don't know why they "trust him"... dumb fucks. http://www.theregister.co.uk/2...

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  37. Re: by Anonymous Coward · · Score: 0

    True, if we are talking about computer security. Got to be careful at conferences and in public to avoid lawsuits due to the word's double meaning.

  38. Wow, a Facebook-branded password manager! by Anonymous Coward · · Score: 0

    Where do I sign up? No, wait...

  39. How about "no?" by Anonymous Coward · · Score: 0

    Facebook

  40. I'm sorry, what's hard? by holophrastic · · Score: 1

    I guess I just don't get it. I have a password. It's a password. Is it somehow difficult to remember my password? So difficult that I need Facebook to store something for me?

    Riddle me this: what's wrong with the sticky note on my desk? Or the piece of paper in my drawer? Or the notepad in my safe-deposit box?

    Is this for people who have zero experience being responsible for anything? Can't store your own shit, need someone else to store it for you?

    Sounds like this is absolutely nothing more than two passwords -- the one that I use every day remains the same, and then there's this alternate, much bigger one, that we'll call a "token" that's stored by facebook. Why can't I write down this very long token, and store it in my basement for ten years?

    Why is life so hard for so many people?

    This is also a principle thing. Forget privacy and governments and sharing. The best technology for the job of remembering a password isn't yet another provider. This is a backup-password, it's redundant anyway. Write it down, put it into a box, and leave it the hell alone next to your great grandfather's watch and your marriage licence and your incorporation documents and your mortgage agreement, and your insurance policy, and the warranty for your dishwasher and the certificate of authenticity for your bronze anubis statue.

    Wanna-be-really-clever? Write it onto a card and stick it behind one of the dozen pictures you have hanging on your walls.

  41. Re:They delete and lock accounts too often by FrankHaynes · · Score: 1

    I am suspicious of the notion that "The Cloud" is automatically superior in every way. I've seen the arguments that cloud services typically have high availability, are managed by smart teams, are accessible from everywhere. But the people saying this are likely IT pros doing the grunt work.

    I don't trust the company itself not to get sold and change the terms of service, go POOF!, or turn back every single cracking attempt (the bad guys only need to succeed ONCE). If I host my own password manager it is entirely up to me and I present a much smaller attack surface compared to a centralized repository sitting on the open internet.

    --
    slashdot: A failed experiment.
  42. Re:They delete and lock accounts too often by nasch · · Score: 1

    I suppose it depends on the cloud service. You can never be certain it's going to remain available forever; as you say companies and services come and go. I think you can tell from reviews whether the quality of a service is good. And services that work like LastPass (which is the one I'm familiar with) don't require access all the time anyway. There's a copy of the vault on whatever device you installed it on, and it just uses that, and the cloud is for synchronization. What happens if their service goes away entirely I'm not sure.

    If I host my own password manager it is entirely up to me and I present a much smaller attack surface compared to a centralized repository sitting on the open internet.

    That is true, but you're also substituting your own equipment, services, and skills instead of the provider's. A well respected service is likely to do a better job with both protection and availability for anyone other than experienced computer security professionals. I'm not one of those so I leave it to the pros, but maybe you are.

  43. Re:They delete and lock accounts too often by Anonymous Coward · · Score: 0

    Most smartphones do not require a password for Facebook after the first login. So if you lost your phone, you effectively lost all of your accounts protected by Delegated Recovery. This may be somewhat mitigated if the phone was locked and properly encrypted with a short timeout on the screen lock.

  44. Government will steal your login via FISA courts by Anonymous Coward · · Score: 0

    This is a BAD idea. The government will use secret FISA court orders to force Facebook to hand over your tokens, enabling the government to log into your non-Facebook accounts.

    Nice try, Facebook.