Facebook users are now able to use physical USB keys to authenticate their identities when logging in. The feature, announced Thursday, represents the addition of another option for Facebook users to configure two-factor authentication approval.
Traditionally, if a Facebook user were to log in to an account from an unrecognized device or browser, two-factor authentication would prompt a request for a special security code that is delivered via an SMS-based text message or authentication application. With Thursday’s news, Facebook users will now also have the option of relying on hardware to authenticate themselves.
Cybersecurity experts commonly describe two-factor authentication, or 2FA, as a necessary baseline security measure.
The security key feature is currently only compatible with the latest versions of Google Chrome and the Opera web browser. Both browsers support the open Universal 2nd Factor, or U2F, standard that is hosted by the FIDO Alliance.
“Most people get their security code for login approvals from a text message or by using the Facebook app to generate the code directly on their phone. These options work pretty well for most people and in most circumstances, but SMS isn’t always reliable and having a phone back-up available may not work well for everyone,” Facebook security engineer Brad Hill wrote in a company blog post Thursday. “Using security keys for two-factor authentication provides a number of important benefits.”
Using a physical key for 2FA helps thwart email phishing-style attacks. Because security keys are unique to the user, some rely on a fingerprint, and all employ a randomly generated password during each login process, the information obtained during the course of a phishing attack or other surveillance operation would be rendered useless.
USB security keys are developed and sold by a number of technology companies, including Swedish-American security firm Yubico. CyberScoop previously reported that Yubico had enjoyed a spike in orders from the U.S. federal market in 2016.
Security keys that support U2F — the FIDO standard — also function for 2FA login requirements of Google, Dropbox, GitHub and Salesforce, among other popular web-based services.