If you’re worried about hackers taking over your Facebook account, you’ll be heartened to hear that as of this week, Facebook has added support for USB key two-factor authentication to improve account security.
Two-factor authentication (called “2FA” by cybersecurity nerds) requires an extra token in addition to your password to prove your identity when logging into online services. This prevents someone with your password to access your account. Previously, Facebook supported SMS and app-based 2FA, which prompt you to type in a number sent to your phone.
Physical 2FA replaces numbers with a USB key you plug into your PC or Mac. In addition to providing a more user-friendly experience, USB keys are also more secure than mobile apps and SMS because they’re immune to phishing and man-in-the-middle attacks, two common kinds of attacks used by hackers.
Other services such as Dropbox, Google, GitHub, and Salesforce have been supporting USB keys for years. If you’ve been using a YubiKey or any other stick employing the U2F standard to secure those accounts, you can use the same key for your Facebook account. If you’re reading this, however, you’re probably just getting started in 2FA. Here’s what you need to know.
How to enable USB key authentication on Facebook
Here are the steps to enable USB key authentication on your Facebook account:
1) Go to the Security settings page and expand the Logins Approval section.
2) In the Security Keys section, click the Add Key link and the Add Key button in the dialog that appears.
3) When the prompt appears, plug in your USB key and tap its button when its light starts blinking.
Once your key has been added, you’ll be prompted to re-enter your password to confirm the addition and to select a name to represent the physical key.
5) When the process is completed, your newly added key will be visible under the Security Keys section.
If you’re not used to physical authentication keys, here are a few good practices:
Have backups keys: Just like everything else that fits in your pocket, keys can get lost (or possibly stolen). Therefore, you should have backup keys. Facebook’s security settings allow you to add multiple keys and to remove lost or broken ones.
Have backup methods: For the moment, only the Facebook desktop website supports USB authentication, and the mobile website supports NFC-based keys such as the YubiKey Neo. Facebook’s mobile apps do not support physical keys yet. Therefore, you should still keep your app or SMS authentication enabled as a backup method.
Facebook’s USB authentication is not mandatory, but it is a welcomed move, as cybercriminals are targeting social media platforms at an accelerating pace. Hopefully, other social media services will follow suit and enable privacy-conscious users to breathe a sigh of relief.