Facebook recently introduced a two-factor authentication service called Security Key. How does Facebook Security...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Key work, and should organizations encourage employees to use it to prevent their accounts -- and, potentially, their enterprise devices -- from being hijacked?
Facebook recently introduced the ability to use what they call a Facebook Security Key as a second factor of authentication to its site. In order to use this feature within Facebook, the user needs to own a universal second factor, or U2F, device to enable login approvals through the security section of their profile.
The universal second factor standard was created by Google and Yubico, and uses the FIDO protocol with standard public key cryptography to provide a secure second form of authentication.
A universal second factor-compliant key is registered with a service, like Facebook, by approving it during the registration process. This is done by pressing the button on the universal second factor device when prompted, which starts the process of creating the second factor. This approval creates a key pair, in which the public key is sent to the online service and linked to the particular user's account. The private key is kept locally on the universal second factor device, and is never sent to the provider. This registration process creates the key pair for the second factor of authentication that is used each time during login going forward.
When a user with a universal second factor registered device attempts to log in to the site with which they've enabled U2F multifactor authentication, a few things happen. The application will send a login challenge after the user has logged in correctly with their username/password. This challenge will be sent back to the browser. A response is then sent only after the user pushes the button on the universal second factor device. Hitting the button on the device unlocks the universal second factor device, also known as the FIDO authenticator, and selects the proper key it used during registration to send a signed response back to the challenge it was sent to authenticate against. Once this signed response makes it back to the service, the site is able to validate the user with the public key it was given during registration. At this point, the user is fully authenticated and able to access the service.
Two-factor authentication is highly recommended to protect account data. It's becoming a standard practice now, and many regulatory compliance initiatives force this approach to protect user accounts.
The universal second factor framework takes the multifactor authentication approach slightly differently. Instead of using a phone or a token that's being authenticated against another service integrated into an application, universal second factor works directly with the application in question, without a middle man. The aim is to have the authentication take place without relying on a third party to authenticate a user, when it can all be done locally and directly with the service itself.
Universal second factor authentication is an interesting approach, and many large sites -- such as Dropbox, Facebook, Google and Salesforce -- are currently accepting it as a second factor. As more applications continue to adopt U2F and FIDO as standards, it's a good idea to use them to secure personal user accounts from being hijacked.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Check out this guide to buying the right multifactor authentication products
Find out what enterprises need to know about the FIDO authentication framework
Learn whether two-factor authentication or multifactor authentication is the better method
Dig Deeper on Two-factor and multifactor authentication strategies
Related Q&A from Matthew Pascucci
Google Cloud KMS is a new encryption key management service available for Google customers. Expert Matthew Pascucci discusses how this service works ...continue reading
Flaws in AirWatch Agent and AirWatch Inbox allowed rooted devices to bypass the software's security measures. Expert Matthew Pascucci explains how ...continue reading
US-CERT encouraged users to use newer versions of Windows SMB, since version one is out of date. Expert Matthew Pascucci explains how to tell if SMB ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.