Several months back, we covered Google’s new and much-welcomed two-factor authentication process. As mentioned before, enabling true two-factor authentication greatly enhances an application’s security profile, a crucial step for applications as important and ubiquitous as Gmail and Google Docs. So after being painted with a giant bull’s eye last year following Firesheep’s debut demonstration, Facebook has followed Google’s lead and added several new security features, including two-factor authentication.
All of Facebook’s new security options have been conveniently grouped together under “Account Settings”. There are several check boxes here, as well as a list of devices that have recently logged into Facebook with your account.
First, be sure to enable secure browsing over an HTTPS connection, so as to prevent session cookie sidejacking, à la Firesheep.
The next few settings affect what actions Facebook takes when a new device attempts to log in with your account. You can be notified when this happens via email or SMS, but more importantly, you can have Facebook require two-factor authentication by having a verification code sent to your phone.
Below that, Facebook lists the devices you’ve already approved for this account and also the last few devices that have logged in with your account. You have the option of signing out of these devices.
These security settings are definitely a step in the right direction for Facebook, but they are still not as robust as Google’s two-factor authentication. Unlike Google, once a device has cleared the two-factor authentication and becomes a recognized device, Facebook no longer requires a code from your phone when you attempt to log in later. This choice was likely made for convenience, but it does mean that the second factor is nullified if someone has access to your recognized devices. Of course, you can avoid this issue by clearing all your cookies between sessions or always opening Facebook in incognito/private browsing mode.
Also unlike Google, Facebook does not yet have a smartphone authenticator application. This means that you will have to rely solely on SMS for the verification code if you choose to enable two-factor authentication. If you travel beyond local cell coverage (or do not have an SMS plan outside the country), you may not be able to receive the code and log in on a new device. Because the Google Authenticator app does not require an Internet connection, it provides a simpler and unconstrained alternative to SMS verification.
However, overall, Facebook is making admirable moves to enhance its users’ account security, and two-factor authentication ought to be adopted by many more high-traffic sites (we’re looking at you, Twitter).