Updates: How to Boost your Facebook Sign-In Security
28th September, 2018 | Cyberprivacy | Entropic
Latest Updates
1) Facebook has announced another major data breach of almost 50 million user accounts. Hackers have exploited a vulnerability in the "View As" feature of Facebook that allows users to see what their profile looks like to other people.
2) Emerging research by Northeastern, and Princeton University working with Gizmodo has revealed that Facebook is now using your phone number that you entrust to them when setting up SMS-based two-factor authentication (2FA) for other purposes, aside from enhancing the security of your account. Specifically, they are using it to improve the granularity of their advertising services, including enhancing the ability for advertisers to target you more directly.
This adds to the list of reasons not to use this ailing type of 2FA to secure your account. 2FA is still a crucial part of securing your account, however there are better types of 2FA offered by Facebook - such as authenticator app-based 2FA. All forms of protection come with their own caveats, as illustrated in the updated Facebook 2FA options shown further in this article.
3) Instagram, a subsidiary of Facebook is rolling out support for authenticator-app based 2FA, which will allow their users to move beyond SMS-based 2FA.
It was May 2011 when Facebook first established its SMS-based Two-Factor Authentication system, which they originally named "Login Approvals".
Since then, due to widespread security issues with SMS-based two-factor authentication, they have been pressured into providing additional options to help enhance sign-in security for their users. This includes introducing their own authenticator feature into the Facebook App, called Code Generator, the ability to use security keys on Android smartphones, and finally in May of this year, announcing support for third-party authenticator apps, such as Google Authenticator, Authy, Duo Mobile, LastPass, or Yubico Authenticator.
Two-Factor Authentication (2FA) can significantly boost the security of your Facebook account by requiring a second piece of information, or action before allowing you to sign in. It should be noted that this feature does not eliminate the need to maintain your password. This is something that you'll need to continue to regularly change, record, and remember.
Implementing a convenient, yet secure method of two-factor authentication is a critical step to enhancing your security on Facebook. Unfortunately, the obsolete SMS-based sign-in security option is still being made available by Facebook to their users, despite already having more secure sign-in options. This means that their users will continue to adopt SMS sign-in security based on the assumption that this method of authentication is safe.
Instagram, a subsidiary of Facebook, appears to be improving sign-in security for their users based on a far more relaxed schedule. In 2016, they introduced an SMS-based 2FA system, and have yet to deliver better options to enhance sign-in security for their users. At the time of writing, the decision to enhance their security based on a schedule that is independent from Facebook, may now be starting to impact it's users in a significant way, raising questions about a potentially undiscovered security flaw in their infrastructure.
What are Your 2FA Options Currently?
You may have been coaxed into setting up one of Facebook's existing methods of 2FA, which is better than just using a password. However, since the method of 2FA you enabled may not be the most secure, it's good to know about all of the other options available, including their pros and cons.
Below we have listed, from best to worst (security, not convenience), the options that Facebook and Instagram provides as part of it's Two-Factor Authentication feature for increasing your account security. Please note also that the methods provided by Facebook/Instagram described below are subject to change over time, as they adapt their security.
You'll sign into Facebook with a username/password, and then use an additional physical security key that you either insert into your USB port, or place near your Near Field Communication (NFC) capable Android device.
AVAILABILITY: Facebook Only
SECURITY: Best Available
SETUP: Difficult
PROS
- Provides an additional layer of security, beyond using a simple username/password.
- Currently, the most secure option offered by Facebook.
- No need to type in a code to sign in, just plug into USB, or place near your NFC-enabled smartphone.
- Requires an attacker to physically have the security key in order to sign in.
CONS
- Not supported on Safari or Internet Explorer. Requires you to use Google Chrome, or Opera to setup and use the security key. You'll also need to install and use Google Chrome or Opera on all devices where you will use Facebook.
- Not supported on iPhones. Requires you to use an Android smartphone with NFC capability.
- Not supported by the Facebook mobile app on Android. To use a security key with a smartphone, you'll need to use Facebook from Google Chrome, along with Google Authenticator.
- USB-only security keys are less expensive, but will limit you to using devices that have a USB port. For example PCs and notebooks.
- USB+NFC security keys are more expensive, and will work with a broader range of devices. For example PCs, notebooks, and NFC capable Android smartphones and tablets.
- Losing or damaging your security key means you can no longer sign in.
- Can get expensive, since the normal recommendation is to buy multiple security keys ($15-$50 per key), in case you lose one.
- You'll need to watch where you store, and possibly forget about, your backup security keys.
You'll sign into Facebook with a username/password, and then enter an additional code that is generated by a special authenticator app on another device, such as your smartphone.
AVAILABILITY: Facebook Only
SECURITY: Moderate
SETUP: Inconvenient
PROS
- Provides an additional layer of security, beyond using a simple username/password.
CONS
- Needs additional setup, including the installation and setup of an Authenticator App, such as Google Authenticator, Authy, Duo Mobile, LastPass, or Yubico Authenticator.
- You'll need to type in an additional code every time you sign in.
- Vulnerable to phishing attacks, such as those instigated by Fake Security Apps.
- Passcode generation system can be bypassed/reverse engineered over time.
You'll sign into Facebook or Instagram with a username/password, and then enter an additional code that is sent to your smartphone via SMS text.
AVAILABILITY: Facebook and Instagram
SECURITY: Low
SETUP: Easy
PROS
- Provides an additional layer of security, beyond using a simple username/password.
- Provides the most user-friendly setup process out of all of Facebook's 2FA options.
CONS
- The phone number that you entrust to Facebook will be used for other commercial purposes, which includes improving the ability to target your account for advertising.
- Needs additional configuration.
- You'll need to type in an additional code every time you sign in.
- You'll need cellular coverage in the area where you are signing in.
- Vulnerable to phone SIM card hijacking.
- Vulnerable to phishing attacks.
- Vulnerable to phone hijacking/cloning and Trojan security Apps, including banking trojans.
You'll sign in to Facebook or Instagram with only a username and password.
AVAILABILITY: Facebook and Instagram
SECURITY: Worst Possible
SETUP: Easiest
PROS
- You only need to remember one password.
- No need for additional codes, apps and security keys.
CONS
- Requires only a single step to sign in, which in general simplifies several attack methodologies used by hackers.
- Vulnerable to brute force password attacks.
- Vulnerable to man-in-the-middle (MITM) attacks.
- Vulnerable to phishing attacks.
- Vulnerable if you are using the same, or similar usernames/passwords on other services that have been compromised.
How to Enable
Follow the Facebook or Instagram setup procedure to enable two-factor authentication.
Features to Avoid
For all types of two-factor authentication offered by Facebook/Instagram, there are convenience features that tend to break down the original vision of 2FA. So if possible, try to avoid depending on them too much, or at least be vigilant about how you use them.
Some examples are:
- The ability to take a picture of, download, or print backup codes that allow you to sign in from devices, in cases where you can't use 2FA.
Possible risks:
- After taking a picture of the codes with your smartphone, that picture might be synched to a cloud storage or backup service, meaning that it might become accessible to other people, or systems over time.
- After printing the codes, you might forget that your left a copy of these codes in you Downloads folder, or they might be lying around in your trash after you deleted them, or the printed codes might be intercepted in your baggage while you travel,...and so forth.
- Using any "Remember Browser" or "Remember this Computer" option, which defaults to ON. Possible Risk:
- If your device is stolen and the attacker has access to it, they'll be able to use this to access your information on Facebook or Instagram.
Regular Review
On a regular basis, you should regularly review the following on your Facebook account:
- Your password - update your password regularly using well established and updated password guidelines.
- The Where You're Logged In section in Facebook settings to see if there are any devices you don't recognize.
- The Authorized Logins to see which devices don't require 2FA. Ideally, all of your devices should have the maximum security available.
- Apps you may have unwittingly authorized to access your Facebook and Instagram accounts to prevent unwarranted access to your personal information. Issues with third-party apps accessing users personal information on Facebook and Google were highlighted earlier this year.
The Greater Problem
Despite the efforts of Facebook, and Instagram to secure their services, the single biggest vulnerability of their services is that they are centralizing the storage of their users information in one place.
This means that regardless of the blocking techniques used to stop entry into their fortresses, once access is gained, everything becomes available. This characteristic of Facebook and other consumer Internet services that centralize information, make it a very high value target for cybercriminals and nation states who will over time, unwaveringly continue to attempt to gain unauthorized access to the information of individuals and companies that is hosted in Facebook's data centers.
Panwrypter
Panwrypter is an App that is designed from the ground up specifically for decentralizing the storage of sensitive documents and files, protecting them from unauthorized access over time, including data breaches, cyber-theft, unauthorized physical access, or simply losing or forgetting about the existence of your files.
Being designed specifically for decentralized protection, Panwrypter is loaded with options that can help provide you with the best possible protection, while regarding your existing storage habits, which might include apps such as Google Drive.
Specifically, it can help you to define a decentralized approach to protecting your documents & files, based on your lifestyle, while helping you to continue to use your existing storage media and services - the ones that you are already comfortable with.
In addition, Panwrypter can help you recover your files in the event that one or more of your protected volumes is damaged, control where your files can be physically restored from, and help you to safely remember the details of your storage sites when you need to access your files at a later time.
Learn more about Panwrypter, or download it from the Mac App Store.
Conclusion
Facebook has recently opened up to crypto and decentralized technologies, having recently formed a blockchain research group. This is discussed in an article by David Hamilton, originally posted on CoinCentral.com.
If you have any feedback, questions, or suggestions, please let us know.
Acknowledgements:
Photo by Tom Grimbert on Unsplash