By continuing to use this site, you agree to our updated Privacy Policy and Terms of Use. ×





Updates: How to Boost your Facebook Sign-In Security

28th September, 2018 | Cyberprivacy | Entropic

Latest Updates

1) Facebook has announced another major data breach of almost 50 million user accounts. Hackers have exploited a vulnerability in the "View As" feature of Facebook that allows users to see what their profile looks like to other people.

2) Emerging research by Northeastern, and Princeton University working with Gizmodo has revealed that Facebook is now using your phone number that you entrust to them when setting up SMS-based two-factor authentication (2FA) for other purposes, aside from enhancing the security of your account. Specifically, they are using it to improve the granularity of their advertising services, including enhancing the ability for advertisers to target you more directly.

This adds to the list of reasons not to use this ailing type of 2FA to secure your account. 2FA is still a crucial part of securing your account, however there are better types of 2FA offered by Facebook - such as authenticator app-based 2FA. All forms of protection come with their own caveats, as illustrated in the updated Facebook 2FA options shown further in this article.

3) Instagram, a subsidiary of Facebook is rolling out support for authenticator-app based 2FA, which will allow their users to move beyond SMS-based 2FA.

Photo by Tom Grimbert on Unsplash

It was May 2011 when Facebook first established its SMS-based Two-Factor Authentication system, which they originally named "Login Approvals".

Since then, due to widespread security issues with SMS-based two-factor authentication, they have been pressured into providing additional options to help enhance sign-in security for their users. This includes introducing their own authenticator feature into the Facebook App, called Code Generator, the ability to use security keys on Android smartphones, and finally in May of this year, announcing support for third-party authenticator apps, such as Google Authenticator, Authy, Duo Mobile, LastPass, or Yubico Authenticator.

Two-Factor Authentication (2FA) can significantly boost the security of your Facebook account by requiring a second piece of information, or action before allowing you to sign in. It should be noted that this feature does not eliminate the need to maintain your password. This is something that you'll need to continue to regularly change, record, and remember.

Implementing a convenient, yet secure method of two-factor authentication is a critical step to enhancing your security on Facebook. Unfortunately, the obsolete SMS-based sign-in security option is still being made available by Facebook to their users, despite already having more secure sign-in options. This means that their users will continue to adopt SMS sign-in security based on the assumption that this method of authentication is safe.

Instagram, a subsidiary of Facebook, appears to be improving sign-in security for their users based on a far more relaxed schedule. In 2016, they introduced an SMS-based 2FA system, and have yet to deliver better options to enhance sign-in security for their users. At the time of writing, the decision to enhance their security based on a schedule that is independent from Facebook, may now be starting to impact it's users in a significant way, raising questions about a potentially undiscovered security flaw in their infrastructure.

What are Your 2FA Options Currently?

You may have been coaxed into setting up one of Facebook's existing methods of 2FA, which is better than just using a password. However, since the method of 2FA you enabled may not be the most secure, it's good to know about all of the other options available, including their pros and cons.

Below we have listed, from best to worst (security, not convenience), the options that Facebook and Instagram provides as part of it's Two-Factor Authentication feature for increasing your account security. Please note also that the methods provided by Facebook/Instagram described below are subject to change over time, as they adapt their security.

The sign-in security options provided by Facebook


OPTION 1:
PHYSICAL SECURITY KEY

You'll sign into Facebook with a username/password, and then use an additional physical security key that you either insert into your USB port, or place near your Near Field Communication (NFC) capable Android device.

Facebook sign-in using a security key


AVAILABILITY: Facebook Only


SECURITY: Best Available


SETUP: Difficult


PROS


CONS



OPTION 2:
ONE TIME PASSCODE
(VIA AUTHENTICATOR APP)

You'll sign into Facebook with a username/password, and then enter an additional code that is generated by a special authenticator app on another device, such as your smartphone.

Google Authenticator


AVAILABILITY: Facebook Only


SECURITY: Moderate


SETUP: Inconvenient


PROS

CONS



OPTION 3:
ONE TIME PASSCODE
(VIA SMS)

You'll sign into Facebook or Instagram with a username/password, and then enter an additional code that is sent to your smartphone via SMS text.

Facebook SMS Authentication


AVAILABILITY: Facebook and Instagram


SECURITY: Low


SETUP: Easy


PROS

CONS



OPTION 4:
USERNAME & PASSWORD ONLY
(NO 2FA)

You'll sign in to Facebook or Instagram with only a username and password.

Facebook sign-in screen


AVAILABILITY: Facebook and Instagram


SECURITY: Worst Possible


SETUP: Easiest


PROS

CONS


How to Enable

Follow the Facebook or Instagram setup procedure to enable two-factor authentication.

Features to Avoid

For all types of two-factor authentication offered by Facebook/Instagram, there are convenience features that tend to break down the original vision of 2FA. So if possible, try to avoid depending on them too much, or at least be vigilant about how you use them.

Some examples are:

  1. The ability to take a picture of, download, or print backup codes that allow you to sign in from devices, in cases where you can't use 2FA. Possible risks:

    1. After taking a picture of the codes with your smartphone, that picture might be synched to a cloud storage or backup service, meaning that it might become accessible to other people, or systems over time.

    2. After printing the codes, you might forget that your left a copy of these codes in you Downloads folder, or they might be lying around in your trash after you deleted them, or the printed codes might be intercepted in your baggage while you travel,...and so forth.

  2. Using any "Remember Browser" or "Remember this Computer" option, which defaults to ON. Possible Risk:

    1. If your device is stolen and the attacker has access to it, they'll be able to use this to access your information on Facebook or Instagram.

Regular Review

On a regular basis, you should regularly review the following on your Facebook account:

  1. Your password - update your password regularly using well established and updated password guidelines.

  2. The Where You're Logged In section in Facebook settings to see if there are any devices you don't recognize.

  3. The Authorized Logins to see which devices don't require 2FA. Ideally, all of your devices should have the maximum security available.

  4. Apps you may have unwittingly authorized to access your Facebook and Instagram accounts to prevent unwarranted access to your personal information. Issues with third-party apps accessing users personal information on Facebook and Google were highlighted earlier this year.

The Greater Problem

Despite the efforts of Facebook, and Instagram to secure their services, the single biggest vulnerability of their services is that they are centralizing the storage of their users information in one place.

This means that regardless of the blocking techniques used to stop entry into their fortresses, once access is gained, everything becomes available. This characteristic of Facebook and other consumer Internet services that centralize information, make it a very high value target for cybercriminals and nation states who will over time, unwaveringly continue to attempt to gain unauthorized access to the information of individuals and companies that is hosted in Facebook's data centers.

Panwrypter

Panwrypter is an App that is designed from the ground up specifically for decentralizing the storage of sensitive documents and files, protecting them from unauthorized access over time, including data breaches, cyber-theft, unauthorized physical access, or simply losing or forgetting about the existence of your files.

Being designed specifically for decentralized protection, Panwrypter is loaded with options that can help provide you with the best possible protection, while regarding your existing storage habits, which might include apps such as Google Drive.

Specifically, it can help you to define a decentralized approach to protecting your documents & files, based on your lifestyle, while helping you to continue to use your existing storage media and services - the ones that you are already comfortable with.

In addition, Panwrypter can help you recover your files in the event that one or more of your protected volumes is damaged, control where your files can be physically restored from, and help you to safely remember the details of your storage sites when you need to access your files at a later time.

Learn more about Panwrypter, or download it from the Mac App Store.

Conclusion

Facebook has recently opened up to crypto and decentralized technologies, having recently formed a blockchain research group. This is discussed in an article by David Hamilton, originally posted on CoinCentral.com.

If you have any feedback, questions, or suggestions, please let us know.

Acknowledgements:
Photo by Tom Grimbert on Unsplash