
SANS ISC: Facebook goes two-factor SANS ISC InfoSec Forums

Facebook goes two-factor

Facebook is now offering a new feature called "Login Approvals". I call it a part-time two-factor authentication mechanism. Andrew Song of Facebook states: "Login approvals is a Two Factor Authentication system that requires you to enter a code we send to your mobile phone via text message whenever you log into Facebook from a new or unrecognized computer." [1]

I have downgraded it to "part-time" because once you have approved the browser instance you use to log in daily, it does not require execution of the second authentication until you have removed it from the list. I clarify "browser" because you will be forced to re-authenticate from a different browser.

On the upside, however, it is an easy and ubiquitous solution that many people are inclined to incorporate in order to protect their Facebook account. "Login Approvals" can be turned on in the "Account Security" section on the Settings tab of your Facebook Account Settings.

[1] https://www.facebook.com/note.php?note_id=10150172618258920


Kevin Shortt
--
ISC Handler on Duty

Kevin Shortt

82 Posts
ISC Handler
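The "part-time" behaviour described in the post, as an added example (not Facebook's code and not part of the original diary): a minimal model in which a browser that has passed one SMS code is remembered through a random cookie token until it is removed from the approved list. The class and method names, the cookie-token scheme and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class LoginApprovals:
    """Toy model of remembered-browser two-factor login for one account."""

    def __init__(self, password):
        self._password = password
        self._approved = {}        # sha256(device token) -> browser label
        self._pending_code = None  # one-time code that would be sent by SMS

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, password, device_token=None):
        """Return 'ok' for a recognized browser, 'code_required' otherwise."""
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            return "denied"
        if device_token and self._digest(device_token) in self._approved:
            return "ok"  # second factor skipped: the "part-time" property
        self._pending_code = f"{secrets.randbelow(10**6):06d}"
        return "code_required"

    def approve(self, code, label):
        """Check the SMS code; on success return a token for the browser cookie."""
        expected, self._pending_code = self._pending_code, None  # single use
        if expected is None or not hmac.compare_digest(code.encode(), expected.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self._approved[self._digest(token)] = label  # only the hash is stored
        return token

    def remove_browser(self, label):
        """Drop a browser from the approved list, forcing a new code next time."""
        self._approved = {d: l for d, l in self._approved.items() if l != label}


def demo():
    pw = "constructed-password"  # constructed sample value
    acct = LoginApprovals(pw)
    steps = [acct.login(pw)]                             # new browser
    cookie = acct.approve(acct._pending_code, "laptop")  # user types the SMS code
    steps.append(acct.login(pw, cookie))                 # same browser, cookie kept
    steps.append(acct.login(pw))                         # cookies cleared or other browser
    acct.remove_browser("laptop")
    steps.append(acct.login(pw, cookie))                 # removed from the list
    return steps
```

Calling `demo()` walks through the four cases in the post and the comments: first login, approved browser, cleared cookies or a different browser, and a browser removed from the list.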
This means that I should trust Facebook and give them my mobile phone number. I really am not in the mood considering that they could share information with partners/advertisers. Why don't they offer the possibility to receive an email instead of an SMS?
Anonymous
IMHO, it is their way of making sure persons using facebook are only using one (1) account.
I will also *not* provide my mobile number, unless they state in black and white that they will pay a grand sum of money in case the user finds out their info has been passed to any other entity than facebook.com's own system.
©TriMoon™

6 Posts
"whenever you log into Facebook from a new or unrecognized computer" What a great idea, especially if you clear cookies, cache etc. by closing the browser. So after every restart of your browser Facebook doesn't recognize you and you get a text. Wohoo! Hopefully Facebook pays the bill...
©TriMoon™
2 Posts
I think this is a good step--maybe not for the most paranoid or protective, but those aren't the ones getting their Facebook hacked in the first place. The people this really helps already have their phone number plastered all over the internet.
blm

3 Posts
"in order to stop us from losing your personal information, give us more personal information" - what could possibly go wrong?
blm
2 Posts
Just use a prepaid card for this, that way your 'real' number is safe from them :)
blm
3 Posts
