Facebook announced support for physical security keys with certain web browsers and mobile devices.
Security engineer Brad Hill said in a Facebook Security note that the option is an alternative to the two-factor authentication method Facebook currently offers, in which users receive security codes for login approvals via text message. He wrote:
Starting today, you can register a physical security key to your account so that the next time you log in after enabling login approvals, you’ll simply tap a small hardware device that goes in the USB drive of your computer. Security keys can be purchased through companies like Yubico, and the keys support the open Universal 2nd Factor (U2F) standard hosted by the FIDO Alliance.
Security keys for Facebook logins currently only work with certain web browsers and mobile devices, so we’ll ask you to also register an additional login approval method, such as your mobile phone or Code Generator. To add a security key from your computer, you’ll need to be using the latest version of Chrome or Opera. At this time, we don’t support security key logins for our mobile Facebook application, but if you have an NFC-capable Android device with the latest version of Chrome and Google Authenticator installed, you can use an NFC-capable key to log in from our mobile website.
Hill also outlined the benefits of using security keys for two-factor authentication:
- Phishing protection: Your login is practically immune to phishing because you don’t have to enter a code yourself and the hardware provides cryptographic proof that it’s in your machine.
- Interoperable: Security keys that support U2F don’t just work for Facebook accounts. You can use the same key for any supported online account (e.g., Google, Dropbox, GitHub, Salesforce), and those accounts can stay safe because the key doesn’t retain any records of where it is used.
- Fast login: If you use a security key with your desktop computer, logging in is as simple as a tap on the key after you enter your password.
Readers: Would you consider using a physical security key to log in to Facebook?