Facebook today announced global support for security keys on iOS and Android, underscoring a broader trend of social media companies expanding secure login options for high-risk accounts.
A physical security key is a hardware second factor: once it is enrolled, Facebook asks for the key whenever someone tries to log in to the account from an unfamiliar browser or device, so a stolen password alone is not enough to get in. Its use is encouraged for people at higher risk of being targeted by cybercriminals, such as public figures, politicians, human rights activists, and journalists.
Facebook has supported physical security keys on desktop since 2017; now it is bringing that support to mobile. The news arrives as more people access Facebook from mobile devices in general, and especially the high-risk populations for whom security keys are designed.
"We see threat actors increasingly target high-value or highly targeted users, whether we're talking about journalists, activists, politicians or campaigns … to take them down, embarrass them, impersonate them, also to steal their information and use that to facilitate some type of influence operations," says Nathaniel Gleicher, Facebook's head of security policy.
Many of these targeted communities live on mobile, and it's where they interact with Facebook most, Gleicher continues.
Among the target groups are senior government officials and senior company officials, he says, a sign that physical security keys should play a role in enterprise security. Cybercriminals after a specific individual will target not only their business accounts, but personal accounts as well. An attacker with access to a personal social media account can unearth sensitive information they could use to expose or blackmail the target or learn more details about their professional lives.
"If you are a senior official at a company, if you are a senior official on a board, if you are a senior government official, remember that your personal accounts are just as likely to be targeted as your official ones," Gleicher says.
Ant Allan, research vice president for Gartner, says the company is seeing greater support for security keys among service providers, and more people are using them, though overall adoption is still niche. He says the greatest interest among clients is in FIDO2 security keys. Facebook supports the Universal 2nd Factor (U2F) protocol; FIDO2 is the successor to U2F, and existing U2F keys continue to work with FIDO2-capable services.
"Our projection is that FIDO2 … will be increasingly significant over the next two to three years," Allan says. "Enterprise adoption will be significantly encouraged by Microsoft's support for FIDO2 in Windows 10 and Azure AD Premium."
Adoption of security keys may have increased, but their user base remains small. Physical security keys, while a strong form of protection, have the reputation of being difficult to use or intimidating for most everyday users. The goal of Facebook's announcement is not to get all people to adopt a security key but to make them more accessible to those at highest risk.
"The percentage of people that use security keys is always going to be a small percentage," Gleicher says. "It is a burden to use a security key; it is a choice that you make." Some might prefer two-factor authentication with an app-generated code or rely on a password manager.
"I do think it's important that people should adapt the security profile that makes the most sense for the risk that they face, and we don't need everyone to adopt security keys to call that a win," he adds.
How to Use It
Security keys can be bought from any company that makes them (Facebook does not sell one) and used over Bluetooth or by plugging the key directly into the phone. To enroll a key as a two-factor method, go to Settings > Security and Login. Facebook doesn't require a specific brand or implementation of key, and the same key can be used across multiple services. Because the key is a physical object that can be lost, keep a backup second-factor method enrolled so a lost key does not lock you out of the account.
What's Next for Physical Security Keys?
Facebook's news is a few months behind Twitter, which announced in December it was giving account holders the option to log in with a physical security key on Android and iOS, in addition to desktop. Twitter reported this week it will now provide the option to enroll and log in with multiple keys for both Web and mobile. Before, users were limited to one key per account.
Soon, Twitter says users will have the option to add and use security keys as their only authentication method, without other methods turned on.
"This is really important," says Allan of the option to exclusively use the security key to log in. "There's little point in investing in a robust authentication mechanism like FIDO2 (with or without security keys) if you leave [out-of-band] SMS switched on and available for an attacker to exploit."
While much of the hype is around security keys, given the shift away from hardware tokens over the past 20 years, Gartner projects that FIDO2-enabled phones will be more common in the future. A FIDO2 internal (platform) authenticator built into the phone supports access from the phone itself, and the same phone can serve as an external (roaming) authenticator to support access from other devices.
"While a FIDO2 security key provides more confidence than a FIDO2 internal authenticator, it's not clear that that's justified for social media or for most enterprise use cases," Allan says. What's more, he adds, is the cost of security keys could be a barrier to adoption, in addition to the inconvenience of having to carry a key all the time and run the risk of losing it.