3/18/2021
05:25 PM

Facebook Expands Security Key Support to iOS & Android

Facebook's announcement arrives the same week Twitter enabled support for multiple security keys on user accounts.

Facebook today announced global support for security keys on iOS and Android, underscoring a broader trend of social media companies expanding secure login options for high-risk accounts. 

A physical security key notifies its user when someone tries to access their account from an unfamiliar browser or device. Its use is encouraged for people at higher risk of being targeted by cybercriminals, such as public figures, politicians, human rights activists, and journalists.

Facebook has provided support for physical security keys on desktop since 2017; now, it's bringing that support to mobile. The news arrives as more people access Facebook via mobile devices in general, and especially the high-risk populations for whom security keys are designed.

"We see threat actors increasingly target high-value or highly targeted users, whether we're talking about journalists, activists, politicians or campaigns … to take them down, embarrass them, impersonate them, also to steal their information and use that to facilitate some type of influence operations," says Nathaniel Gleicher, Facebook's head of security policy. 

Many of these targeted communities live on mobile, and it's where they interact with Facebook most, Gleicher continues.

Among the target groups are senior government officials and senior company officials, he says, a sign that physical security keys should play a role in enterprise security. Cybercriminals after a specific individual will target not only their business accounts, but personal accounts as well. An attacker with access to a personal social media account can unearth sensitive information they could use to expose or blackmail the target or learn more details about their professional lives. 

"If you are a senior official at a company, if you are a senior official on a board, if you are a senior government official, remember that your personal accounts are just as likely to be targeted as your official ones," Gleicher says.

Ant Allan, research vice president for Gartner, says the company is seeing greater support for security keys among service providers, and more people are using them — though overall adoption is still niche. He says the greatest interest among clients is in FIDO2 security keys. Facebook supports the Universal 2nd Factor (U2F) protocol; FIDO2 is a further development of the U2F protocol.

"Our projection is that FIDO2 … will be increasingly significant over the next two to three years," Allan says. "Enterprise adoption will be significantly encouraged by Microsoft's support for FIDO2 in Windows 10 and Azure AD Premium."

Adoption of security keys may have increased, but their user base remains small. Physical security keys, while a strong form of protection, have the reputation of being difficult to use or intimidating for most everyday users. The goal of Facebook's announcement is not to get all people to adopt a security key but to make them more accessible to those at highest risk.

"The percentage of people that use security keys is always going to be a small percentage," Gleicher says. "It is a burden to use a security key; it is a choice that you make." Some might prefer two-factor authentication with an app-generated code or rely on a password manager.

"I do think it's important that people should adapt the security profile that makes the most sense for the risk that they face, and we don't need everyone to adapt security keys to call that a win," he adds.

How to Use It
Security keys can be bought directly from any company that makes them (Facebook doesn't) and used over Bluetooth or by plugging them directly into your phone. They can be enrolled in two-factor authentication by going to Settings > Security and Login. Facebook doesn't require a specific brand or implementation of key, and the same key can be used across multiple services.

What's Next for Physical Security Keys?
Facebook's news is a few months behind Twitter, which announced in December it was giving account holders the option to log in with a physical security key on Android and iOS, in addition to desktop. Twitter reported this week it will now provide the option to enroll and log in with multiple keys for both Web and mobile. Before, users were limited to one key per account. 

Soon, Twitter says users will have the option to add and use security keys as their only authentication method, without other methods turned on. 

"This is really important," says Allan of the option to exclusively use the security key to log in. "There's little point in investing in a robust authentication mechanism like FIDO2 (with or without security keys) if you leave [out-of-band] SMS switched on and available for an attacker to exploit." 
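The weakest-link point Allan makes can be checked mechanically: an account is only as strong as the weakest second factor still enabled on it. The following is an added example, not code from Facebook or Twitter; the factor names, the phishing-resistance ranking and the backup-key finding are this example's own assumptions.

```python
# Added example, not code from Facebook or Twitter: audit an account's
# enabled second factors for the weakest-link problem described above.
# Factor names and the ranking below are this example's own assumptions.
from dataclasses import dataclass, field

# Illustrative ranking, lower = weaker against account takeover:
# SMS codes can be intercepted or redirected, app codes can be relayed by a
# phishing page in real time, FIDO2/U2F assertions are bound to the origin.
RANK = {"sms": 1, "totp_app": 2, "fido2_key": 3}

@dataclass
class Account:
    name: str
    fallbacks: set = field(default_factory=set)  # enabled non-key factors
    security_keys: int = 0                        # enrolled FIDO2/U2F keys

def enabled_factors(account):
    """All second factors an attacker could be challenged with."""
    factors = set(account.fallbacks)
    if account.security_keys > 0:
        factors.add("fido2_key")
    return factors

def weakest_factor(account):
    """The factor an attacker would pick: the weakest one still enabled."""
    factors = enabled_factors(account)
    if not factors:
        return None
    return min(factors, key=RANK.__getitem__)

def audit(account):
    """Findings for an account; an empty list means a key-only setup."""
    findings = []
    if account.security_keys == 0:
        findings.append("no security key enrolled")
        return findings
    # Every weaker fallback left on drags the effective strength down to it.
    for factor in sorted(account.fallbacks, key=RANK.__getitem__):
        findings.append(f"{factor} still enabled, so effective strength is "
                        f"{RANK[factor]} not {RANK['fido2_key']}")
    # Going key-only with a single key trades phishing risk for lockout risk.
    if account.security_keys == 1:
        findings.append("only one key enrolled; add a backup key before "
                        "removing fallbacks or a lost key locks you out")
    return findings
```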

While much of the hype is around security keys, given the shift away from hardware tokens over the past 20 years, Gartner's projection is that FIDO2-enabled phones will be more common in the future. A FIDO2 internal authenticator will support access from the phone, and the FIDO2-enabled phone will serve as an external authenticator to support access from other devices.

"While a FIDO2 security key provides more confidence than a FIDO2 internal authenticator, it's not clear that that's justified for social media or for most enterprise use cases," Allan says. What's more, he adds, the cost of security keys could be a barrier to adoption, in addition to the inconvenience of having to carry a key at all times and the risk of losing it.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...