Facebook's Intentional Security Fail... or: How Not To Do Two-Factor Properly
In the wake of "The Fappening" and various other security breaches in recent news, two-factor authentication has become much more popular as a way to defend against theft of passwords or session cookie data. I have some form of two-factor auth enabled on every site I use which offers it, save one: Facebook.
Not too long ago, Facebook introduced a form of two-factor authentication using mobile phone SMS verification, under the name "Login Approvals". There's just a little nagging problem: to enable the feature, you're required to stay persistently logged in to Facebook on at least one system. If your browser is set to clear cookies on exit (or forces cookies to session-only rather than persistent), Facebook prevents you from enabling the feature, with a pop-up message reading: "Your current <browser> settings might make it hard to use Login Approvals. It's probably because: - You sometimes clear your cookies." Like, duh!?
Yes, dear, I do have my browser set to clear cookies on exit. This is a security measure!
I want to ensure that a fresh browser session requires that I login again, every time. If someone happens to be able to access the GUI console on my laptop, I don't want any site to sit there, already logged in, just waiting to be accessed.
This defeats the whole purpose of two-factor authentication. Further, it flies in the face of Facebook's internal IT systems security, which makes use of +Duo Security's strong two-factor system every day. Internally, Facebook does the right thing -- externally, it fails miserably.
I can only guess that this restriction exists to nudge folks into leaving Facebook's Internet tracking cookie enabled when not actively using the site itself. Besides being insulting to security-conscious people, this braindead prerequisite for enabling two-factor auth shows that Facebook still only provides lip service to the concept of security.
And I would bet a good $20 that the marketing spin behind this requirement is something along the lines of "Users at home could be confused by having to enter security codes every time they use Facebook".
Yeah, screw that. #Facebook, you're doing IT wrong. Try again. #TwoFactorAuth #Security #Fail