Is Facebook’s Login Approvals a Setback for Mobility?

“Today, we’re announcing our newest opt-in security feature that I’ve worked to build over the past few months: Login Approvals.”

With that, Facebook announced Login Approvals, “…a Two Factor Authentication system that requires you to enter a code we send to your mobile phone via text message whenever you log into Facebook from a new or unrecognized computer.”

The idea behind the new feature is to help users combat unauthorized access, or the now infamous “I have been hacked” incidents that have plagued users of the social network. The new feature, which is currently optional, is expected to add a second layer of protection to users’ login process.

What exactly is it? Here is Facebook’s explanation of Login Approvals:

In essence, the process works in three steps:

  1. Turn on Login Approvals
  2. Confirm that you have access to the phone you are using
  3. Enter the security code you received from Facebook to confirm that “you are who you say you are”

In other words, if you want to avail yourself of this “Two-Factor” authentication, you have to, first, give Facebook your mobile phone number and, second, incur text message charges from your provider.

But the idea of treating this as a token-based two-factor authentication is a little misleading, and the explanation given by Facebook is very weak at best, to wit:

“…Similar features on other websites require you to download authentication apps or purchase physical tokens to act as your second factor”

That is not quite true. A couple of sites make you set up a static second factor, which could be numbers or an image that you have to enter or reference before final login. And you do not have to pay anything for it. Most online investment brokers provide this feature, which seems to work really well.

Then there is this bizarre claim that two-factor authentication as implemented by other websites “…require a lot from the user before being able to turn on the feature”. Again, not true. When you set up an account with most sites that offer two-factor authentication, you are made to create the second factor during the setup process, and it is a one-time deal until it is time to renew the password or “token”. Plus, how difficult can it be to enter a 5- or 6-digit preset or random PIN that expires at given intervals? There are even applications that users can install that will generate random tokens without opening up another attack vector – SMS spamming.

The second issue is: why are users being tied to a specific device or computer? There seems to be a tacit assumption that all Facebook users have their own computers, and that is clearly not the case. Some users access their accounts in multiple ways – a desktop in the morning, an internet café in the afternoon, and a different city in the evening. So what happens to people who traverse continents regularly and do not want to be gouged for “roaming charges”?

The weaknesses in this implementation have caused some critics to downgrade Login Approvals to “part-time” two-factor authentication, because once you have approved the browser instance you use to log in daily, it does not require execution of the second authentication until you have removed it from the list. Moreover, the user will be forced to re-authenticate from a different browser. So if you are like most people these days who use Chrome, Firefox, Opera and Internet Explorer on the same computer, albeit for different purposes, you will be doing a lot of authentication texting, which could be another headache for Facebook, as users may now have to deal with text hijacking by the “bad” guys. What happens if the database holding the phone numbers gets compromised? Don’t be surprised to see spam texters chomping at the bit for this scenario to play out.

Here’s the link to Facebook’s Login Approval announcement page.