Facebook is expanding its definition of “high-risk accounts” that will require the use of two-factor authentication to log on, in a move that mirrors broader trends across big tech platforms.
Users flagged as having high-risk accounts will be periodically reminded to enable two-factor authentication; after a time, they will be locked out of the platform until they enable it. The move adds to speculation that Facebook’s eventual plan is to require two-factor authentication for all of its users as it transitions into the “Meta” phase of its existence.
Two-factor authentication mandatory for Facebook Protect members
The move appears to apply to users who have enrolled in Facebook Protect, the platform’s optional enhanced security program meant for users at elevated risk of having their accounts breached. Some celebrities and other public figures, as well as users with sensitive jobs such as journalists and activists, are automatically enrolled in the program as a mandatory component of their Facebook use. Popular Facebook pages are also sometimes required to have their administrators and advertising accounts enable two-factor authentication.
For some, this system has to date consisted of a series of gentle reminders. Soon, these high-risk accounts will be locked out of Facebook until they get two-factor authentication up and running. Facebook says there will be a further period of reminders, but eventually enabling it will be mandatory in order to log in.
Facebook joins a number of other tech platforms in increasing the scope of required protections for high-risk accounts. There are reports floating around that Google started requiring some users to enable two-factor authentication on Android phones toward the beginning of November. Google had also previously announced in a blog post that it was planning on enrolling some 150 million users in two-factor authentication by the end of 2021. Amazon has additionally made it mandatory for all Ring smart camera users as of February 2020.
A good number of security experts see two-factor authentication becoming the norm for online accounts in the near future, a view shared by Alicia Townsend (Technology Evangelist at OneLogin): “This is definitely the direction all platforms are moving towards. Requiring MFA is like requiring people to use seat belts in their cars. We used to not require seat belts, and in fact many people protested against it, but since we began using them, millions of lives have been saved. If we simply required MFA for all logins, millions of breaches could be prevented as well.”
The push for multi-factor authentication beyond high-risk accounts
Google has stated that it eventually wants to roll out two-factor authentication to all of its users. A spokesperson for Facebook said that there are no current plans to make it mandatory for everyone, but that the company wants to move in that direction by first expanding it in “critical communities” where the potential consequences for a lack of security features are most serious.
The Facebook Protect service is still relatively new, introduced in 2018 ahead of the midterm elections. It is also still not available around the world; thus far it is only available in 12 countries, but the social network has said it aims to have it available in 50 by the end of the month and to add even more in 2022. Facebook estimates that about 4% of its global users currently have it enabled. However, its internal testing indicates that over 90% of high-risk accounts will enroll in it once it is made mandatory.
While Facebook did not cite specific issues in expanding its rollout of the Protect program, Google has said that expansion of two-factor authentication has been slowed by areas of the world where users do not have reliable access to a second means of verification. The company only enrolls accounts that have a recovery measure such as a backup email address or an SMS-capable phone listed as an emergency access option.
Those are not the only potential issues with two-factor authentication. It should not be seen as a surefire mechanism, particularly when the second factor involves a phone. If the phone is lost or stolen, for example, that can have the knock-on effect of also keeping the user locked out of their various online accounts until they regain access to it. There is also the issue of SIM swap attacks, in which an attacker persuades the mobile carrier (usually by social engineering or an insider) to move the victim’s phone number onto a SIM card the attacker controls, so that SMS codes are delivered to the attacker without any physical access to the victim’s phone; in terms of remote hacking, this is one of the most common ways of defeating SMS-based two-factor authentication. One-time codes have also been stolen via social engineering, in which the victim is simply talked or phished into reading the code to the attacker, an approach very recently seen with attacks on the Zelle payment service that were used to directly empty the bank accounts of victims.
Security experts generally recommend a physical method of two-factor authentication, particularly for high-risk accounts likely to be targeted by advanced nation-state hackers. This level of enhanced security would mean a hardware security key (such as a USB key), or even unlocking via a biometric measure such as a face scan or thumbprint. Even these are not failsafe, still potentially compromised by loss of a key or the copying and reconstruction of biometric elements, but they do make it much harder on a hacker.
But Roger Grimes, Data-Driven Defense Evangelist for KnowBe4, reiterates a view that is also common among experts: any manner of two-factor authentication is better than no manner at all, and will substantially cut down on security incidents: “This is great news. The continued adoption of MFA, even if forced, is a good thing. MFA significantly reduces the risk of some types of hacking attacks. With that said, MFA is not the security defense panacea that many vendors and users think it is. Once an attacker is aware of the type of MFA being used, in 80-90% of cases, it becomes as trivial to hack or bypass as a password. In most cases, an attacker can send a phishing email to an MFA-using user and get around the protection of MFA like it was not even there. MFA is not a bad thing. It is the opposite. Everyone should use it when and where they can to protect valuable data. But it is not like hackers and malware attacks are going away because MFA is being used. Quite the contrary. Companies that have been using MFA on large scales, long term are nearly as likely to be compromised as companies that do not. How? Usually social engineering and unpatched software.”
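To make concrete why the experts quoted above treat phone and app one-time codes as phishable but recommend hardware keys for high-risk accounts, here is an added illustration (written for this page; it is not code from the article, from Facebook, or from any of the companies named). It implements the standard RFC 4226/6238 one-time-code algorithm and shows that a code phished from the victim is still valid when the attacker relays it to the real site within the time window, whereas a hardware-key style login, where the authenticator signs the server’s challenge together with the web origin the browser is really on, produces a signature the real site rejects when the challenge was relayed through a lookalike domain. The shared secret, the device key, the two origins and the HMAC stand-in for the key’s asymmetric signature are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by the "real site" and the user's authenticator app.
TOTP_SECRET = b"constructed-demo-totp-secret"
# Constructed stand-in for a hardware key's device-resident private key.
DEVICE_KEY = b"constructed-device-resident-key"

REAL_ORIGIN = "https://login.example.com"            # assumed real site
PHISH_ORIGIN = "https://login-example.com.phish.test"  # assumed lookalike


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at_time) // step, digits)


def site_accepts_otp(code: str, at_time: int, secret: bytes = TOTP_SECRET) -> bool:
    """Server-side check. Like most deployments it tolerates one step of clock skew either way."""
    counter = int(at_time) // 30
    return any(hmac.compare_digest(code, hotp(secret, c)) for c in (counter - 1, counter, counter + 1))


def phish_otp(at_time: int, relay_delay: int = 5) -> bool:
    """Real-time relay: the phishing page asks the victim for the current code and the attacker
    forwards it to the real site a few seconds later. Nothing in the code binds it to where it was typed."""
    victim_code = totp(TOTP_SECRET, at_time)        # victim reads this off their phone into the fake page
    return site_accepts_otp(victim_code, at_time + relay_delay)


def authenticator_sign(challenge: bytes, origin: str, key: bytes = DEVICE_KEY) -> bytes:
    """Hardware-key style assertion. The browser supplies the origin it is actually on, and the
    authenticator binds it into the signed data. Real FIDO2/WebAuthn keys sign authenticatorData
    plus a hash of client data (which carries the origin) with an asymmetric key; HMAC stands in here."""
    return hmac.new(key, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()


def site_verifies_assertion(challenge: bytes, signature: bytes, key: bytes = DEVICE_KEY) -> bool:
    """The relying party verifies against the origin it expects, not whatever the client claims."""
    expected = authenticator_sign(challenge, REAL_ORIGIN, key)
    return hmac.compare_digest(signature, expected)


def phish_hardware_key(challenge: bytes) -> bool:
    """Same relay attack: the attacker fetches a real challenge and has the victim's browser sign it on
    the lookalike origin. The origin baked into the signature no longer matches, so the real site rejects it."""
    relayed_signature = authenticator_sign(challenge, PHISH_ORIGIN)
    return site_verifies_assertion(challenge, relayed_signature)


if __name__ == "__main__":
    now = 1_700_000_000
    print("RFC 4226 test vector, counter 0:", hotp(b"12345678901234567890", 0))
    print("Phished TOTP code accepted by real site:", phish_otp(now))
    print("Relayed hardware-key assertion accepted:", phish_hardware_key(b"server-challenge"))
```

The point of the two halves is not the cryptography but what gets signed: a six-digit code is the same wherever the user types it, so a relay in real time defeats it, while an origin-bound assertion only verifies for the site the user was actually on. SIM swapping attacks the delivery channel of the code rather than the code itself, and the same relay logic applies once the attacker receives the SMS.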