The Universal 2nd Factor (U2F) standard designed by the Fast Identity Online (FIDO) Alliance gained Facebook as another important supporter.
Google became the first major technology company to embrace the U2F second factor authentication standard to its Chrome browser. Since then other players like GitHub, Dashlane, and more recently Dropbox have also implemented U2F authentication because of its security benefits and ease of use.
U2F relies on a USB hardware token, often called a security key, instead of codes sent via SMS or generated by mobile apps. The U2F token uses public key cryptography and operating system or browser-level APIs to identify you to the service you’re trying to access. The private key stays on the token, while the public key is sent to the company’s server, which allows you to access the service. This makes two-factor authentication much easier to use.
As we’ve mentioned before, because U2F isn’t that popular yet, virtually all services that have implemented it so far have also required users to add a phone number or use an authenticator app such as Google Authenticator or Authy. This can reduce the security strength of the U2F protocol to that of SMS or the authenticator app.
Facebook seems to ask for an SMS or authenticator app to be used as backup as well. However, it also allows users to save a list of pre-generated Recovery Codes that people can manually enter when requested, if they ever lose their security key. This would allow users to maintain the high security level of the U2F authentication method, as long as the codes are printed and stored in a safe place, not just saved as an image on their PC’s desktop.
Facebook U2F Support
Facebook’s U2F authentication is only supported in Chrome and Opera (which is based on Chromium) right now. Mozilla has promised U2F support for late 2016, but it looks like it has been delayed. Mozilla also plans to adopt a sister FIDO protocol that would allow users to replace their passwords, too, with a similar solution to U2F that uses public key cryptography. Microsoft’s Edge browser is expected to gain support for U2F in the first part of 2017.
Facebook said that U2F isn’t supported in its mobile app yet, but if users have an NFC-capable Android device and security key as well as Google’s Authenticator app, they could use them to authenticate via U2F to the mobile Facebook website.