Facebook this week announced that two-factor authentication (2FA) will be a mandatory requirement for high-risk accounts likely to be targeted by hackers. This would apply to accounts belonging to journalists, human rights activists, and politicians.
Facebook told reporters this week that its team was working on making enrollment in and use of two-factor authentication as frictionless as possible for these groups by offering better support and user experience.
2FA was piloted for the first time by Facebook in 2018. It was extended ahead of the 2020 U.S. election to prevent abuse and interference from spreading on the platform. Nathaniel Gleicher, who works on security policy at Facebook’s parent company Meta, said it has been activated on over 1.5 million accounts.
The network will soon be extended to over 50 countries, including the United States, India and Portugal. A further expansion is also planned for next year.
Gleicher stated that so far it is going well. “We are seeing over 90% of individuals enabling before the mandatory period.”
This should be viewed as an important step to ensure that no bad actor can hijack an account via social media. Security experts agree. But there is more to be done.
“It is wonderful news. MFA (multifactor authentication) is something that should be continued, even though it may have to be forced. MFA dramatically reduces some hacking attacks,” Roger Grimes, data-driven defense evangelist at KnowBe4, explained via email.
Purandar Das, co-founder of Sotero (an encryption-based security company), stated, “While these steps are definitely warranted, they are only the beginning.” 2FA is a mandatory and basic requirement on almost all platforms. Criminals know that text message 2FA is not secure, and they have proven it. These measures have been circumvented by hacking SIM cards. Monitoring is likely to be just as crucial. Facebook has an enormous task ahead of it, given its huge user base. These measures will become more secure the faster they implement them.
For those reasons, 2FA/MFA shouldn’t be seen as the final word in security, and users – especially at-risk users – need to monitor their devices and accounts, and continue to maintain the best security practices.
Grimes stated that MFA does not provide security protection. In 80 to 90 percent of cases an attacker will know the MFA used. It becomes trivial for them to bypass it or hack their passwords. An attacker can send a phishing email to MFA users and circumvent the protection.
However, this doesn’t mean that social media users shouldn’t adopt 2FA/MFA.
Grimes stated that everyone should make use of it whenever and wherever possible to safeguard valuable data. “MFA has not been eliminated from the internet, but hackers and malware attacks haven’t disappeared. It is quite the opposite. MFA is as susceptible to being compromised by companies who use it on a long-term basis at large scales as those that don’t. How? Most often, it’s social engineering or unpatched code.”
This means that at-risk users still have to practice security precautions, such as keeping their devices updated and changing their passwords regularly.