Facebook apologizes for text spam for 2FA users; here's how to secure your account wisely

Discussion in 'privacy problems' started by ronjor, Feb 17, 2018.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
Facebook is one of the progressive security sites that offers and supports U2F, and does it very well. I don't use FB (very little anyway) but my spouse does. I set up U2F on her account so that only her specific device OR a U2F credential pass allows a sign in to the account. Even without the screw up on FB's end with texts, U2F is light years more secure and easier. That would be my recommended solution since the site is so advanced and supports the newest authentication! We already own multiple "encrypted chips" so there was no additional cost for the better security.

    Bonus: nobody can send "ads" to an encrypted chip, LOL!
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
@Palancar - one trouble with the relatively few sites that support U2F (I neither know nor care about FB) is that they also "demand" the phone number, nominally for SMS account recovery (in fact, to identify you). However, this of itself can destroy much of the good protection that you had with U2F to start with.

The trouble is, secure account recovery is quite hard when you have to cater for most people's record-keeping abilities and inclinations. My personal preference would be a secondary registered TOTP Authenticator recovery, because you can keep & replicate non-dongle based copies of the secrets, which you cannot with U2F.
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
Let me use my REAL NAME Gmail account as an example. It is full U2F, and my defined backup (for a lost/broken chip) is a "code list" kept in a safe place. Of course that "code list" was generated by Google's server for me as account holder. Without one of those I would be dead in the water! The code list is completely printed out and not on a hard disk anywhere in my house or on my mobile device. While Google has my phone number it is of no value in resetting my account, in theory. Also, if someone attempts to log in from a foreign device without U2F I get a text within seconds. I feel completely safe and secure. I do admit I would never use the same process for a pseudonym such as Palancar.

    Since almost all of the traffic on that Gmail account contains numerous links to my real name there would be no point in trying to anonymize who the email account holder really is --- ME. The same would be true for my wife's FB account and that U2F process.
     
    Last edited: Feb 19, 2018
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @Palancar - I think your setup is good, the way you've chosen to configure the options. From what I've seen, Google is one of the few that has a sufficient suite of options on this - possibly because they've been taking their own medicine.

    I like the printed OTP as a backup. That's OK.
     
  6. guest

    guest Guest

    Facebook’s new two-factor authentication process no longer requires a phone number
    You can use an authenticator app instead
    May 23, 2018

    https://www.theverge.com/2018/5/23/...actor-authentication-process-app-phone-number
     