Facebook's Two-Factor Authentication Doesn't Go Far Enough To Ensure User Safety Say Security Experts


This week, Facebook announced that it would make two-factor authentication (2FA) mandatory for high-risk accounts that are likely to be targeted by malicious hackers. Such accounts include those of human rights activists, politicians, journalists and others whom the company deems "at-risk."

Facebook told reporters this week that it had worked on making the enrollment and the use of two-factor authentication on its platform "as frictionless as possible for these groups of people by providing better user experience and support."

The 2FA program was first piloted by the social network in 2018 and was expanded ahead of the 2020 U.S. election in a bid to stop abuse and election interference from spreading across the platform. To date it has been enabled on more than 1.5 million accounts, according to Nathaniel Gleicher, head of security policy at Facebook's parent company, Meta.

It will be expanded to more than 50 countries by the end of the year, including the U.S., India, and Portugal, while a further expansion is planned for next year.

"So far, it's actually going very, very well," Gleicher told reporters. "We're seeing well over 90 percent of people successfully enabling ahead of that mandatory period."

Security experts have said this should be seen as a step in the right direction for ensuring that bad actors can't hijack an account on the social media platform. Yet more could be done.

"This is great news. The continued adoption of MFA (multi-factor authentication), even if forced, is a good thing. MFA significantly reduces the risk of some types of hacking attacks," Roger Grimes, data-driven defense evangelist at KnowBe4, explained via an email.

"While these measures are certainly warranted, they are just the beginning," added Purandar Das, co-founder and president at Sotero, an encryption-based security solutions company. "2FA is just about a basic and mandatory requirement for almost all platforms, although criminals have already demonstrated that 2FA via text messages is not very secure. Hijacked SIM cards have already been used to circumvent these measures. The addition of monitoring is probably just as important. Facebook still has a huge challenge on its hands given the size of its user base. The faster they roll out these measures, the more secure their user base will be."

For those reasons, 2FA/MFA shouldn't be seen as the final word in security. Users, especially at-risk users, need to monitor their devices and accounts and continue to follow best security practices.

"MFA is not the security defense panacea that many vendors and users think it is," explained Grimes. "Once an attacker is aware of the type of MFA being used, in 80-90 percent of cases, it becomes as trivial to hack or bypass as a password. In most cases, an attacker can send a phishing email to an MFA-using user and get around the protection of MFA like it was not even there."

That isn't to say that social media users shouldn't adopt 2FA/MFA.

"Everyone should use it when and where they can to protect valuable data," added Grimes. "But it is not like hackers and malware attacks are going away because MFA is being used. Quite the contrary. Companies that have been using MFA on large scales, long term, are nearly as likely to be compromised as companies that do not. How? Usually social engineering and unpatched software."

In other words, at-risk users will still need to be diligent about their security practices, including keeping their devices up to date and changing passwords frequently.
