
MacRumors

macrumors bot
Original poster


Facebook has announced that starting today, users on iOS and Android will have the ability to log into their account with a hardware security key, bringing a more than three-year-old feature for the desktop to mobile devices.



Since 2017, Facebook has allowed users to use a hardware security key to access their accounts on desktops. Mobile users, however, have remained limited to protecting logins to their account with either an SMS verification code or an authentication app.

Hardware security keys are small, USB-shaped devices that require you to push a button, plug the key directly into your device, or tap it via NFC to verify your identity. Since hackers cannot obtain the physical key itself, it's deemed one of the safest security layers possible for online accounts.

Facebook says it encourages everyone to purchase a security key and add the extra security layer to their account. Setting up a security key is relatively straightforward; users can go to the Security and Login section of settings within Facebook for iOS and Android, select Security Key, and follow the on-screen prompts.

Article Link: Facebook for iOS and Android Gains Hardware Security Key Support
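The article says a security key is safe because an attacker cannot obtain the physical device, and the thread below argues about SMS and OTP codes versus U2F keys. The property that actually separates them is that a FIDO2/WebAuthn assertion is bound to the site's origin and to a one-time challenge, whereas an SMS or OTP code is just six digits that can be typed anywhere. The following is an added example, not code from the MacRumors article, from Facebook or from any security-key vendor: a dependency-free model of the registration and sign-in exchange with the relying-party checks. It assumes a real authenticator signs with an ECDSA P-256 key that never leaves the device; HMAC-SHA256 with a per-credential secret stands in for that signature, so the "verifier" the site stores is a shared secret rather than a public key. The origins (`facebook.com`, `faceb00k.example`) and the user name are constructed sample data.

```python
"""Added example (not from the MacRumors article or Facebook): stdlib-only
model of why a security-key login cannot be relayed through a phishing page
while an SMS/OTP code can. Assumption: HMAC-SHA256 with a per-credential
secret stands in for the authenticator's ECDSA signature; the origin,
rpIdHash, challenge and counter checks are the ones a relying party does."""
import hashlib
import hmac
import json
import secrets


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class SecurityKey:
    """The authenticator: each credential is bound to an rpId at registration."""

    def __init__(self):
        self._creds = {}  # credential id -> (rp_id, secret)
        self.counter = 0

    def register(self, rp_id: str) -> bytes:
        cred_id = secrets.token_bytes(16)
        self._creds[cred_id] = (rp_id, secrets.token_bytes(32))
        return cred_id

    def export_verifier(self, cred_id: bytes) -> bytes:
        # Real WebAuthn: the public key. HMAC stand-in: the shared secret.
        return self._creds[cred_id][1]

    def get_assertion(self, rp_id: str, cred_id: bytes, client_data_hash: bytes):
        # Only sign for the rpId the browser derived from the page origin;
        # a credential registered for facebook.com is unusable anywhere else.
        if cred_id not in self._creds or self._creds[cred_id][0] != rp_id:
            raise ValueError(f"no credential for rpId {rp_id!r}")
        self.counter += 1
        flags = b"\x01"  # UP bit: the physical button press / NFC tap
        auth_data = rp_id_hash(rp_id) + flags + self.counter.to_bytes(4, "big")
        sig = hmac.new(self._creds[cred_id][1], auth_data + client_data_hash,
                       hashlib.sha256).digest()
        return auth_data, sig


def browser_get(key: SecurityKey, origin: str, cred_id: bytes, challenge: str):
    """Models navigator.credentials.get(): the browser, not the page, writes
    the origin into clientData and derives the rpId from it (simplified to
    the host; real browsers also allow registrable-suffix rpIds)."""
    rp_id = origin.removeprefix("https://")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data, sig = key.get_assertion(rp_id, cred_id,
                                       hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id: str):
        self.rp_id, self.origin = rp_id, "https://" + rp_id
        self.users, self.pending = {}, {}

    def register(self, user: str, cred_id: bytes, verifier: bytes):
        self.users[user] = {"cred_id": cred_id, "verifier": verifier, "counter": 0}

    def new_challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def verify(self, user: str, client_data: bytes, auth_data: bytes, sig: bytes) -> str:
        u = self.users[user]
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return "bad type"
        if cd.get("challenge") != self.pending.pop(user, None):
            return "challenge mismatch"        # stale or replayed assertion
        if cd.get("origin") != self.origin:
            return "origin mismatch"           # signed on some other site
        if auth_data[:32] != rp_id_hash(self.rp_id):
            return "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return "no user presence"
        counter = int.from_bytes(auth_data[33:37], "big")
        if counter <= u["counter"]:
            return "counter did not increase"  # cloned authenticator?
        expected = hmac.new(u["verifier"], auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        u["counter"] = counter
        return "ok"


def _setup():
    key, rp = SecurityKey(), RelyingParty("facebook.com")
    cred = key.register(rp.rp_id)
    rp.register("alice", cred, key.export_verifier(cred))
    return key, rp, cred


def legitimate_login() -> str:
    key, rp, cred = _setup()
    return rp.verify("alice", *browser_get(key, rp.origin, cred, rp.new_challenge("alice")))


def phished_login() -> str:
    """A lookalike site relays the real challenge to the victim. The browser
    derives rpId 'faceb00k.example' from the page origin; the key holds no
    credential for it, so nothing is ever signed for the attacker."""
    key, rp, cred = _setup()
    challenge = rp.new_challenge("alice")  # the attacker fetched this from the real site
    try:
        browser_get(key, "https://faceb00k.example", cred, challenge)
    except ValueError as e:
        return f"key refused: {e}"
    return "unexpected: assertion produced"


def replayed_assertion() -> str:
    key, rp, cred = _setup()
    assertion = browser_get(key, rp.origin, cred, rp.new_challenge("alice"))
    rp.verify("alice", *assertion)
    return rp.verify("alice", *assertion)  # challenge already consumed


def sms_code_relay() -> bool:
    """Contrast: an SMS/OTP code carries no origin, so whatever the victim
    types into the lookalike page is exactly what the real site accepts."""
    code_sent_to_phone = f"{secrets.randbelow(10**6):06d}"
    typed_on_lookalike_site = code_sent_to_phone  # victim is fooled by the page
    return typed_on_lookalike_site == code_sent_to_phone  # attacker forwards it
```

The point the model makes concrete: the phishing site never even gets a signature, because the browser refuses to use a `facebook.com` credential from another origin, and a captured assertion is useless later because the challenge is single-use and the counter must increase. Neither protection exists for an SMS code, which is why the thread's complaints about SMS forwarding across devices are well founded.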
Wonder if it works with the mobile browser, since I avoid using the FB/Messenger apps? Surprised not many laptops or desktops have an NFC receiver. Google Pixel phones have Titan built in, which is equivalent to a YubiKey.
 
I absolutely loathe using my phone number and SMS for 2FA. At least Apple keyboards suggest these codes when you receive them, but separate OTP and U2F physical security keys are the best.

I'm sick of companies asking for my phone number when they don't provide a service relevant to phone functions.
 
Let me get this straight

You can log in to Facebook using a hardware key to protect your account and data,

but Facebook wants access to all your data, information etc. so they can carry out their business, while at the same time selling and allowing access to that data.

Easier to just drop Facebook.
 
I absolutely loathe using my phone number and SMS for 2FA. At least Apple keyboards suggest these codes when you receive them, but separate OTP and U2F physical security keys are the best.

If you have your Apple hardware set up to share SMS across devices, the sign-in device gets the text as well, kind of defeating the whole two-factor authentication if access is gained to the device.

The nice thing about physical keys, especially ones that do not require you to plug in, is the ability to keep them separate from the device. So for example if I am traveling and want to ensure access to certain programs / sites is not possible, I can leave the key at home; if I need access, one call gets me the code sent to the device.
I'm sick of companies asking for my phone number when they don't provide a service relevant to phone functions.

Google Voice is your friend. Set up a burner Gmail account with Google Voice and give out that number.
 
Sadly, using Facebook's hardware key will likely install malware (oops, I mean Facebook enhancements) and track you at the device level.

To quote Admiral Ackbar from "The Return of the Jedi": "It's a trap!"
That’s the silliest thing I’ve ever heard. Facebook doesn’t sell hardware keys. They are all third party, the most popular being YubiKey. Don’t let your paranoia stop others from protecting their accounts from hackers. 2 factor auth should be praised.

Whether you use Facebook or not, it’s a tool that is commonly targeted by hackers and scammers, and the more people protecting their accounts the better.
 
Wonder if it works with the mobile browser, since I avoid using the FB/Messenger apps? Surprised not many laptops or desktops have an NFC receiver. Google Pixel phones have Titan built in, which is equivalent to a YubiKey.
iPhones can use Face ID as a hardware key in Safari. I'm sure the same is true for the Pixel/Titan/Chrome combo. The main point of this article is that they've added the ability to use hardware keys for the native apps. It's existed on web for a while.
 
iPhones can use Face ID as a hardware key in Safari. I'm sure the same is true for the Pixel/Titan/Chrome combo. The main point of this article is that they've added the ability to use hardware keys for the native apps. It's existed on web for a while.

I'm considering a cross-platform solution using NFC, so something like Face ID won't work. Thinking of putting a flat YubiKey NFC fob in my wallet, then swiping the phone against my back pocket or the wallet against the laptop/desktop whenever I need to authenticate. For now I use a Google Voice # for SMS MFA, so a little more protected than naked carrier SMS MFA, but a YubiKey is probably even better.
 
Welcome to applications taking security seriously. I don't think that happened at the application level in the 1990s/2000s.
Much post-production software required hardware dongles back in the day; a patch was possible, but a key was officially supported. It is security for personal well-being; when the data is harvested by Fb itself and sold to advertisers, and information is shared and siphoned in the backend, then the security key is some pathetic attempt to portray Fb as a company looking to protect its users when in reality it is not.
 
Facebook allows you to log in with a hardware key... to then just leak most of that to third parties, me shakes head.
Guarantee once the key is re/inserted it will send back information such as location, etc.? What happens if the key is lost or spoofed or abused?
 
I’m sure this is yet another way for Facebook scum to track us. “Don’t worry, we would never use your mobile number submitted for 2-factor authentication for tracking or marketing purposes.” Liars….
 
That’s the silliest thing I’ve ever heard. Facebook doesn’t sell hardware keys. They are all third party, the most popular being YubiKey. Don’t let your paranoia stop others from protecting their accounts from hackers. 2 factor auth should be praised.

Whether you use Facebook or not, it’s a tool that is commonly targeted by hackers and scammers, and the more people protecting their accounts the better.

Perhaps. But they did abuse, after promising they wouldn't, numbers used for two-factor authentication. Went straight to their marketing and surveillance teams.

This is the thing about trust, especially trusting clearly morally bankrupt people like Zuck and Sheryl and companies like Facebook. If they can do it and get away with it, they will do anything.

So yes, this specific example is probably not correct. But that’s not the point. Sure, tobacco companies didn’t put lead in their products, but that’s not the point either. Facebook is the tobacco company of the digital age and cannot be trusted.
 
Making sure your data is inaccessible on Facebook is like hiring a security team to protect a 24/7 on-head camera broadcasting your life.

Hardware dongles for software is making a comeback, welcome back 1990s and early 2000s.

I didn't know this was a thing. I remember PC tower hard keys though, cylinder-like ones.
 
If you have your Apple hardware set up to share SMS across devices, the sign-in device gets the text as well, kind of defeating the whole two-factor authentication if access is gained to the device.

The nice thing about physical keys, especially ones that do not require you to plug in, is the ability to keep them separate from the device. So for example if I am traveling and want to ensure access to certain programs / sites is not possible, I can leave the key at home; if I need access, one call gets me the code sent to the device.

Google Voice is your friend. Set up a burner Gmail account with Google Voice and give out that number.
I understand that you defeat 2FA by using the SMS suggestions with Continuity, hence why I emphasized separate OTP (one-time password) and U2F (physical device) as being the best routes. I've seen several sites offer OTP codes to scan or copy and advertise Google Authenticator, but there are sooo many better alternatives like Authy.

I used to use Google Voice burners but issues arose when they deemed the numbers inactive and made me generate a new one after a period. But it was a really nice workaround, and it can be a solid practice if you only use Voice on devices you don't login from. I also generally use the least amount of Google services.
 