Account takeover is a serious problem for users of social platforms, especially sites such as Facebook that in many ways function as some people’s online identity. To help prevent attackers from usurping victims’ accounts, Facebook, Twitter, and other social media sites have added two-factor authentication to their login processes in recent years, but these systems typically require users to submit their phone numbers.
People have become increasingly resistant to registering their mobile numbers with apps and sites, thanks to a growing wariness of mobile spam and ad-based messages. With that in mind, Facebook has rolled out a change to the way its 2FA system works that lets users opt out of SMS as the second factor of authentication. Under the new system, users can instead rely on authenticator apps on their mobile devices.
“We previously required a phone number in order to set up two-factor authentication, to help prevent account lock-outs. Now that we have redesigned the feature to make the process easier to use third-party authentication apps like Google Authenticator and Duo Security on both desktop and mobile, we are no longer making the phone number mandatory,” Scott Dickens, a product manager at Facebook, said.
The change by Facebook is a simple but significant one. Authenticator apps such as Google’s generate one-time passwords on the device itself, from a secret shared with the site at enrollment, so no code ever has to be delivered over the carrier network; Duo Mobile lets people approve an attempted login with a single tap. These options are considered more secure than sending login codes over SMS for a variety of reasons, chiefly because text messages can be intercepted in a number of different ways.
From a privacy standpoint, using an authenticator app rather than SMS eliminates the possibility of users getting unwanted messages to their mobile devices from platform providers.
“Two-factor authentication is an industry best practice for providing additional account security. We continue to encourage enabling two-factor authentication to add an extra layer of protection to your Facebook account,” Dickens said.
Twitter has a similar 2FA system in place that allows users to choose between SMS messages or authenticator apps for login verification.