Facebook now lets you lock down logins with a key

Relying on a password alone just doesn't cut it. That's why the social media giant wants you to pack some hardware.

Laura Hautala

Yubico's FIDO U2F Security Key. Could this be how you'll be letting yourself into Facebook?


If you're worried someone's trying to hack into your Facebook account, now you can lock it up with a key.

On Thursday, the social media giant said it would let users link a hardware token to their accounts. When you log in from a new browser or geographic region, you plug the piece of hardware into a USB port and give it a tap. That's enough to convince Facebook you are who you say you are.

It's a highly regarded, if not very common, form of two-factor authentication -- a security measure that adds a second check to your logins beyond your password.

"We use similar technology to protect our internal assets here at Facebook," said Brad Hill, a security engineer at Facebook. "We find it to be convenient and highly secure."

The update makes Facebook one of the first major social media services to give users this option. It also comes at a time when savvy users are exploring their options for keeping hackers out of their accounts.

Locking your accounts with passwords alone isn't the most secure choice out there. First of all, many of us are terrible at it, employing the same easy-to-guess passwords across multiple accounts. But even if you're using unique, complex passwords for every account in your name, you could still fall victim to a hacker's ploy to steal your password.

(If you're ready to get more secure, here's a list of the two-factor authentication options offered by popular web services, and a guide to using them.)

While Facebook does its best to analyze your location and other signals before accepting your password, setting up two-factor authentication is an "affirmative" way to secure your own account, Hill said.

But a hardware token? Surely, you say, there must be options that don't require you to carry something around. Not really -- most of them rely on you having your smartphone handy. That's not always possible or convenient.

What's more, those methods tend to rely on you putting in a one-time code, and Hill said there's always a chance you could fall prey to "a really sophisticated phishing attack," entering that code into a phony website where hackers could scoop it up and use it to log into your account.

The National Institute of Standards and Technology announced in July that one of the most common forms of two-factor verification -- an SMS text message with a one-time code -- was no longer up to snuff.

The hardware token, sold commercially under the YubiKey, Nitrokey and other brand names, is a tiny doodad packed with cryptographic power. You'll need to go to the trouble of connecting it to each of your accounts -- those that allow it, that is. But once you do, Hill said, the device will send your credentials only to the legitimate site.

"There are no mistakes you can make as an end user," Hill said.
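To show why a one-time code can be phished but a key's response cannot be reused by another site, here is an added example (not Facebook's or Yubico's code) that models the U2F sign step in a simplified form. Real keys sign with a per-site ECDSA key pair; an HMAC with a secret held by the token stands in for that signature here, and the site, origin and challenge values are all constructed for the demonstration.

```python
import hashlib, hmac, json, secrets

# Added example, not Facebook's or Yubico's code: a simplified U2F sign step.
# Real keys sign with a per-site ECDSA key pair; an HMAC with a token-held
# secret stands in for that here. Site, origin and challenge values are constructed.

APP_ID = "https://www.facebook.com"  # the origin the key is enrolled for


class SecurityKey:
    """Models a U2F token holding one secret per registered app ID."""
    def __init__(self):
        self._keys = {}

    def register(self, app_id):
        self._keys[app_id] = secrets.token_bytes(32)
        return self._keys[app_id]  # stands in for the public key given to the site

    def sign(self, app_id, client_data):
        msg = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(self._keys[app_id], msg, hashlib.sha256).digest()


def browser_assertion(key, origin, challenge):
    """The browser, not the web page, writes the true origin into the signed data."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    return client_data, key.sign(APP_ID, client_data)


def server_verify(verify_key, challenge, client_data, signature):
    """Site side: reject a wrong origin or stale challenge, then check the signature."""
    data = json.loads(client_data)
    if data.get("origin") != APP_ID or data.get("challenge") != challenge:
        return False
    msg = hashlib.sha256(APP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(verify_key, msg, hashlib.sha256).digest(), signature)


def demo():
    key = SecurityKey()
    verify_key = key.register(APP_ID)       # enrollment, done once
    challenge = secrets.token_urlsafe(32)   # fresh per login, issued by the site
    # 1. Genuine login from www.facebook.com.
    cd, sig = browser_assertion(key, APP_ID, challenge)
    legit = server_verify(verify_key, challenge, cd, sig)
    # 2. A look-alike site forwards the real challenge; the browser records the
    #    look-alike origin, so the site rejects the response (unlike a typed-in code).
    cd2, sig2 = browser_assertion(key, "https://look-alike.example", challenge)
    relayed = server_verify(verify_key, challenge, cd2, sig2)
    # 3. Editing the origin field afterwards breaks the signature instead.
    forged = cd2.replace(b"https://look-alike.example", APP_ID.encode())
    tampered = server_verify(verify_key, challenge, forged, sig2)
    return legit, relayed, tampered   # → (True, False, False)
```

Real browsers add a further check not modelled here: they refuse to let a page request a sign-in for an app ID that does not belong to its own origin.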
