Facebook has never seemed to have a particularly friendly relationship with security and privacy. After all, the more Facebook knows about you, the more the company can profit from the social graph. But while the company has implemented some fine security features for users, the way they present them leaves a lot to be desired.
Take two-factor authentication, which is what we'll discuss in depth in this article. Facebook actually supports multiple second factors (text messaging, its own apps, voice calls, third-party apps). But getting to them is less than obvious and, in some cases, requires you to sacrifice some personal security to gain some Facebook account security.
Also, since Facebook does have so many authentication options for the second factor (after you type in your user name and password), it seems a shame that they don't let the authentication factors stack, so those who need more security could have three-factor authentication.
In exploring Facebook authentication, I discovered two problems. The first I consider just plain uncool. Facebook requires you to enter your actual mobile number into your Timeline in order to receive authentication codes via text message. They also require you to tell the authentication system your mobile number, but until it's part of the Timeline, they won't text you. That's nasty, a possible security flaw, and just unnecessary.
Second, Facebook has built its own second-factor authenticator into its app. You can generate a Facebook authentication code from the Code Generator section of the Facebook app. The fatal flaw? That means that the Facebook mobile apps don't have second-factor authentication. They are the authentication. That's a huge security issue, and I strongly advise Facebook to add two-factor authentication to their mobile apps as well.
In any case, before we get started, I wanted to share with you a post that showed up on my Timeline just as I was about to work on this story:
Can you spell "irony"? Sure. I knew you could. Now, let's get started with the real work.
First and second factor
The first factor in Facebook authentication is your user name and password. If you have not changed it since Heartbleed came to the surface, you should, as my ZDNet colleague Steven J. Vaughan-Nichols recommends.
By the way, I'm going to do one of these tutorials for Twitter and another for Google/Gmail. Stay tuned. They'll be ready in the next few days.
The first factor is something you know, in this case your user name and password. The second factor is something you have: in this case your phone or app-running tablet.
As a second factor, we're going to look at setting up authentication using the Facebook app itself, as well as by setting up text message confirmations. Unfortunately, the way Facebook handles setting up second-factor authentication makes certain assumptions about how you have already set up your account. If you, like me, don't follow the norm, things get funky quickly.
As a result of that experience, I'm going to take you through what may seem like a rather odd procedure for setting up two-factor authentication, but it will help you get around some of the obstacles I ran into.
Download the app first
I'll take you through this process for iPhone and Android phones. Before I get started, please go to the iTunes store or the Google Play store and download the official Facebook app and sign in. Make sure you do this before we go through the rest of the steps. It will be far easier this way.