
FOR YEARS, FACEBOOK has given its users the option of protecting their accounts with two-factor authentication. Soon, the platform’s highest-risk users will no longer have a choice: The social network will require them to lock up their profiles with more than just a password. Good.

Facebook’s parent company, Meta, has required since last year that advertising accounts and administrators of popular pages turn on two-factor. It’s not the only platform taking this step; in May, Google announced a move toward making two-factor authentication the default for all of its users. And while Meta says that its current initiative applies only to the politicians, activists, journalists, and others enrolled in its Facebook Protect program, this seems like a sort of test for figuring out how to make 2FA as easy as possible for everyone to turn on. Meta is also working to make sure it can help troubleshoot any related issues that may arise for users around the world.

“We aren’t planning currently on rolling it out to everyone, but we can slowly expand within the communities where it’s most critical—communities where people could be most targeted and where the consequences would be most significant,” Meta’s head of security policy, Nathaniel Gleicher, told reporters ahead of the announcement.

Facebook Protect started as a pilot project in the United States ahead of the 2018 midterm elections and expanded leading up to the 2020 presidential election. Facebook enrolls some prominent public figures in the program automatically, but the company has also been creating mechanisms for people to nominate themselves for inclusion, like enrolling whole newsrooms. Once users join Facebook Protect, they can’t opt out.

Protect’s global rollout began in September, and Meta currently offers it in 12 countries, including India, the Philippines, and Turkey. The program has more than 1.5 million enrollees, including close to 950,000 who first enabled two-factor authentication as a result of the mandate. Gleicher says the company will offer Protect in 50 countries by the end of the year, with more to come in 2022, like Myanmar and Ethiopia. In addition to mandating two-factor authentication, Facebook Protect offers additional automated monitoring and scanning on enrolled accounts.

Though Google is the consumer tech company pursuing mandatory two-factor use most aggressively, others have taken smaller steps. Amazon’s Ring smart camera company mandated two-factor for its few million customers in early 2020 after a wave of break-ins on Ring accounts. And in 2018, Twitter debuted prompts to encourage candidates to turn on two-factor authentication. The social network said in July that only 2.3 percent of its users have enabled two-factor authentication.

Facebook revealed ahead of the announcement that only about 4 percent of Facebook’s monthly active users worldwide have adopted two-factor authentication.

“Two-factor has historically been underutilized across the internet, even by people who are most targeted by malicious hackers, despite it being one of the best available protections against account compromise,” Gleicher said. “To help drive wider enrollment in 2FA we all need to go beyond raising awareness or encouraging enrollment. But we also have to make sure that people around the world, including in areas where people have limited or restricted access to the internet or smartphones, like large parts of the global south, can continue to access these platforms.”

Usability and access issues are important to work out slowly and deliberately, Gleicher says, because his team has made the decision to stand firm on mandatory two-factor for Facebook Protect. Users can choose to enable the additional defense using a number of second-factor options, including authentication apps and physical security keys. Accounts enrolled in the program will receive numerous prompts over time to enable the protection, but if account owners don’t turn it on they will eventually lose access until they do.

“I think it’s very reasonable for companies to make a risk-based business decision to require 2FA for certain things,” says Jim Fenton, an independent identity privacy and security consultant. “Services should continue to look at authentication risks and require 2FA where needed. Hopefully this includes enough consideration of the risks to the user and not just to the service itself.”