- Facebook will now support the addition and use of hardware security keys on iOS and Android apps.
- This is a big step towards stronger security, and people should embrace the option.
- Hardware keys come with their own set of complications, mostly revolving around losing them.
Facebook has announced that its mobile apps on iOS and Android now support physical security keys for account authentication. The social media platform has supported this tech on the desktop since 2017, so it took them a while to expand it to the mobile space, but it could be because there weren’t enough people asking for it until recently. Whatever the case, you can now set up and use a hardware security key on your Facebook app.
These USB-C or Bluetooth keys are meant to replace SMS codes or the authenticator app that provides one-time codes for secure logins. SMS is known not to be the safest method of two-factor authentication, so it should only be used when no other option is available.
Authenticator apps are better, but anyone who gets hold of your device can read the code and enter it in the app. Hardware keys are a lot more secure in the sense that the owner keeps them separate from the smartphone, maybe in a pocket or on a keychain.
If you own a security key, go ahead and set it up in the "Security and Login" section of the Facebook app’s settings menu. If you need more details about how that works and how to add one, check out the detailed guide on Facebook’s Help Center. In general, we strongly recommend that you secure your account with a security key, but there are some things to remember before you go ahead and buy one.
Being a physical dongle, these keys can get lost or stolen. In that case, if you haven’t set up a second key stored somewhere safe, you could get locked out of your account. Alternatively, you can set up a second 2FA method based on an authenticator app or SMS again.
When you set these up, though, you are again creating the potential for malicious access by someone who attempts to trick the system into falling back to these account recovery options. It still won’t be easy for the attacker, but it’s not as safe as relying solely on physical security keys.