All posts in “2fa”

Facebook didn’t mean to send spam texts to two-factor authentication users

Facebook Chief Security Officer Alex Stamos apologized for spam texts that were incorrectly sent to users who had activated two-factor authentication. The company is working on a fix, and you won’t receive non-security-related text messages if you never signed up for those notifications.

Facebook says it was a bug. But calling it a bug is a bit too easy — it’s a feature that was badly implemented, and it’s clear that Facebook has been treating all phone numbers the same way. It doesn’t matter whether you added your phone number for security reasons or to receive notifications; Facebook put all of them in the same bucket. That’s poor design, not a bug.

“It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused,” Stamos wrote. “We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug.”

And yet, this is particularly bad because it creates a bad narrative around two-factor authentication. While Facebook lets you use a code generator mobile app or a U2F USB key, many people rely on text messages for two-factor authentication. It’s a second layer of security so that strangers who have your password can’t log in without the second factor.

Everyone should enable two-factor authentication. But people might hesitate now that they know Facebook has used a security feature to improve engagement in the past. I’d recommend turning it on with a code generator.

Does it mean tech publications shouldn’t have shared this information? Of course not (and I’m looking at you, former Facebook security engineer Alec Muffett). If nobody had written about the issue, Facebook would still be spamming users and sharing great engagement numbers in its quarterly earnings release.

The fact that Facebook poorly implemented a security feature is… Facebook’s fault.

Facebook is also disabling posting to Facebook via text message altogether. Earlier this week, a tweet went viral as Gabriel Lewis tried disabling those text notifications and ended up sharing posts on Facebook:

The company says that this feature may have been useful at some point when smartphones were less popular, but there’s no reason to keep it around now.

Featured Image: Facebook

Facebook is so desperate for engagement, it’s spamming users via their 2FA numbers

Please, please come back.

Image: Justin Sullivan/Getty Images

Facebook is feeling lonely these days. 

The social media behemoth has seen a decline in traffic in recent weeks along with millions of users leaving its platform, and it appears to be taking rather drastic measures to win them back. Specifically, spamming the hell out of them in a most unfortunate place. 

So says one account holder, Gabriel Lewis, who tweeted that Facebook texted “spam” to the phone number he submitted for the purposes of 2-factor authentication. And no, he insists he did not have mobile notifications turned on. 

What’s more, when he replied “stop” and “DO NOT TEXT ME,” he says those messages showed up on his Facebook wall.

Lewis explained his version of the story to Mashable via Twitter direct message. 

“[Recently] I decided to sign up for 2FA on all of my accounts including FaceBook. Shortly afterwards they started sending me notifications from the same phone number. I never signed up for it and I don’t even have the FB app on my phone.”

Lewis further explained that he can go “for months” without signing into Facebook, which suggests the possibility that Mark Zuckerberg’s creation was feeling a little neglected and trying to get him back. 

According to Lewis, he signed up for 2FA on Dec. 17 and the alleged spamming began on Jan. 5. 

A screengrab showing when Lewis first signed up for 2FA on Facebook, and the beginning of the alleged spam.

Image: Gabriel Lewis

We reached out to Facebook to find out just what, exactly, is going on here. Is this some kind of bug? Perhaps a limited test? We have received no response as of press time. 

Importantly, Lewis isn’t the only person who claims this happened to him. One Facebook user says he accidentally told “friends and family to go [to] hell” when he “replied to the spam.” 

This doesn’t look good for Facebook. Zeynep Tufekci, a self-described technosociologist, professor at UNC, and frequent Facebook critic, voiced some particularly strong concerns.

As far as Lewis is concerned, Facebook’s attempts to woo him back have more or less backfired. “I feel like they are constantly pushing me to come back to the service but this is not the way to do it.”

After all, no one likes a desperate ex. 


Reddit adds 2-factor authentication for all

Reddit has finally joined other major web properties in adding two-factor authentication for all users. It’s been available for mods and some testers for a while, but this is the first time the vast multitudes of redditors will have access to it.

Turn it on and you’ll have to enter a six-digit code sent to your phone whenever you have a new login attempt. You’ll need Google Authenticator, Authy, or any TOTP-supporting auth app — texting codes is no longer recommended (and really, it was always a bad idea).

There’s not much to setting it up: go into the password/email area of the site’s preferences once you’ve logged in on a desktop browser. Enable two-factor authentication and follow the instructions.

Now, this may be a problem for power users, who might have trouble switching between the one they use for ordinary browsing and the one they use to post racist comments on every post they can, or the one they use to vehemently disagree with a headline without reading the article. But that’s the price of security.

Featured Image: REUTERS/Robert Galbraith

Apple’s going to mandate 2-factor authentication, so you better get used to it now

Apple’s trying its hardest to protect the security of your account — whether you like it or not. 

In an email sent out in the early hours of June 6, the company confirmed that going forward it will mandate the use of 2-factor authentication (2FA) for many of its services. 

“If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID (xxxx@xxxx.com) will be automatically updated to use two-factor authentication,” reads the email. “This is our most advanced, easy-to-use account security, and it’s required to use some of the latest features of iOS, macOS, and iCloud.”

To be clear, this means that it’s not just early adopters downloading public betas of iOS 11 and High Sierra who will be required to use 2FA, but rather everyone who wants access to all the hot new features.

And what is 2FA, you ask? Two-factor authentication is a basic security measure which requires two pieces of information for a user to access his or her account. Think of taking cash out of an ATM machine. You need your physical bank card (“something you have”), and your PIN (“something you know”). Only with both those keys can you get your cash. 

That High Sierra goodness.

Image: apple

With email, 2FA frequently manifests as your account password (“something you know”) and a random code sent to you either via SMS or an authenticator app (“something you have”). With these two elements required to gain access to an online account, it is much harder for hackers to gain unauthorized access. 

“Once updated, you’ll get the same extra layer of security you enjoy with two-step verification today, but with an even better user experience,” the email continues. “Verification codes will be displayed on your trusted devices automatically whenever you sign in, and you will no longer need to keep a printed recovery key to make sure you can reset a forgotten password.”

So, whose Apple IDs will be automatically updated to 2FA? We reached out to Apple to determine if it’s just people downloading the public betas, or if the same requirements will apply to everyone downloading iOS 11 and High Sierra later this year. Unfortunately, we received no response as of press time. 

Either way, with Apple stating that 2FA is required to use “the latest features of iOS, macOS, and iCloud,” it’s clear the company is making a hard push toward better account security. 

So go ahead and update those security settings now — before Apple does it for you. After all, medicine’s always easier to swallow when it’s not being shoved down your throat. 
