Two-factor authentication, or 2FA, is often hailed as the safe compromise to humans’ seemingly innate ability to be very bad at passwords. But not all 2FA methods are created equal and some, particularly SMS, are seen as liabilities more than assets. Especially when put in the hands of Facebook. Now the social network giant is cleaning up its mess by finally allowing the use of theoretically safer authenticator apps when logging into your precious Facebook account.
Two-factor authentication takes its name from the fact that you need two things to authenticate your identity to a service. The first one is something you know, often a password or PIN. The second factor is something you have, like a phone number, an email address, or even a body part. That second factor often involves sending a one-time PIN or code that you enter in addition to the password. At least if your fingerprint, iris, or face isn’t used.
That process hints at why SMS has become less trusted in 2FA circles. SMS technology is old. So old that it doesn’t use encryption. It can be intercepted and read by a third party, nullifying the benefits of 2FA. And should your phone fall into the wrong hands, there’s little way for you to revoke that number (except through your carrier).
Naturally, Facebook made SMS-based two-factor authentication a bit more dramatic. Last February, it was discovered that a bug in Facebook’s system caused it to send regular Facebook status updates and posts to the phone numbers that users provided for 2FA. Replying to that number, in turn, posted those replies on users’ timelines. This was in violation of not a few laws, though, fortunately for Facebook, the recent Cambridge Analytica affair bought it time to clean up its act.
So now Facebook will no longer require a phone number to authenticate logins, though users can still opt to do so (the bug has reportedly been fixed already). Users can now employ apps like Google Authenticator instead, which are encrypted and commonly regarded as safer than SMS. Those may have their own little problems, but nothing as big as SMS or, worse, easy-to-guess passwords.