Gartner Blog Network

Facebook and the Derpness of Enabling Their 2FA

by Ben Tomhave  |  December 1, 2014  |  Comments Off on Facebook and the Derpness of Enabling Their 2FA

I was awoken around 5am post-Thanksgiving Saturday by multiple text messages from Facebook instructing me to click a link and enter a code to reset my password. It seems someone decided to try and takeover my account. This led me to conclude that now would be a good time to quit putting-off enabling 2-factor authentication (2FA) for my account. What should have been a very simple process was complicated (slightly) by a degree of true derpitude: in order to enable 2FA for my account, Facebook first insisted that I change my browser configuration (or use a different browser) that wasn’t set to clear cookies after each session. I received the following error/explainer:


This message annoyed me greatly, for three reasons.

1) Why was I being asked to reduce the security settings on my browser in order to increase the security on my account?

First and foremost, this is just plain stupid. Clearing my cache is a /good/ thing, which all of you should do on a regular basis. It helps improve your privacy (to a small degree, anyway). It helps keep the web site content you’re accessing correct and fresh (we still see some cache issues when sites are updated). More importantly, though, is that I should never be asked to decrease my security and privacy settings in one area just to improve my security in another area. Which leads me to…

2) Why the erroneous implied correlation between cookies and 2FA?

Clearly, there are two concerns driving this behavior by Facebook: usability and trackability. In the first case, I would imagine they foresaw (or maybe actually saw) an uptick in frustration with logging into the site and having to use a one-time-code each time. They may also have viewed it as a usability issue that could be eased by storing a permanent cookie. However, let’s be honest… if I’m enabling 2FA, it’s because I want that second out-of-band factor there pretty much every single time.

Which leads me to believe that there is, in all likelihood, a more nefarious and profit-driven motive behind not allowing me to enable 2FA without also allowing them to set long-term (or permanent) cookies: advertising and tracking. By setting a permanent cookie, they can help “improve” usability while also getting a long-term tracking device well-embedded within my browser, which carries over to more than just their own site (read this article for more on the extensive tracking their doing). Facebook is a commercial business, and publicly traded to boot, so they need to be able to grow their business and show value for stakeholders. I understand /why/ they would want to track, but… they also need to honor “do not track” decisions be users (see EFF’s coverage of the topic).

These considerations aside, though, leads me to a more important usability question…

3) Why not warn instead of preventing 2FA until one relents and adopts the weaker settings (at least temporarily)?

It seems rather heavy-handed to outright prevent users from enabling 2FA until they reduce their security settings in their browser. I understand advising people of the potential usability issue (“if you don’t change your cache settings, then you’ll be prompted for a code every single time you login”). But, why prevent it altogether? To me, that seems to send the wrong messages to users. We want them to enable 2FA! As important as Facebook has become in social and professional circles, the thought that extra hoops must be jumped through to improve account security is a bit asinine.

Also, interestingly and as expected, the weaker browser settings are /not/ required in order to use 2FA and have a normal experience. I went through the step of using a weakened browser config in order to jump through their hoop, and then immediately cleared cache and reverted my settings, and had no problem whatsoever logging into my account using a one-time-code. As such, it seems clear that this is less about usability and more about profit motive, which is a lousy message to send to customers.

At the end of the day, Facebook is an easy target, but they’ve seemingly handily won the social media platform competition. However, it concerns me greatly when a major player in the online space does patently silly things like increasing the difficulty of enabling 2FA on accounts. The secure choice should be the easy choice, and that certainly is not the case today for Facebook’s 2FA. Which is not to say it’s super-difficult to enable it; just that it’s harder than it needs to be and, for less tech-savvy users, I’m going to go out on a limb and guess that encountering this message would be enough to stop someone from proceeding further to get 2FA enabled.

Hopefully Facebook Security will wake up and correct this situation. There’s no reason security and usability can’t be complementary. There’s no reason that the secure choice can’t be the easy choice. For most people (IE and Safari users under default configs), this is likely a non-issue. However, that means they’re almost being openly antagonistic with more advanced users, and to what end?

Well, enough ranting on the topic… suffice to say, forewarned is forearmed, and if you’re looking to enable 2FA on your Facebook account, don’t be surprised by this little hiccup.

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: common-sense  

Ben Tomhave
Research Director
1 years at Gartner
19 years IT Industry

Ben is conducting research within the Security and Risk Management Strategies team under Gartner for Technical Professionals.

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.