About Facebook

Founded in 2004, Facebook’s mission is to give people the power to share and make the world more open and connected. People use Facebook to stay connected with friends and family, to discover what’s going on in the world, and to share and express what matters to them.

Facebook Security Architect explains in a presentation filmed at Security@Scale in February 2014 why the company chose the YubiKey Nano as part of their internal two-factor authentication deployment. Please watch the 30 min video or read the written summary of the presentation below.


YubiKey Nano, Facebook’s Internal 2FA Solution

Facebook is proud of its internal culture, specifically the rapid and fast moving mantra of its engineering department.  Security is a top priority at the company and with thousands of engineers, it was a necessity for Facebook to provide a new secure authentication solution specially targeted to protect engineering SSH sessions.

The goal of the project was simple, provide a solution that allowed these employees to do their jobs (at Facebook’s rapid speed) without any roadblocks — making security as effortless as possible.  Traditionally, problems can arise when introducing new security measures, which can create friction and be a time distraction, which was the main point Facebook needed to avoid.

Every day, Facebook engineers log in (thousands upon thousands of times) to development servers for SSH sessions to write code, test projects and troubleshoot programming.  When looking at the current authentication landscape, Facebook needed a tool that fit the following requirements; support very frequent uses, flexible deployment options, strong authentication for every session, fast deployment across the engineering teams, and minimal overheard and support.

The company reviewed several authentication technologies, including OTP, biometrics, and smartcards, but with the frequency of engineering logins, these slower techniques and time consuming forms of authentication would prove not adequate for Facebook’s requirements.

After careful consideration, the company looked to the advanced authentication from both Duo Security and Yubico. When coupled together, the respective technologies successfully addressed Facebook’s authentication priorities — placing equal emphasis on usability and security.

This complementary combination of two-factor technologies includes multiple authentication methods — push, SMS, mobile, voice — supported by cloud-based authentication from Duo Security and the YubiKey Nano device from Yubico.  Measuring just 10mm x 11mm x3mm, the YubiKey Nano is the world’s smallest authentication device.   It is designed to stay inside the USB-slot once inserted and works on any computer that supports USB , and does not require  client software.

Facebook is utilizing YubiKey Nano to provide a second-factor authentication for SSH to protect against remote hackers while ensuring that the legitimate user is present at their machine. The concept of user presence on each laptop is extremely important as it eliminates the threat of external attack, by guaranteeing there is a person at the keyboard and not a remote, outside hacker.

Authentication couldn’t be easier with the YubiKey Nano and it was quickly adopted by Facebook engineers.  To authenticate, users simply press the device (which registers as a keyboard and proves user presence) and a passcode is instantly and automatically entered, there is no need to physically re-type passcodes.

Highlighting Facebooks need for fast deployment, the start to finish implementation of Duo and Yubico technologies lasted only a couple months (mirroring Facebook’s engineering culture).  Furthermore, since the initial deployment with company engineers, internal authentication has been rolled onto the Facebook email system, company-wide.

A highly effective deployment and new approach to two-factor authentication, Facebook has presented on the success of the two-factor solutions at Security@Scale and was featured in Wired magazine.

Find out more about YubiKey for Businesses