“Make being secure effortless”
Facebook is committed to empowering people to collaborate freely, create new ideas, and roll out new products and services quickly — but without putting security at risk. “Some companies just want to dictate a security solution and be done with it. But we have a bunch of smart people working here and if security gets in their way, they will just figure out a way around it. So our ultimate goal is to make being secure effortless,” said Flynn.
The Facebook development team uses the SSH protocol to enable secure remote connectivity to the development environment. Engineers initiate thousands of SSH development sessions per day, so the 2FA solution needed to work with several SSH authentication mechanisms without creating barriers to access or leaving security gaps.
“Protecting against remote attackers is a constant challenge, because once they gain access, they can move laterally through the organization to get the data they want. We wanted a 2FA solution to prevent that lateral movement, so if an engineering laptop gets compromised, the attackers can’t pivot into the production environment and access critical data,” said Flynn.
The team analyzed several options for 2FA. One-time passwords (OTPs) were impractical for engineers who need to access the development environment thousands of times per day. “We can’t expect developers to pull out their phone to type in an OTP every time they log in. It just creates an unacceptable amount of friction,” said Flynn.