Making security effortless for employees

Balancing usability and security.

Industry: Technology

Protocols: U2F

Products: All YubiKey Form Factors

Deployment: Employees

About Facebook

Since its founding in 2004, Facebook has evolved from a small social networking service to one of the world’s biggest distributors of news and online ads. This massive transformation would not be possible without thousands of Facebook developers and employees who constantly strive to improve the overall user experience, digital security, and community discourse across the entire platform.



Implementing strong security that doesn’t get in the way of work

It’s no secret that Facebook’s access to the personal information of billions of people has made it a highly valuable target for cyberattacks. As a part of the company’s ongoing security strategy, the engineering team wanted to implement strong two-factor authentication (2FA) for their development environment. The solution not only needed to scale to thousands of developers, but also enable seamless security without interrupting workflow. After a lengthy search process, Facebook chose the YubiKey 4 Nano, which was deployed to thousands of developers within a matter of months. Once the engineering team proved the YubiKey could meet all of their complex requirements, Facebook deployed YubiKeys across the entire company.



“Make being secure effortless”

Facebook is committed to empowering people to collaborate freely, create new ideas, and roll out new products and services quickly, without putting security at risk. “Some companies just want to dictate a security solution and be done with it. But we have a bunch of smart people working here and if security gets in their way, they will just figure out a way around it. So our ultimate goal is to make being secure effortless,” said John “Four” Flynn, Facebook’s Information Security Manager.

The Facebook development team uses the SSH protocol to enable secure remote connectivity to the development environment. Engineers initiate thousands of SSH development sessions per day, so the 2FA solution needed to work with several SSH authentication mechanisms without creating barriers to access or leaving security gaps.

“Protecting against remote attackers is a constant challenge, because once they gain access, they can move laterally through the organization to get the data they want. We wanted a 2FA solution to prevent that lateral movement, so if an engineering laptop gets compromised, the attackers can’t pivot into the production environment and access critical data,” said Flynn.

The team analyzed several options for 2FA. One-time passwords (OTPs) couldn’t support engineers who need to access the development environment thousands of times per day. “We can’t expect developers to pull out their phone to type in an OTP every time they log in. It just creates an unacceptable amount of friction,” said Flynn.


“Facebook is a very fast paced environment and we needed technologies that would allow us to maintain that pace. Because of the ease of use of Duo Security and Yubico authentication technologies, we have seen minimal support and overhead costs. Other technologies, such as traditional OTP-based hardware tokens, smart cards, and biometrics didn’t fully support our need to allow multiple and rapid logins to SSH sessions.”

—John “Four” Flynn, Information Security Manager


Secure enough for developers, scalable enough for global deployment

Ultimately, the YubiKey 4 Nano combined with ecosystem partner Duo met the Facebook team’s requirements for a 2FA solution that could be deployed quickly, support scalable and frequent use across multiple devices, and enable strong authentication every time a developer logs into a server. Because the YubiKey 4 Nano stays connected to the device, the developer simply taps the key to authenticate, which is significantly faster than typing in an OTP thousands of times per day.
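The security property behind the two paragraphs above (a laptop compromise must not hand an attacker a usable path into the server fleet, so every SSH login needs the key and a second factor the attacker cannot copy) is something you can verify on a server rather than take on trust. The page does not say how Facebook wired Duo and the YubiKey into sshd, so the following is an added example written for this page, not Facebook's, Duo's or Yubico's code. It assumes the common OpenSSH pattern in which the second factor is prompted through keyboard-interactive authentication backed by a PAM module (the specific module is not named on the page), and it checks an sshd_config for the directives that make that second factor mandatory rather than optional. The two sample configurations are constructed for the example.

```python
"""Audit an sshd_config for the property discussed above: a private key lifted
from a compromised laptop must not be enough on its own, because every login
also has to pass a PAM-backed interactive second factor.

Constructed example for this page; not Facebook's, Duo's or Yubico's code.
"""

from __future__ import annotations

# keyboard-interactive is the SSH method through which a PAM module (assumed
# here to be the second-factor prompt; the page does not name one) talks to
# the user. "keyboard-interactive:pam" pins the method to the PAM backend.
SECOND_FACTOR_METHODS = {"keyboard-interactive", "keyboard-interactive:pam"}


def parse_sshd_config(text: str) -> dict[str, list[str]]:
    """Parse the global section of an sshd_config into {keyword: [values]}.

    Keywords are case-insensitive and may be written "Key value" or "Key=value".
    sshd honours the *first* value it reads for a keyword, so duplicates are
    kept in order for the caller to report. Parsing stops at the first Match
    block, whose directives apply only conditionally.
    """
    options: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        options.setdefault(key, []).append(value)
    return options


def effective(options: dict[str, list[str]], key: str) -> str | None:
    """Value sshd will actually use for a keyword (first occurrence wins)."""
    values = options.get(key)
    return values[0].lower() if values else None


def second_factor_findings(text: str) -> list[str]:
    """Return findings for a config. An empty list means every login path
    requires both the SSH key and a PAM-backed interactive second factor."""
    opts = parse_sshd_config(text)
    findings: list[str] = []

    methods = effective(opts, "authenticationmethods")
    if methods in (None, "any"):  # "any" is the default: one method suffices
        findings.append("AuthenticationMethods unset: a stolen private key alone logs in")
    else:
        # Space-separated lists are alternatives; each must be strong on its own.
        for alternative in methods.split():
            required = set(alternative.split(","))
            if "publickey" not in required:
                findings.append(f"method list '{alternative}' does not require the SSH key")
            if not required & SECOND_FACTOR_METHODS:
                findings.append(f"method list '{alternative}' has no interactive second factor")

    if effective(opts, "usepam") != "yes":  # OpenSSH default is no
        findings.append("UsePAM is not yes: no PAM second-factor module can run")

    # Newer OpenSSH calls this KbdInteractiveAuthentication; older releases
    # used ChallengeResponseAuthentication. Both default to yes when unset.
    kbd = effective(opts, "kbdinteractiveauthentication") or effective(
        opts, "challengeresponseauthentication"
    )
    if kbd is None:
        kbd = "yes"
    if kbd != "yes":
        findings.append("keyboard-interactive authentication is disabled")

    for key, values in opts.items():
        if len(values) > 1:
            findings.append(f"{key} appears {len(values)} times; sshd uses '{values[0]}'")
    return findings


# Constructed sample: a stock sshd that trusts whatever key the laptop holds.
WEAK_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed sample: key AND a PAM-driven interactive prompt on every login.
HARDENED_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, second_factor_findings(cfg) or ["ok"])
```

Two caveats the check makes visible: `AuthenticationMethods` accepts several space-separated alternatives, and one weak alternative (for example a bare `publickey` list left in for "convenience") undoes the whole policy, so every list is inspected; and sshd keeps the first value of a duplicated keyword, so a hardened line appended below an older `AuthenticationMethods any` never takes effect. Directives inside `Match` blocks are deliberately not evaluated here, since they apply only to matching users or hosts and need to be audited per match.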

After successfully deploying the YubiKey to the engineering team, Facebook then deployed YubiKey-enabled 2FA to the rest of the company. “When you have a two-factor system that’s good enough to use for every single SSH access instance, it’s easy to roll it out on your email system and VPN,” said Flynn.

In addition to employees, Facebook also supports YubiKey authentication to help billions of users prevent fraud, account takeovers, and data theft from highly persistent attackers — helping to ensure the platform’s integrity and security for everyone who uses Facebook every day.