It’s been almost a year since I volunteered to give my readers my Google password, after enabling 2-step verification that is. I ended the blogpost on that topic with
And now off to Facebook security settings, to enable login notifications & approvals.
And although I did activate “login notifications” at that point, I did not enable approvals (for reasons I don’t remember, maybe I was just being lazy).
Fast-forward to yesterday evening, when I received a mail from Facebook stating that my account was temporarily locked because it was logged into from a location I had never used before. I immediately changed my password and finally enabled “login approvals” this morning as well. “Approvals” sends a security code via SMS when you log in from an unknown location, and you have to enter that code before the login completes. I was pleasantly surprised to see that Facebook added a Google Authenticator-like code generator to their Android and iOS apps, which you can use to generate a security code as well. Adding the extra security of login approval is easy enough. If you’re on Facebook or Google, you really should consider enabling those (with or without their respective smartphone-based security code generators).
One downside though: using an external chat client (Mozilla Thunderbird in my case) to access Facebook Chat over XMPP doesn’t work anymore, as Facebook doesn’t provide “application specific passwords” like Google does. Update: as Jensen points out in the comments below, Facebook does have application passwords, so I re-enabled Facebook Chat in Thunderbird. But that might be a good thing anyway, as the warning mail I received from Facebook seems to refer to the use of Facebook Chat over XMPP:
It looks like someone logged into “Rtgw_xmpp_username_password_
login” on Wednesday, November 14, 2012 at 9:04pm.
Not 100% sure if this was a real login attempt or a false positive, but apparently I’m not the first one to receive such a warning.
As I was reading your article I enabled two-step authentication on Facebook myself, and I noticed they do provide App Passwords.
On the security settings page, below the log-in approvals there’s a section called “App Passwords”.
That’s great, thanks Jensen!!
Activated this as well. I am now worried that I will lose my phone just at the moment my 30 days expire on my laptop and I won’t be able to log in to Facebook anymore.
Those 10 printed codes I got with my Google two-step verification somehow seem like a good idea now. Doesn’t Facebook do this?
Well, you could generate a couple of app passwords and write those down. Those should allow you to log in without login approval, upon which you’d be able to deactivate login approval?
That does not seem to work for Facebook. I think the app passwords only work for those apps?
Darn, and from an app you can’t change the “login approval” settings, so you’re blocked. This is what Facebook has to say on the subject:
I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account with an OTP. I am glad that is offered as an option for many sites, but not enough. It is worth the time and effort to have the confidence that your account won’t get hacked and your personal information isn’t up for grabs. It would be nice to see more of the leading companies in their respective verticals start giving their users the perfect balance between security and user experience. I know some will claim that 2FA makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I’m hoping that more companies start to offer this awesome functionality. To me this should be a prerequisite to any system that wants to promote itself as being secure.
I got one today, and my Thunderbird has been logged in for months anyway.
As soon as I saw XMPP I knew it was Thunderbird… BUT the issue was that Facebook seemed to report some private IP with it… and I am not using that same subnet of private IPs.
Makes me wonder if someone else did log in. Anyway, changed password and now I’m going to put that 2-step in.
Hi Krish, I suspect the private IP is an indication that this is a Facebook-internal problem, with the XMPP gateway server(s) (on the private IP) sometimes being blocked from logging in on the Facebook authentication platform.
I lost my phone and cannot access my code generator for my Facebook account, pls help
You’ll have to contact Facebook.