Skip to main content

You can now use NFC to lock down your Facebook page

You can now use NFC to lock down your Facebook page


A new kind of two-factor authentication

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

facebook app icon

Today, Facebook announced support for security keys, giving users the chance secure their logins with a physical device. Alongside the standard setup, Facebook also built support for a more experimental NFC login system, the first major deployment of its kind.

“The APIs to do this are still pretty new.”

Security keys work as part of Facebook’s two-factor authentication system, which adds a second layer of defense in case a user’s password is compromised. Usually that second factor is a string of numbers sent over text or an on-board app, but the security key makes it a physical device, a smart USB drive inserted into the computer whenever you log in. To make it work, you’ll have to buy a device and carry it with you at all times, usually on a keyring, but the end result is easier and faster than waiting for a code over SMS. A number of services already support security keys under the FIDO specification, including Google, Dropbox, and GitHub.

According to Facebook security engineer Brad Hill, the goal was to provide more options for two-factor logins. “We’re just looking to provide a diversity of tools so that everyone can find something that’s right for them,” Hill told The Verge.

Facebook’s new setup also adds short-range wireless signals to the mix, taking the traditional security key system one step further. Yubico’s newest keys can transmit data over NFC frequencies, a band already used for payments and other sensitive data. Yubico’s NFC key is meant to bring the same two-factor protections to mobile devices, which typically don’t have USB ports.

Facebook security key

Facebook is the first major platform to support the NFC system, although availability is still spotty. It’s only available on Android, and users will have to login through the mobile site rather than the app itself. The setup also requires the most recent version of the Google Authenticator app. “Right now the APIs to do this are still pretty new,” Hill explains. “There aren’t native APIs yet in Android for an app to take advantage of.”

The resulting system is unlikely to be widely used, but it’s a glimpse of what two-factor protections could look like on a mobile device, a future that Hill and others at Facebook seem eager to reach. “We’re looking forward to other methods like Bluetooth,” says Hill.