Securing your Facebook account with Two Factor authentication

Sunday, 16 April 2017

One in a series of posts on Facebook Security and Privacy

You should consider enabling Two Factor Authentication (often shortened to 2FA) for logging in to Facebook. This means that in addition to having a unique password for Facebook (one that you don’t use for any other online service), you also have to enter a (usually) 6 digit code from an authenticator app, or a code sent to you in an SMS text message, to confirm that it really is you signing in.

The two factors in “two factor” are 1) something you know, your password, and 2) something you have, the phone that generates or receives the 6 digit code. Someone who has guessed or stolen your password alone still can’t log in.

The clever thing is that the 6 digit code changes every 30 seconds. It is calculated from a secret key that is copied to your phone when you scan the QR code (see below) combined with the current time, so it’s no good writing a code down as it will be out of date very quickly, and a code that someone else gets hold of is only useful to them for a matter of seconds.

If you have a smart phone or tablet

  1. Install an authenticator app on your device.
    I recommend (and use) the Microsoft Authenticator app (which is available for iOS, Android and Windows Phone), but there are other options including Google Authenticator and Authy.
  2. Open Facebook in your web browser (preferably on a different device from your smartphone)
  3. Go to Settings, then Security and then Login Approvals
    (Screenshot: Facebook Security Settings)
  4. In the Code Generator section, click on third-party app.
  5. A QR Code (like a barcode) appears.
  6. On your smartphone, open the Microsoft Authenticator app
  7. Click on ‘+’ to add a new account
  8. Choose Other
  9. Hold your smartphone in front of your computer’s web browser so that the phone’s camera can scan the QR Code.
  10. It should automatically scan the code and add a new account entry for Facebook, e.g.
    (Screenshot: Microsoft Authenticator)
  11. Note the 6 digit number now being displayed on your phone.
  12. Also notice there’s a countdown timer displayed next to this number. When this timer reaches zero, the number will expire and a new number will be displayed.
  13. Switch back to your web browser and enter this number in the confirmation field and press Confirm
  14. Click Enable to allow Login Approvals.
  15. Click on Get Codes
  16. Enter your password
  17. Print out these codes and keep them in a safe place (not on the same phone that runs the Authenticator app). Each code can only be used once. You can use these codes as a last resort if you lose access to the Authenticator app (e.g. your phone drops in the toilet).
  18. It is also a good idea to provide your mobile phone number as a fall back in case you lose access to the Authenticator app (e.g. you accidentally deleted it). Be aware that this means a code sent by SMS will also be accepted, so your account is then only as strong as your phone number (see the note on SMS below).

From now on, each time you log in to Facebook from a new device or browser you will need to provide the current 6 digits from the Authenticator app as additional proof of identity. For devices you use regularly, you can choose to have Facebook remember that browser so that it doesn’t ask for the code again; only do this on devices that you own and that nobody else uses.

If you use the Facebook App on your device, that can also function as an authenticator app. The downside to using this is that it only works for Facebook, whereas an app like Microsoft Authenticator can work with many online services.

These include Amazon, Dropbox, Facebook, GitHub, Google accounts, Microsoft Accounts, Mailchimp, Twitter and others. Always enable 2FA for any online service you use that offers it. Many banks and financial institutions use similar systems.

If you have a mobile phone

  1. Open Facebook in your web browser (preferably on a different device from your smartphone)
  2. Go to Settings, then Security and then Login Approvals
  3. In the Text message (SMS) section, if there is no number listed, click on Add phone number
  4. Follow through confirming the phone number

From now on, when you log in to Facebook from a new device or browser you’ll receive an SMS text message with a code. You’ll then need to provide that code in addition to your password. If you use a device regularly, you can tell Facebook not to prompt for 2FA again on that device.

Using 2FA with text messages is much better than not using 2FA at all, but it isn’t quite as secure as using an authenticator app: a text message can be read from a lost phone’s lock screen, and an attacker who talks your mobile provider into moving your number to a SIM card they control (“SIM swapping”) will receive your codes instead of you. If you can’t use an app then do enable 2FA using SMS. Some services even support non-mobile (landline) numbers by reading out the code in an automated voice call instead of sending a text message.

You just received a friend request on Facebook from someone who’s already a friend

Sunday, 16 April 2017

One in a series of posts on Facebook Security and Privacy

First off, don’t panic! Almost certainly your friend has not “been hacked”. Instead an annoying person has just created a new Facebook account and copied your friend’s profile picture and name, and is presumably now going through their friend list asking to become friends.

What can you do?

Use the Facebook “Report” function to let your friend know.

  1. Open the fake profile page (Just click on the name. Don’t click on Confirm Request!)
  2. Click on the ‘…’ button (to the right of the Message button), then click Report.
    (Screenshot: Facebook Report)
  3. Select Report this profile and click Continue
  4. Select They're pretending to be me or someone I know and click Continue
  5. Select Someone I know and click Continue
  6. Select Message your friend
  7. Type in your friend’s name. Your friend’s existing Facebook profile should be listed.
  8. Click Send.
  9. Your friend will receive a Facebook message with a link to the offending profile and they can follow it up by reporting it to Facebook.

If you’re particularly concerned, at step 6 you can also choose Submit to Facebook for Review. You will then be asked to select your friend’s real Facebook profile and send it off to Facebook.

Facebook security and privacy

Sunday, 16 April 2017

I’ve had a number of friends on Facebook suffer the annoyance of having ‘fake’ accounts using the same name and profile picture to impersonate them and contacting all their friends asking to be friends.

It’s frustrating and annoying for everyone concerned. The victim who is being impersonated often also wonders if their Facebook account “has been hacked!”. Usually this is not the case, but I thought it would be helpful to write down some suggestions to help reduce the risk and help you feel safer using Facebook.

Topics in this series:

Let me know in the comments if there’s anything else I should cover.

MVP Community Connection 2017

Tuesday, 4 April 2017

(Photo: Microsoft Signage)

Friday morning I took the day off work so I could fly over to Sydney to take part in a gathering of Australian Microsoft MVPs. Friday afternoon there was a networking/“unconference” event held at Microsoft’s North Ryde campus.

Microsoft, North Ryde

Later we travelled back to Darling Harbour to have some fun at Strike, trying out their Escape Rooms (lots of fun).

Darling Harbour

The next morning we gathered for breakfast followed by a full day of speakers and workshops. Everyone got these really nice cards of appreciation with personalised Lego mini-figures. Not sure that my hair is brown, but then I’m not really sure what colour it is – the days of being blonde, or even ‘dirty’ blonde are well behind me :)

Card with "Thankyou for being awesome"

During the afternoon, I was asked to do a short presentation about running a user group. I can tell you I was more than a little bit nervous getting up in front of such an experienced group of people, but I think it went ok.

Early Sunday morning, I flew back home. All in all a great time catching up with friends and learning a lot.

Richard’s Technical Debt

Saturday, 25 February 2017

These are my notes from listening to the recording of Richard Banks’ talk The Technical Debt Prevention Clinic that he gave recently at the Microsoft Ignite Australia 2017 conference.

TL;DR - This is a really compelling talk. Go watch it, and share it with your colleagues!

My notes and highlights follow. These are not a substitute for watching/listening to the talk, and the best thing (if you ever get the opportunity) would be to see Richard deliver this in person.

Technical debt

Refactoring

Feature flags

Preventing

Code Reviews (suck)

Other tips

Conclusion

Technical debt can be a good thing, but bad code never is.