Facebook will soon start enforcing a new two-factor authentication (2FA) rule for people with high-risk accounts. The mandate will specifically apply to accounts covered under the Facebook Protect enhanced security program, which was set up to guard the interests of government officials, journalists, human rights activists, and other people who are likely to be appealing targets for hackers and other cybercriminals.
At the moment, just over 1.5 million accounts are covered under the Facebook Protect program. However, that number is expected to increase in the coming year. Facebook Protect will be offered in more than 50 countries before the end of the year, and will expand beyond that in 2022. Just under two-thirds (around 950,000) of those 1.5 million accounts have already enabled 2FA, but Facebook is making it mandatory to make sure that it can provide a higher level of security for its most vulnerable users.
“2FA is such a core component of any user’s online defense, so we want to make this as easy as possible,” said Facebook Security Policy head Nathaniel Gleicher. “To help drive wider enrollment of 2FA, we need to go beyond raising awareness or encouraging enrollment. This is a community of people that sit at very critical points in public debate and are highly targeted, so for their own protection, they probably should be enabling 2FA.”
The new policy will not go into effect immediately, so high-risk Facebook Protect users who have not yet activated 2FA will have a grace period in which to do so. Those who fail to implement 2FA will eventually be locked out of their accounts, but will be able to recover them once they activate the feature. In the meantime, Facebook plans to begin its Facebook Protect rollout in countries that have the necessary infrastructure, and in countries with upcoming elections that could face more cybercriminal activity.
In addition to 2FA, Facebook Protect provides ongoing account monitoring that watches for potential cyberthreats. While Facebook advocates for the use of 2FA, the company is not currently planning to make the stronger authentication standard mandatory for regular user accounts.
Earlier this year, Yubico gave away 25,000 YubiKeys to high-risk journalists and politicians through the Microsoft AccountGuard program. Facebook recently indicated that it will reduce its use of facial recognition, and has previously allowed iOS users to secure the Facebook Messenger app with biometric Face and Touch ID.