At Facebook, some employees can log into machines with the tap of a Yubikey. Photo: Josh Valcarcel/WIRED
October has always been John Flynn’s favorite time of year, but this year, it’s even better. He gets to spend the month trying to hack into a fleet of Facebook computers equipped with a new kind of security tool — a tool that takes computer security beyond the password.
Since jumping to Facebook from his job at Google a few years ago, Flynn has been part of the Facebook security team that masquerades as bad guys during the month of October, doing their best to bust into the corporate network that underpins the social networking giant. They call it “Hacktober,” and the idea is to find the holes where the real bad guys might attack the company. Last year, Flynn and other Facebook security engineers created a fake news story designed to spread a computer worm around the network.
Flynn — who goes by the nickname “Four” — won’t say what’s in store for Facebook’s employees this October, but one thing seems certain: Hacking them is going to be that much more of a challenge. Over the past year, the company has equipped many employee systems with Yubikeys, little pieces of hardware that let employees securely log into machines with the tap of a finger. This nifty tool can make it that much harder for hackers to bust into a corporate network and do whatever they want — even if the hacker manages to take command of an authorized network machine.
The company that makes Yubikey says that the device has been picked up by seven of Silicon Valley’s biggest companies, and Facebook is the second big-name web company to publicly get behind the device. Earlier this year, a group of Google researchers endorsed the thing, saying they were fed up with passwords. Passwords aren’t just a pain to type. In the end, they provide a limited amount of security.
John Flynn. Photo: Facebook
At the time, Google said it was studying whether it could replace passwords — or at least enhance them — with the Yubikey, a sliver of hardware that slides into the USB port on the side of your laptop. Basically, you can set things up so that you can’t log in to a machine or a network unless the Yubikey is there and you tap on it.
Facebook likes the devices because they add a second level of security to the Facebook network. If the average Facebook employee wants to read her email, she’ll still have to log into her corporate account with a username and password. But if she tries to log in from someplace new — China, for example — Facebook will ask that she tap on her Yubikey too. If that’s not available, she can use a security app on her phone, called Duo. That’s how Facebook ensures that nobody’s breaking in with a stolen password.
As far as Flynn is concerned, this shows how it’s possible to tighten up security without making things harder for workers. “It’s added another layer on top of all the other ways that people do authentication internally,” he says.
About a year and a half ago, Facebook made this kind of enhanced security available to the one billion people who use its social network. The company calls this Login Approval. But Facebook users do it with a mobile phone, not a Yubikey. “We wanted to add that kind of feature to some of our internal systems as well,” says Flynn. “The main driver was really just wanting to find a way to do better security internally.”
At first, they tried out the keys with company engineers. But now it has been rolled out to the Facebook email system, company-wide.
“What we’ve found is that our engineers who do a high volume of authentication really like the Yubikey for its ease of use features,” Flynn says. Other users prefer the Duo. “We’ve found that users in our sales or marketing organization really like the application on their phone,” he adds.
The change wasn’t without some snags. Some staffers slid in their Yubikeys upside down and backwards, occasionally shorting the computer. Other employees use non-standard keyboards — Flynn says there are about five Colemak users, and an undisclosed number of Dvorak lovers at Facebook — and that can cause problems with Yubikey. But Flynn and team found a way around these problems.
They’ve even found ways that Yubikey can get rid of passwords altogether. Engineers who use what’s known as SSH, for example, can remotely connect to servers via a well-known SSH technique that depends on cryptographic keys instead of passwords, and if they combine this method with a Yubikey, they can connect sans password. Flynn describes the password-free login as a near-magical experience. “You type ssh-space-theserver, and then you press your Yubikey, and then you’re in,” he says.
Facebook engineers can also use the Yubikey instead of passwords when they’re using sudo, a Unix command that lets them run their code with special user privileges.
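The keyboard-layout snag above and the SSH and sudo logins share one mechanism: a Yubikey in its one-time-password mode acts as a USB keyboard and types a 44-character code, whose first 12 characters are the key's public identity. The alphabet, called modhex, was chosen so that QWERTY, QWERTZ and AZERTY keyboards all produce the same text; Dvorak and Colemak do not, which is why those users hit trouble. What a PAM module such as Yubico's pam_yubico then does, for both sshd and sudo, is check that the typed key is enrolled for the account being authenticated before handing the rest of the code to a validation server. The example below is added here and is not Facebook's or Yubico's code; it assumes a pam_yubico-style mapping file (the `user:id[:id...]` shape), constructs a sample OTP and mapping, and derives the Dvorak and Colemak tables from the standard layouts. The cryptographic check of the remaining 32 characters (an AES-encrypted, counter-bearing token) happens on the validation server and is not reproduced.

```python
"""Added example (not Facebook's or Yubico's code): the local half of a
Yubikey OTP second factor for ssh/sudo, plus recovery of a code that was
scrambled by a Dvorak or Colemak layout."""
from __future__ import annotations

MODHEX = "cbdefghijklnrtuv"   # 16 symbols; a symbol's value is its index
PUBLIC_ID_LEN = 12            # first 12 characters identify the key
OTP_LEN = 44                  # 12-char public id + 32-char encrypted token

# What each of the 16 modhex keys produces on other layouts (derived from the
# standard Dvorak and Colemak layouts: QWERTY key position -> character typed).
LAYOUTS = {
    "qwerty": dict(zip(MODHEX, MODHEX)),
    "dvorak": dict(zip(MODHEX, "jxe.uidchtnbpygk")),
    "colemak": dict(zip(MODHEX, "cbsftdhuneikpglv")),
}


def normalize_otp(typed: str, layout: str = "qwerty") -> str:
    """Map the text the terminal received back to modhex for a known layout."""
    if layout not in LAYOUTS:
        raise ValueError(f"unknown layout {layout!r}")
    back = {emitted: key for key, emitted in LAYOUTS[layout].items()}
    try:
        otp = "".join(back[ch] for ch in typed.strip().lower())
    except KeyError as exc:
        raise ValueError(
            f"character {exc.args[0]!r} is not produced by a Yubikey on {layout}"
        ) from exc
    if len(otp) != OTP_LEN:
        raise ValueError(f"expected {OTP_LEN} characters, got {len(otp)}")
    return otp


def modhex_decode(text: str) -> bytes:
    """Decode modhex to bytes (two symbols per byte, high nibble first)."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a modhex string")
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def public_id(otp: str) -> str:
    return otp[:PUBLIC_ID_LEN]


def parse_authfile(text: str) -> dict[str, set[str]]:
    """Parse 'user:id[:id...]' lines ('#' starts a comment) into user -> ids."""
    mapping: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        user, *ids = line.split(":")
        for key_id in ids:
            if len(key_id) != PUBLIC_ID_LEN or any(c not in MODHEX for c in key_id):
                raise ValueError(f"bad public id {key_id!r} for {user}")
        mapping.setdefault(user, set()).update(ids)
    return mapping


def key_bound_to_user(user: str, typed: str, mapping: dict[str, set[str]],
                      layout: str = "qwerty") -> tuple[bool, str]:
    """Local binding check a PAM module performs before contacting the
    validation server: is the key that typed this OTP enrolled for `user`?
    Returns (ok, public id) on success or (False, reason) otherwise."""
    try:
        otp = normalize_otp(typed, layout)
    except ValueError as exc:
        return False, str(exc)
    key_id = public_id(otp)
    if key_id not in mapping.get(user, set()):
        return False, f"key {key_id} is not enrolled for {user}"
    return True, key_id


# Constructed sample data (not real keys): mapping file plus one OTP.
AUTHFILE = """\
# user:public_id[:public_id...]  (pam_yubico authfile shape)
alice:ccccccbcgujh
bob:ccccccdlrvek:cccccckgtbhu
"""
SAMPLE_OTP = "ccccccbcgujh" + "ingjrtnrhcvgfhblckhhtvvunrvrrlkk"

if __name__ == "__main__":
    enrolled = parse_authfile(AUTHFILE)
    print(key_bound_to_user("alice", SAMPLE_OTP, enrolled))          # alice's key, alice's login
    print(key_bound_to_user("bob", SAMPLE_OTP, enrolled))            # alice's key, bob's login
    dvorak_typed = "".join(LAYOUTS["dvorak"][c] for c in SAMPLE_OTP)
    print(dvorak_typed)                                              # what a Dvorak user sees
    print(key_bound_to_user("alice", dvorak_typed, enrolled))        # rejected as typed
    print(key_bound_to_user("alice", dvorak_typed, enrolled, "dvorak"))  # recovered
```

The layout must come from the account's configuration rather than be guessed from the text: many Dvorak-scrambled codes still consist only of modhex letters, so auto-detection would silently accept garbage for some keys and reject valid codes for others.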
These may be small, geeky tricks, but they’re a step in the direction of password liberation. And that’s a good thing. This not only provides better protection for our computers and computer networks, it makes life easier for the people who use them. “The more you can move people to authentication systems that are both secure and don’t require them remembering crazy stuff, the more engagement you’ll get from your user base,” Flynn says.