Facebook - 2FA question

bbigford

Haven't been on Facebook in years. I jumped back on in the last couple days after reactivating my account, to connect with some family. I notice a gaping issue with security...Configured Facebook to work with Duo/2FA; works as intended.

But if I disable all notifications about "Logon Approvals" (i.e. remembering devices, browsers, etc), disapprove any/all devices, then you can still end up bypassing 2FA. What happens is the very browser/device prompts for a password, then a code (from Duo); as intended.

But the mobile app generates an alert that says "is this you?" If you select 'yes', then the browser is stored in Logon Approvals in Facebook (Windows 10 Firefox/Chrome/etc). When you then use that browser in a new session on that same computer, you put in your password and it sends you right on through. You can remove it from the approvals page and start over; but I'm wondering how you disable that entirely so you're forced to use Duo every time.

Surely someone on here uses Facebook and 2FA is configured without Logon Approvals.

bbigford

I just called a number listed for Facebook, on a Facebook forum, and was told "having the ability to bypass the 6 digit PIN using logon approvals is a feature by design", which is a nice way of saying "it's a security issue that there is no work around for". Just before being disconnected from the call, I had requested that the call be elevated; no dice.

IRJ

Dont use facebook if you want any type of privacy or security

bbigford

@irj said in Facebook - 2FA question:

Dont use facebook if you want any type of privacy or security

While I understand I could very well just not join any online community to maintain privacy, that isn't helpful.

I still want to connect with family on a common platform they are all using; but there's a balance with knowing there is personal info out there, and using 2FA.

gjacobse

I'm about to tell everyone I have 'friended' on FB to go take a flying leap... and then delete it. all I see is crap and negative.. and I deal with enough of that now.

so - 2FA - not worth my time.

bbigford

@gjacobse said in Facebook - 2FA question:

I'm about to tell everyone I have 'friended' on FB to go take a flying leap... and then delete it. all I see is crap and negative.. and I deal with enough of that now.

so - 2FA - not worth my time.

I've removed friends that just post junk. But there are plenty of other things I find worth my time, such as seeing tons of photos and videos of my nieces/nephews/events I can't attend.

gjacobse

@bbigford said in Facebook - 2FA question:

@gjacobse said in Facebook - 2FA question:

I'm about to tell everyone I have 'friended' on FB to go take a flying leap... and then delete it. all I see is crap and negative.. and I deal with enough of that now.

so - 2FA - not worth my time.

I've removed friends that just post junk. But there are plenty of other things I find worth my time, such as seeing tons of photos and videos of my nieces/nephews/events I can't attend.

yea,.. I get that... and those are nice... But since I never seem to hear from any of my family - or friends (oh.. the whopping 2) - what the heck is the point? I mean,.. even JB ignores me there too... Even if he cused me out from time to time it would be nice....

JaredBusch

@gjacobse said in Facebook - 2FA question:

@bbigford said in Facebook - 2FA question:

@gjacobse said in Facebook - 2FA question:

I'm about to tell everyone I have 'friended' on FB to go take a flying leap... and then delete it. all I see is crap and negative.. and I deal with enough of that now.

so - 2FA - not worth my time.

I've removed friends that just post junk. But there are plenty of other things I find worth my time, such as seeing tons of photos and videos of my nieces/nephews/events I can't attend.

yea,.. I get that... and those are nice... But since I never seem to hear from any of my family - or friends (oh.. the whopping 2) - what the heck is the point? I mean,.. even JB ignores me there too... Even if he cused me out from time to time it would be nice....

I barely log in to FB. Like once a month, maybe.

travisdh1

@gjacobse said in Facebook - 2FA question:

@bbigford said in Facebook - 2FA question:

@gjacobse said in Facebook - 2FA question:

I'm about to tell everyone I have 'friended' on FB to go take a flying leap... and then delete it. all I see is crap and negative.. and I deal with enough of that now.

so - 2FA - not worth my time.

I've removed friends that just post junk. But there are plenty of other things I find worth my time, such as seeing tons of photos and videos of my nieces/nephews/events I can't attend.

yea,.. I get that... and those are nice... But since I never seem to hear from any of my family - or friends (oh.. the whopping 2) - what the heck is the point? I mean,.. even JB ignores me there too... Even if he cused me out from time to time it would be nice....

That a right of passage around here.

bbigford

Meh, whatever. I'll probably end up dropping Facebook again soon anyway.

travisdh1

@bbigford said in Facebook - 2FA question:

Meh, whatever. I'll probably end up dropping Facebook again soon anyway.

I really only use it for "private" groups anymore. The feed isn't worth looking at.

dbeato

@bbigford said in Facebook - 2FA question:

Meh, whatever. I'll probably end up dropping Facebook again soon anyway.

2FA does work, I don't use Logon Approvals, it does it from any device that I use it. If you set the device to be remember it will remember it and no prompt you, but if you select to not save the browser it will prompt your 2FA everytime.

2FA for Facebook works on your Duo, their own Facebook App and other 2FA authenticator apps.

bbigford

@dbeato said in Facebook - 2FA question:

@bbigford said in Facebook - 2FA question:

Meh, whatever. I'll probably end up dropping Facebook again soon anyway.

2FA does work, I don't use Logon Approvals, it does it from any device that I use it. If you set the device to be remember it will remember it and no prompt you, but if you select to not save the browser it will prompt your 2FA everytime.

2FA for Facebook works on your Duo, their own Facebook App and other 2FA authenticator apps.

If I select to not remember the browser, it prompts every time, to which I keep specifying don't remember. I have been trying to find a way to stop promoting if I'd like to remember the device

dbeato

@bbigford said in Facebook - 2FA question:

@dbeato said in Facebook - 2FA question:

@bbigford said in Facebook - 2FA question:

Meh, whatever. I'll probably end up dropping Facebook again soon anyway.

2FA does work, I don't use Logon Approvals, it does it from any device that I use it. If you set the device to be remember it will remember it and no prompt you, but if you select to not save the browser it will prompt your 2FA everytime.

2FA for Facebook works on your Duo, their own Facebook App and other 2FA authenticator apps.

If I select to not remember the browser, it prompts every time, to which I keep specifying don't remember. I have been trying to find a way to stop promoting if I'd like to remember the device

No sure of that answer yet

dbeato

By the way it works the same with 2FA in this forum, unless you sign out of the browser it keeps your session ID.