By Ehud Amiri
Social websites have become such a significant portion of almost everyone's online life. Communities with billions of active users, including everyday users, celebrities, prime ministers and presidents, share their most intimate life details on these sites, capturing moments with pictures and videos.
It’s no wonder that individual hackers, criminal organizations and even state-sponsored hackers are interested in attacking these platforms. Just in the past month or so, we have seen dozens of reports of Instagram account takeovers, a reported massive breach at Facebook, and an announcement from Google+ following a newly discovered vulnerability in their APIs. I also recently wrote about Reddit employee accounts being hacked.
By and large, social network providers have reacted to this threat by enhancing their built-in security and anti-fraud controls. In particular, they have implemented much more consistent support for one of the simplest — and probably one of the most effective — methods of boosting account security: multi-factor authentication (MFA).
What Kind of MFA Does Your Social Media Support?
At OneLogin, we were curious about how different social platforms vary in their types of MFA support. So we decided to survey the leading U.S. social media sites to better understand which platforms offer what. To keep things simple, we focused on the three most common aspects of authentication:
Text message-based authentication: Also known as SMS authentication, this is still one of the most common forms of second-factor authentication. While it is better than just a password, it’s regarded as a less secure option compared to other alternatives.
Mobile authenticator: By this, we mean mobile apps that provide a one-time authentication code. These free mobile apps use your smartphone as a security token to provide a simple login experience that is much more secure than text-based authentication.
Multiple devices: This is an important additional capability that lets users register two or more devices. In case of an emergency — such as when a phone is lost, damaged or stolen — a second device can be used to recover access to your account. For example, if you lost your personal phone, you could still use your work phone or even iPad to sign into your account.
The table below, which represents the current state of the implementation as of October 2018, summarizes our findings:
1) Some method of MFA has become standard for social platforms.
The table above demonstrates that while there are still mixed levels of support for different MFA factors, at least a basic level of multi-factor authentication is supported by almost all these services. This coincides with a greater trend of MFA adoption for both services and users.
2) Reddit has learned from their mistake.
After suffering a breach via insecure SMS-based authentication last month, Reddit stated, “…we learned that SMS-based authentication is not nearly as secure as we would hope.” They even went so far as to say that they “…encourage everyone here to move to token-based 2FA.”
It seems that Reddit is really putting their money where their mouth is, as they no longer support MFA via text messaging at all, and are one of the few platforms on this list to support multiple-authentication devices.
This is, to some extent, representative of the greater security community. In many cases, organizations need to “learn the hard way” before discovering an area of vulnerability and acting upon it. Unfortunately, not all social platforms on this list have learned from Reddit’s experience.
3) Facebook and Google have the broadest support for MFA.
Of the ten platforms on this list, only Facebook, Google/YouTube, and Reddit support multiple-authentication devices. As platforms that house a wealth of sensitive data, it’s expected that Facebook and Google would be investing in security controls and be leaders in the social MFA space. And having just undergone a serious data breach as a direct result of SMS-based authentication, it’s understandable that Reddit would move toward this authentication aspect as well.
What does surprise me, however, is that support for multiple-authentication devices is not more prevalent among other leading social platforms — especially heavy hitters like LinkedIn and Twitter. We hope to see more developments on that front in the near future.
4) Text-based MFA is still prevalent (unfortunately).
Other than Reddit, just about every other social platform on this list continues to support text-based authentication. It’s a little concerning — though not especially surprising — that this fairly vulnerable authentication factor is still so common. What is concerning, however, is just how few platforms support other forms of MFA.
It’s good to see that Instagram is working on support for mobile authenticators. But major players like Pinterest, Twitter and even LinkedIn are still behind, relying exclusively on text-based authentication. I think it’s safe to assume that more social platforms will continue to adopt different MFA options in the next couple of years — and the sooner they do, the better.
In short, it’s interesting to see how different social platforms are approaching the subject of MFA. Some are lagging behind with outdated tools, while others are adapting in response to new types of threats. We also should expect to see even more developments in the implementation of emerging best practices and standards, such as WebAuthN once it is officially approved and implemented by more players.
Even if text message-based authentication is all that your social platform supports, it is still much, much better than nothing.
About Ehud Amiri
Ehud Amiri is senior director for product management at OneLogin. Ehud is passionate about making the world safer by embracing new ways to trust people, devices and applications to ensure security becomes both effective and frictionless. Prior to joining OneLogin, Ehud served in various product management and engineering roles at CA Technologies, Netegrity, and Business Layers.