'I’d like us to move away from the dependency on passwords,' says Facebook engineer

Gregg Stefancik is exploring the possible use of hardware tokens that log users into Facebook

Facebook US engineer Gregg Stefancik.

Facebook US engineer Gregg Stefancik.

In an ideal world, people would not need a password to log in to Facebook as they would use a hardware token instead, according to Facebook United States engineer Gregg Stefancik.

Speaking at a media briefing in Sydney today, Stefancik said the social media giant was encouraging all of its 1 billion users to adopt two-factor authentication (2FA). Many websites such as Twitter and Google offer their users 2FA to bolster the security of their account.

“If we were in a world where every user had a reliable 2FA, then we could maybe get to a point where we are not worrying about passwords any more and people have some sort of hardware token that logs them into Facebook,” he said.

“My vision for security in Facebook over the next few years is that I’d like us to move away from the dependency on passwords altogether.”

Stefancik was asked by Computerworld Australia for his thoughts on the eBay hack. The online marketplace disclosed in May that cyber criminals compromised a small number of employee log-in credentials in the United States between late February and early March 2014 to gain access to its database. eBay users around the world, including Australia, were asked to change their password.

“One of the things that the eBay incident speaks more to is about getting consumers to understand that having the same password across multiple sites is a really bad idea,” he said.

“Only in the last five months did I switch to using a password manager but in light of the industry compromises I have seen, I’m very happy that I have a password manager.”

Separation of data

Stefancik moved to reassure users that the social media giant does not store their data all in one place.

“Our database infrastructure and storage mechanism is very different. There is not some space a cyber criminal can go to select star and all the data plops out,” he said.

“We have an incident response team [in the US], which is on call 24/7, if the lights never go out on Facebook. We also have a presence in London [England] which helps us with global coverage as well,” he said.

Stefancik joked that some security incidents that wake him up at odd hours of the night would be considered “Asia Pacific friendly and not [US] Pacific Time friendly". But what really keeps him up at night is anything that could affect user data, he said.

“What keeps me awake is programmer error that might result in user data being exposed in a way that it wasn’t intended to be,” Stefancik said. “That’s what I focus my team’s efforts on – making sure those programmer errors don’t happen.”

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia

Tags password protectionFacebooktwo factor authentication2FAhardware tokensGregg Stefancik

Show Comments