'I’d like us to move away from the dependency on passwords,' says Facebook engineer

Gregg Stefancik is exploring the possible use of hardware tokens that log users into Facebook

Facebook US engineer Gregg Stefancik.

In an ideal world, people would not need a password to log in to Facebook as they would use a hardware token instead, according to Facebook United States engineer Gregg Stefancik.

Speaking at a media briefing in Sydney today, Stefancik said the social media giant was encouraging all of its 1 billion users to adopt two-factor authentication (2FA). Many websites such as Twitter and Google offer their users 2FA to bolster the security of their account.

“If we were in a world where every user had a reliable 2FA, then we could maybe get to a point where we are not worrying about passwords any more and people have some sort of hardware token that logs them into Facebook,” he said.

“My vision for security in Facebook over the next few years is that I’d like us to move away from the dependency on passwords altogether.”
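The article refers to two-factor authentication and one-time-code tokens without describing the mechanism. As an added illustration (not code from Facebook or from the article), the block below implements the HMAC-based and time-based one-time password scheme (RFC 4226 HOTP and RFC 6238 TOTP) that authenticator apps and OTP hardware tokens use, plus the server-side check a practitioner would actually want: a small clock-drift window, a constant-time comparison, and rejection of an already-used counter so a code cannot be replayed. The shared secret is the RFC 4226 reference test key, shown both raw and in the base32 form that QR-code enrolment uses; challenge-response tokens such as U2F keys work differently and are not shown here.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 reference secret (the ASCII string "12345678901234567890"),
# and the same key in the base32 form that enrolment QR codes carry.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(encoded: str) -> bytes:
    """Decode an enrolment secret (base32, case-insensitive, padding optional)."""
    s = encoded.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238: HOTP with the counter derived from the Unix time (default 30 s steps)."""
    return hotp(secret, (at - t0) // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6, last_counter=None):
    """Server-side check.

    Accepts codes for the current time step and `window` steps either side
    (clock drift), compares in constant time, and refuses any counter that is
    not strictly newer than `last_counter`, the counter of the last accepted
    code stored per user, so a sniffed or phished code cannot be replayed.
    Returns the matched counter (to be persisted as the new last_counter) or
    None on failure.
    """
    current = (at // step)
    for c in range(current - window, current + window + 1):
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    assert secret == RFC_SECRET
    print("code for right now:", totp(secret, int(time.time())))
    # A code from the previous step is accepted once, then rejected as a replay.
    first = verify_totp(secret, totp(secret, 30), at=59)
    second = verify_totp(secret, totp(secret, 30), at=59, last_counter=first)
    print("first use:", first, "replay:", second)
```

The per-user `last_counter` is the part most home-grown verifiers omit: without it, every code stays valid for the whole drift window, which is exactly the replay an attacker who phishes a code is counting on.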

Stefancik was asked by Computerworld Australia for his thoughts on the eBay hack. The online marketplace disclosed in May that cyber criminals compromised a small number of employee log-in credentials in the United States between late February and early March 2014 to gain access to its database. eBay users around the world, including Australia, were asked to change their password.

“One of the things that the eBay incident speaks more to is about getting consumers to understand that having the same password across multiple sites is a really bad idea,” he said.

“Only in the last five months did I switch to using a password manager but in light of the industry compromises I have seen, I’m very happy that I have a password manager.”

Separation of data

Stefancik moved to reassure users that the social media giant does not store their data all in one place.

“Our database infrastructure and storage mechanism is very different. There is not some space a cyber criminal can go to select star and all the data plops out,” he said.

“We have an incident response team [in the US], which is on call 24/7, if the lights never go out on Facebook. We also have a presence in London [England] which helps us with global coverage as well,” he said.

Stefancik joked that some security incidents that wake him up at odd hours of the night would be considered “Asia Pacific friendly and not [US] Pacific Time friendly". But what really keeps him up at night is anything that could affect user data, he said.

“What keeps me awake is programmer error that might result in user data being exposed in a way that it wasn’t intended to be,” Stefancik said. “That’s what I focus my team’s efforts on – making sure those programmer errors don’t happen.”

Follow Hamish Barwick on Twitter: @HamishBarwick