Success Stories

Facebook

The Challenge:

Social media giant Facebook manages personal data for 1.19 billion active users across their platform; making a clear case that the integrity of the personal data entrusted to them is integral to the overall success of the company.

Their mission: to protect a billion users without losing (much) sleep.

This means shielding their developers from targeted malicious attacks while they’re accessing Facebook’s internal networks and databases during development in order to avoid security risks to their source code and user data.

Facebook’s internal security culture is focused on reducing friction and making security easy for their fast-paced developers. This required their security solution to be versatile, efficient and streamlined with their workflow process, which involved logging into a development server to write code.

With tens of thousands of SSH sessions a day, they needed strong security that would support their engineer’s needs without adding more friction.

Strong security required, without any hassle.

And, while they already used passwords, public and private key pairs, etc., they were looking for a stronger form of authentication that they could easily extend to their other Facebook employees. That’s when they turned to two-factor authentication as a solution; combining something they knew (a password) with something they had (authentication via a device, like a phone).

Traditional two-factor methods like RSA’s time-based tokens, code generators, SMS-based OTPs (one-time passwords), and others were error-prone, had limited device support, and required a lot of support overhead; not ideal for Facebook’s engineers and their SSH sessions.

Facebook’s security team ultimately needed a two-factor authentication solution that was designed better than these other methods - they needed usability, flexible options, fast deployment and strong security with minimal support overhead.

The Solution:

Why did Facebook choose Duo Security? Facebook’s Information Security Manager, John “Four” Flynn said Duo Security gave them a lot of flexibility and a lot of powerful authentication options.

Duo’s two-factor authentication solution can be installed on phones as an app with Duo Mobile, and also supports a multitude of authentication methods, including push, SMS, mobile, voice and hardware tokens. Duo’s two-factor is also cloud-based, eliminating the need for hardware and software installation, making it both fast and easy to deploy while cutting down on support overhead for administrators.

Versatile two-factor authentication for custom security solutions.

The long list of integrations that Duo’s two-factor supports includes some of the most widely used platforms, applications and devices. The flexibility and versatility of Duo’s authentication service offers a great platform on which various other technology can be used to create a custom security solution. This prompted Facebook to enlist Yubico’s Yubikey Nano as an OTP token for USB ports.

Pairing Duo’s two-factor with Yubico allowed frequent login users to authenticate securely by merely pushing the side of their laptop, while also giving users the option of many different authentication methods if they traveled or lost their device.

Duo grew organically at Facebook, from protecting 300 to more than 10,000 users.

Initially deployed on Linux servers, Duo’s two-factor spread organically throughout the organization to VPN, Windows servers, Splunk, OWA and others. Duo’s lightweight, cloud-based integration model has allowed Facebook to experiment with deployments efficiently for their production, financial and remote corporate VPN access systems.

So where is Facebook today with Duo? Facebook is moving away from using time-based tokens provided by RSA SecurID in order to expand Duo’s two-factor to their entire organization with a full enterprise site license agreement, supporting more than 10,000 employees. With Duo Security’s two-factor authentication, Facebook was able to realize their goal of protecting their developers and data from hackers without adding any extra hassle to their user or administrative workflow.