Facebook serves almost 2 billion users, more than a billion of them on a daily basis. Those users are spread out all over the world, and each of them has an account. Most of those accounts are protected only by a password, which means that a malicious person who knows your email address needs just one more piece of information to steal your account. Facebook has the difficult job of figuring out how to prevent that without inconveniencing or confusing all those users, whose cultural norms and computer literacy vary widely.
One of Facebook's security features is two-factor authentication, which you may have heard of. 2FA (the common abbreviation) can protect your account even in the event that someone obtains your password. 2FA is usually implemented via SMS messaging or a secure app like Google Authenticator, although the gold standard is a physical second factor. The details change from service to service, but the general 2FA process works like this: 1) You enter your username and password. 2) The website or app takes you to another screen, where you're asked to enter a one-time code generated by your second factor. Voilà, you're in!
But remember Facebook's billions of diverse users? Not all of them are conscientious enough to read the fine print. It turns out that you can enable 2FA without really knowing what you're doing, and end up locked out of your account. Facebook wants to prevent that almost as much as it wants to keep hackers from swarming the platform.
So the company offers users who enable 2FA a week-long grace period to decide whether they really, truly want it. It's optional, but selected by default. Before the grace period is up, users can choose to log in like normal. Doing so will turn off 2FA.
Not everybody thinks that's a great idea.
To a certain extent, this defeats the purpose of setting up 2FA in the first place. An attacker can still get into your account just by using your password if they manage to strike within the grace period.
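To make the two preceding ideas concrete, here is an added example (not Facebook's code, and not the article's own) that models the login flow from the 2FA description above together with the grace period just discussed. The one-time code is standard RFC 6238 TOTP, which is what authenticator apps compute; the `Account`, `enable_2fa` and `login` names, the status strings, and the rule that only a password-only login inside the grace period switches 2FA off are assumptions made for the example, based solely on the article's description.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

# Week-long grace period, as the article describes Facebook's default.
GRACE_PERIOD_SECONDS = 7 * 24 * 3600


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the one-time code an authenticator app shows."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp_matches(secret: bytes, code: str, now: int, skew_steps: int = 1) -> bool:
    """Accept the current code or one 30-second step either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + d * 30), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2; a real service would tune the cost and use a dedicated password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes] = None      # None: 2FA not enabled
    grace_period_ends: Optional[int] = None  # None: no grace period in effect

    @classmethod
    def create(cls, password: str) -> "Account":
        salt = os.urandom(16)
        return cls(salt=salt, password_hash=hash_password(password, salt))


def enable_2fa(acct: Account, secret: bytes, now: int, grace_period: bool = True) -> None:
    """Enable 2FA. grace_period=True mirrors the default-on behaviour the article describes;
    grace_period=False is the setting a security-conscious user would pick."""
    acct.totp_secret = secret
    acct.grace_period_ends = now + GRACE_PERIOD_SECONDS if grace_period else None


def login(acct: Account, password: str, code: Optional[str], now: int) -> str:
    """Return 'denied', 'ok', or 'ok_2fa_disabled'.

    'ok_2fa_disabled' is the grace-period case: a password-only login succeeds
    and turns 2FA off, so during that week the password alone still opens the account.
    """
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return "denied"
    if acct.totp_secret is None:
        return "ok"                                  # password-only account
    if code is not None:                             # a second factor was supplied
        return "ok" if totp_matches(acct.totp_secret, code, now) else "denied"
    # Password-only attempt on a 2FA account: allowed only inside the grace period,
    # and the article says such a login switches 2FA off (assumed here to be immediate).
    if acct.grace_period_ends is not None and now < acct.grace_period_ends:
        acct.totp_secret = None
        acct.grace_period_ends = None
        return "ok_2fa_disabled"
    return "denied"
```

Running `login(acct, password, None, now)` on a freshly enabled account returns `ok_2fa_disabled` for up to a week and `denied` afterwards, which is exactly the window the article objects to; enabling with `grace_period=False` removes that window from the start.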
Some experts in the cybersecurity community find Facebook's design choice frustrating. Nadim Kobeissi, who created the encrypted messaging app Cryptocat, called it "the kind of irresponsible, brain-dead security policy that harms people." He added, "Unbelievable. I spent an entire day trying to get to the bottom of why a social activist's Facebook *remained* insecure even after 2FA." It turned out that the grace period was the culprit.
Facebook security engineer Brad Hill chimed in to say that the feature is "there to protect people who don't read the instructions when doing consequential things," pointing out that users are given a choice about whether they want the grace period:
It's there to protect people who don't read the instructions when doing consequential things. pic.twitter.com/WHxoXSa4As (hillbrad (@hillbrad), May 25, 2017)
Kobeissi shot back, "This may surprise you, but when dealing with some MENA-region folks, the implications of that fine print are not part of their model." To which Hill responded, "I'm actually not at all surprised that there are different mental models for how 2FA works in a population of almost 2 billion people. I literally spend hours every day thinking about that. And I look at data." (Kobeissi further elaborated his thinking here.)
Facebook chief security officer Alex Stamos elaborated in a tweetstorm: "As with seat belts, the #1 failure mode is 2FA not being used. I doubt any large provider has better than single-digit penetration. So do we blame the people who don't choose to use functionality aimed at security purists, or do we design a system that works for all? As with [end-to-end encryption], 2FA is a trickle down technology, demanded and implemented by experts who love to argue over corner cases and failure modes."
He went on to note, "Remember that the adversary also gets a vote. Allowing accounts to be perma-locked instantly will be abused as well in account takeovers." In other words, hackers who seize control of an account will enable 2FA in order to block legitimate users from recovering their accounts. (Of course, it would be strange for a hacker to opt for the grace period.)
People who rely on password managers to generate and store long, unique passwords are effectively limiting their risk. People who reuse the same credentials across many services, on the other hand, are much easier to target, because account and password databases are often breached and released on the darknets.
Facebook realizes this, so the company tries to help users protect themselves. Obviously it wants to minimize the number of accounts that get hacked.
It's much harder for a malicious person to hijack an account protected by 2FA (although clever social engineering, which typically involves contacting company support reps and tricking them, can sometimes do the trick, and SMS isn't perfectly secure). Most hackers want to "pwn" (hacker-speak for own) a lot of accounts quickly and aren't willing to devote extra time and effort to a single user.
In other words, keeping Facebook accounts secure is as much a matter of understanding human behavior as it is a matter of building technological tools. As engineer Brad Hill said, when you're dealing with billions of users, you have to accommodate many different levels of experience and different conceptions of how security should work. Any "one size fits all" option is bound to disappoint some people.