A core part of the Workplace mission is to provide a secure community for everyone who uses Workplace. Maintaining the security of account information on Workplace is at the very heart of what we do.
Account Credentials at Risk
Workplace will show the admins of a community if an account is suspected of being a security risk. An account will be marked “At Risk” if the password has been used for a non-Facebook/Workplace service that has suffered a data breach.
If a Workplace account is at risk, an attacker may be able to access the Workplace community. Therefore, we recommend admins force the affected users to reset their passwords or disable their accounts.
How do I identify which user accounts are at risk?
If you have received a prompt that says a security risk has been detected, or the dashboard in your Security tab shows at risk accounts, this means that we suspect that the Workplace passwords of some of the user accounts in your community may be at risk. Given that there's a small risk that an attacker could use that information to access your Workplace community, we recommend that you disable these users or force them to reset their passwords.
To see which accounts may be at risk:
Accounts that are at risk will be highlighted in red and labeled Account at Risk in the People panel. To disable the user or force them to reset their password, click next to the account that's at risk and select Deactivate User or Force Password Reset.
Two-Factor Authentication (2FA)
Two-Factor Authentication, also known as 2FA, is an extra security check that requires a user to enter an additional identifier that only they have access to. Usually this is requested once the user has entered their username and password.
As a user who has 2FA activated in Workplace, you are asked for this additional identifier each time you try to log in to your Workplace account or app from a new device. Once you've entered this identifier, you have the option to save the device to your account so that you don't have to repeat the process each tiem you log in from the same device.
There are two setup options. Both require the Workplace authentication method to be set to password:
- Admins can set up 2FA for all or a selected group of users.
- Users can enable 2FA on their own accounts.
In both cases, the user selects which method of 2FA they want to use: QR code or SMS.
Turn on 2FA as an Admin
To turn on 2FA for all or selected users:
Your colleagues will see a notice in their feeds inviting them to set up 2FA. They can follow the instructions in Set up 2FA as a User.
If a user has not set up 2FA by the start date, they’ll see the following lock screen asking them to enable 2FA:
Turn on 2FA as an User
To turn on 2FA either in response to a request or for your own use:
- If you select Authentication App (eg Duo or Google Authenticator), a QR code (and an alphanumeric code) are displayed. Enter this into your authentication app.
- If you select Text Message (SMS), the Add Phone Number dialog box displays. Enter a phone number, and then confirm that you own the number by entering a confirmation code sent to you via SMS.
Check Login failures
We show admins an overview of the login failures we have registered for Workplace accounts in the last 7 days, to help them identify any suspicious patterns in their organization.
To see an overview of login failures: