Facebook Combats Image of Insecurity with HTTPS and Social Authentication

Facebook officially launched two security features this morning. The new Secure Browsing (https) feature gives users the option of accessing Facebook over an encrypted, albeit slower, connection that prevents others on the same network from eavesdropping. Developers can now set up a secure canvas URL to allow HTTPS connections to their apps. Social Authentication protects users from suspicious login attempts to their account by forcing the person trying to gain access to identify that user’s friends in photos.

The features will help keep users in control of their personal information and should increase trust in Facebook, though early tests of Social Authentication have occasionally locked legitimate owners out of their accounts.

This year, Facebook has been accused of putting users at risk of spam and malware despite implementing many new security features including security questions, one-time use passwords, and remote log-out. It responded to a flurry of criticism about how already public User IDs were being shared with third-party applications by implementing the iFrame Post Proposal that encrypts the IDs. Today’s announcement should help Facebook combat the exaggerated perception of insecurity that the media has propagated.

Secure Browsing (https)

Over the next few weeks, Facebook will roll out Secure Browsing (https) as an opt-in option users can enable from within Account->Account Settings->Account Security. When enabled, users will see a green bar or lock icon on their browser’s address bar, and all of a user’s communication with the site will be encrypted. Note that Facebook already encrypts logins, but Secure Browsing will keep data like Messages private.

The feature is designed to keep user information safe while they’re browsing over a public network. Facebook recommends “enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools.” It will also protect users from software and browser extensions like Firesheep that let others on the same Wi-Fi network spy on or identify another user’s cookies.

Developers who wish to serve their canvas iFrame applications over a secure connection can specify a Secure Canvas URL in the Facebook Integration tab of the Developer app. If a user with Secure Browsing enabled visits an app without a Secure Canvas URL, they’ll be shown a warning that they’ll be switched from HTTPS to HTTP. Developers should therefore provide this URL so as not to scare away users concerned about security.

Social Authentication

If Facebook detects a suspicious login attempt, such as one coming from Australia when the user had logged in from the U.S. just hours ago, it will trigger Social Authentication. The person trying to gain access to the user’s account will be shown a set of pictures of one of that user’s friends. They’ll have to identify the friend by choosing between six names, try refreshing to see a different set of photos, or skip the question. Five correct answers are required to regain access to the account, though it’s unclear how many wrong answers or skipped questions are permitted.
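The trigger described above (a login from Australia hours after one from the U.S.) is commonly implemented as an "impossible travel" check. The sketch below is an added example, not Facebook's code: the speed threshold, the jitter distance, the coordinates and the login events are all assumptions constructed for illustration.

```python
import math
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly commercial airliner speed
MIN_DISTANCE_KM = 50.0      # assumption: ignore small geo-IP jitter

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def suspicious_logins(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return logins whose implied speed from the user's last trusted login
    exceeds max_kmh; these would be sent to a secondary challenge."""
    last_trusted = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last_trusted.get(ev["user"])
        if prev is not None:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["geo"], ev["geo"])
            if km > MIN_DISTANCE_KM and (hours == 0 or km / hours > max_kmh):
                flagged.append(ev)
                # Keep the old baseline: an unverified login must not
                # become the reference point for later comparisons.
                continue
        last_trusted[ev["user"]] = ev
    return flagged

def _t(hour):
    return datetime(2024, 1, 1, hour, 0, tzinfo=timezone.utc)

# Constructed sample data: geo is (lat, lon) as a geo-IP lookup might return.
SAMPLE_EVENTS = [
    {"id": 1, "user": "alice", "ts": _t(8),  "geo": (37.77, -122.42)},  # San Francisco
    {"id": 2, "user": "alice", "ts": _t(11), "geo": (-33.87, 151.21)},  # Sydney, 3h later
    {"id": 3, "user": "alice", "ts": _t(12), "geo": (37.77, -122.42)},  # San Francisco again
    {"id": 4, "user": "bob",   "ts": _t(9),  "geo": (40.71, -74.01)},   # New York
    {"id": 5, "user": "bob",   "ts": _t(19), "geo": (51.51, -0.13)},    # London, 10h later
]

if __name__ == "__main__":
    for ev in suspicious_logins(SAMPLE_EVENTS):
        print("challenge login", ev["id"], "for", ev["user"])
```

Only the Sydney login is flagged: bob's New York to London trip over ten hours is within airliner speed, and alice's later San Francisco login is compared against her last trusted location rather than the unverified one.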

Facebook has been testing this alternative to CAPTCHA since at least July with mixed results. As users aren’t always identifiable from their photos, some legitimate owners were locked out of their accounts because they couldn’t identify childhood or costumed Halloween photos of friends. Some users have many friends who they hardly know, such as people they’ve friended through social games. A few found it impossible to identify these people, and were prevented from accessing Facebook for months.

Some of these issues appear to have been addressed in this official version of Social Authentication. The photos appear to home in on the friend’s face, similar to Facebook’s facial recognition photo tagging feature, meaning users likely won’t be asked to identify photos that don’t show the friend’s face at all. Users can also refresh to a different set of photos if the initial set isn’t adequate. To solve the social gaming friends issue, hopefully Facebook will only require users to identify the close friends who they most frequently interact with.

There are ways to thwart Social Authentication. If a user has set their friend list to be visible to the public, or they’ve given photos and friend list access to a third-party application that then sells this information to hackers, the data could be used to pass the test.

Improved Security with Fewer False Positives

Facebook explains that “hackers halfway across the world might know your password, but they don’t know who your friends are.” If this latest set of efforts can both improve security without accidentally blocking legitimate logins and dispel the perception that Facebook isn’t protecting users, it will be able to refocus attention on its innovations.


3 Responses to “Facebook Combats Image of Insecurity with HTTPS and Social Authentication”

  1. Holly LaRocco says:

    As a Symantec employee and therefore, proponent of SSL encryption, I hope that Facebook users take this seriously and make the change on their account settings. This is a huge undertaking by Facebook and an important step toward safer web browsing.

  2. Check Your Facebook Account Security Settings for New Features says:

    [...] about all of the features, business models, and activity in the Facebook universe, subscribe to InsideFacebook.com to stay informed. Let us know in the comments, have you changed your Facebook [...]

  3. How to set up your web server for Facebook Secure Browsing on Windows | Thought Labs Blog says:

    [...] late January Facebook finally added support for HTTPS, allowing users to browse the site securely. HTTPS provides a combination of the HTTP and SSL [...]
