Facebook Combats Image of Insecurity with HTTPS and Social Authentication
Facebook officially launched two security features this morning. The new Secure Browsing (https) feature gives users the option of accessing Facebook over an encrypted, albeit slower, connection that prevents others on the same network from eavesdropping. Developers can now set up a secure canvas URL to allow HTTPS connections to their apps. Social Authentication protects users from suspicious login attempts to their accounts by forcing the person trying to gain access to identify that user’s friends in photos.
The features will help keep users in control of their personal information and should increase trust in Facebook, though early tests of Social Authentication have occasionally locked legitimate owners out of their accounts.
This year, Facebook has been accused of putting users at risk of spam and malware despite implementing many new security features including security questions, one-time use passwords, and remote log-out. It responded to a flurry of criticism about how already public User IDs were being shared with third-party applications by implementing the iFrame Post Proposal that encrypts the IDs. Today’s announcement should help Facebook combat the exaggerated perception of insecurity that the media has propagated.
Secure Browsing (https)
Over the next few weeks, Facebook will roll out Secure Browsing (https) as an opt-in setting users can enable from within Account->Account Settings->Account Security. When enabled, users will see a green bar or lock icon in their browser’s address bar, and all of a user’s communication with the site will be encrypted. Note that Facebook already encrypts logins, but Secure Browsing will keep data like Messages private as well.
The feature is designed to keep user information safe while they’re browsing over a public network. Facebook recommends “enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools.” It will also protect users from software and browser extensions like Firesheep that let others on the same Wi-Fi network capture another user’s session cookies and browse as that user.
Developers who wish to serve their canvas iFrame applications over a secure connection can specify a Secure Canvas URL in the Facebook Integration tab of the Developer app. If a user with Secure Browsing enabled visits an app without a Secure Canvas URL, they’ll be shown a warning that they’ll be switched from HTTPS to HTTP. Developers should therefore provide this URL so as not to scare away users concerned about security.
Social Authentication
If Facebook detects a suspicious login attempt, such as one coming from Australia when the user had logged in from the U.S. just hours ago, it will trigger Social Authentication. The person trying to gain access to the user’s account will be shown a set of pictures of one of that user’s friends. They’ll have to identify the friend by choosing between six names, try refreshing to see a different set of photos, or skip the question. Five correct answers are required to regain access to the account, though it’s unclear how many wrong answers or skipped questions are permitted.
Facebook has been testing this alternative to CAPTCHA since at least July with mixed results. As users aren’t always identifiable from their photos, some legitimate owners were locked out of their accounts because they couldn’t identify childhood or costumed Halloween photos of friends. Some users have many friends whom they hardly know, such as people they’ve friended through social games. A few found it impossible to identify these people and were prevented from accessing Facebook for months.
Some of these issues appear to have been addressed in this official version of Social Authentication. The photos appear to home in on the friend’s face, similar to Facebook’s facial recognition photo tagging feature, meaning users likely won’t be asked to identify photos that don’t show the friend’s face at all. Users can also refresh to a different set of photos if the initial set isn’t adequate. To solve the social gaming friends issue, Facebook will hopefully only require users to identify the close friends with whom they most frequently interact.
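As an added illustration (not Facebook’s code), here is a small Python model of the challenge flow described above: it builds questions only from friends who have face-visible photos and frequent interaction, treats five correct answers as a pass, and computes how likely someone who recognises nobody is to pass by guessing. The friend data, the interaction threshold, and the cap on wrong answers are constructed assumptions.

```python
import random
from math import comb

NAME_CHOICES, REQUIRED_CORRECT = 6, 5   # article: six names per question, five correct to pass
MIN_INTERACTIONS = 3                    # assumption: only frequently-contacted friends are shown

# Constructed sample data: name -> (interaction count, [(photo_id, face_visible)])
FRIENDS = {
    "Alice": (12, [("p1", True), ("p2", False)]),
    "Bob":   (0, [("p3", True)]),    # social-game friend the owner hardly knows
    "Carol": (7, [("p4", False)]),   # only costumed/childhood shots, no clear face
    "Dave":  (5, [("p5", True), ("p6", True)]),
    "Erin":  (9, [("p7", True)]),
    "Frank": (4, [("p8", True)]),
}

def eligible_friends(friends=FRIENDS, min_interactions=MIN_INTERACTIONS):
    """Friends usable in a question: contacted often enough and tagged in at
    least one photo showing their face (the two lockout causes in the article)."""
    return sorted(name for name, (n, photos) in friends.items()
                  if n >= min_interactions and any(face for _, face in photos))

def make_challenge(friends=FRIENDS, rng=random):
    """One question: face photos of one eligible friend plus six name options (needs >= 6 friends)."""
    pool = eligible_friends(friends)
    target = rng.choice(pool)          # IndexError when nobody is eligible
    options = rng.sample([n for n in friends if n != target], NAME_CHOICES - 1) + [target]
    rng.shuffle(options)
    photos = [pid for pid, face in friends[target][1] if face]
    return {"photos": photos, "options": options, "answer": target}

def run_session(answers, friends=FRIENDS, max_wrong=2, seed=0):
    """Walk one login through questions; `answers` maps the friend shown to the name
    picked (None = skip). Returns (granted, wrong_count); max_wrong and the 50-question cap are assumptions."""
    rng, correct, wrong = random.Random(seed), 0, 0
    for _ in range(50):
        q = make_challenge(friends, rng)
        picked = answers.get(q["answer"])
        if picked is None:
            continue                   # skipped question counts neither way
        correct += picked == q["answer"]
        wrong += picked != q["answer"]
        if correct >= REQUIRED_CORRECT or wrong > max_wrong:
            return correct >= REQUIRED_CORRECT, wrong
    return False, wrong

def pure_guess_probability(max_wrong=0):
    """Probability of passing by guessing alone: five 1/6 hits before exceeding max_wrong misses."""
    p = 1 / NAME_CHOICES
    return sum(comb(REQUIRED_CORRECT - 1 + k, k) * p ** REQUIRED_CORRECT * (1 - p) ** k for k in range(max_wrong + 1))
```

With no wrong answers tolerated, a pure guesser passes with probability (1/6)^5, about 1 in 7,776; each tolerated miss raises that figure, which is why the undisclosed limit on wrong answers matters.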
There are ways to thwart Social Authentication. If a user has set their friend list to be visible to the public, or they’ve given photos and friend list access to a third-party application that then sells this information to hackers, the data could be used to pass the test.
Improved Security with Fewer False Positives
Facebook explains that, “hackers halfway across the world might know your password, but they don’t know who your friends are.” If this latest set of efforts can both improve security without accidentally blocking legitimate logins and can dispel the perception that Facebook isn’t protecting users, it will be able to refocus attention on its innovations.