Facebook has introduced a new authentication feature designed to help users better protect their accounts from being hijacked by password-stealing miscreants. The opt-in feature — which requires users to share their mobile phone number — is a welcome security measure, but may be a tough sell to users already wary of providing too much information to the social networking giant.
Facebook intern Andrew Song explains how the new “Login Approvals” feature works, in a blog post:
“If we ever see a login from an unrecognized device, you’ll be notified upon your next login and asked to verify the attempted account access. If you don’t recognize this login, you’ll be able to change your password with the knowledge that while someone else may have known your login credentials, they were unable to access your account and cause any harm. Once you have entered this security code, you’ll have the option to save the device to your account so that you don’t see this challenge on future logins.”
“If you ever lose or forget your phone and have login approvals turned on, you will still have the option to authorize your login provided you are accessing your account from a saved device. Having these recognized machines associated with your account prevents lockout and ensures that you can regain access to your profile.”
Facebook users can enable Login Approvals by navigating to Account Settings and then Account Security. When I enabled this feature and provided the digits for a mobile phone I own, it quickly sent that phone a six-character alphanumeric code via text message, which I used to successfully authenticate on Facebook.com.
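The sequence Song describes (password accepted, unrecognized device gets a code over SMS, a correct code can mark the device as saved, and a saved device skips the challenge even if the phone is lost) is easier to reason about as code. The model below is an added example written for this page; it is not Facebook's implementation. The A-Z/0-9 alphabet, ten-minute code lifetime, three-attempt limit, HMAC-signed cookie format and the `forget_saved_devices` step (so that a password reset can also invalidate every saved device) are all assumptions of this example, not details from Song's post.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumptions for this toy model (not Facebook's real parameters): the post only
# says the SMS code is six alphanumeric characters, so we use A-Z and 0-9.
ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 6
CODE_TTL_SECONDS = 10 * 60   # assumed lifetime of an SMS code
MAX_ATTEMPTS = 3             # assumed: a few wrong guesses burn the code


def _now(now):
    return time.time() if now is None else now


class LoginApprovals:
    """Device recognition plus SMS challenge, modelled on the flow Song describes."""

    def __init__(self, server_key: bytes):
        self.server_key = server_key
        self.pending = {}      # user -> {"hash": ..., "expires": ..., "attempts": ...}
        self.generation = {}   # user -> int; bumping it invalidates every saved device

    # --- saved-device cookie -------------------------------------------------
    def _device_mac(self, user: str, device_id: str) -> str:
        msg = f"{user}:{self.generation.get(user, 0)}:{device_id}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).hexdigest()

    def issue_device_cookie(self, user: str) -> str:
        """A saved device is just a random id bound to the user by a server-side MAC."""
        device_id = secrets.token_hex(16)
        return f"{user}:{device_id}:{self._device_mac(user, device_id)}"

    def device_recognized(self, user: str, cookie) -> bool:
        if not cookie:
            return False
        parts = cookie.split(":")
        if len(parts) != 3 or parts[0] != user:
            return False
        # constant-time compare so a tampered cookie leaks nothing via timing
        return hmac.compare_digest(parts[2], self._device_mac(user, parts[1]))

    def forget_saved_devices(self, user: str) -> None:
        """Assumed hardening: after a password reset, every saved device must re-verify."""
        self.generation[user] = self.generation.get(user, 0) + 1

    # --- login flow ----------------------------------------------------------
    def begin_login(self, user, password_ok, cookie=None, now=None):
        """Return ('denied', None), ('ok', None) or ('challenge', sms_code)."""
        if not password_ok:
            return "denied", None
        if self.device_recognized(user, cookie):
            return "ok", None          # saved device: no phone needed (the lost-phone case)
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self.pending[user] = {
            "hash": hashlib.sha256(code.encode()).digest(),  # server keeps only the hash
            "expires": _now(now) + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return "challenge", code       # the plaintext code is what the SMS carries

    def complete_login(self, user, submitted, save_device=False, now=None):
        """Return ('ok', cookie_or_None) or ('denied', None)."""
        entry = self.pending.get(user)
        if entry is None or _now(now) > entry["expires"]:
            self.pending.pop(user, None)
            return "denied", None
        digest = hashlib.sha256(submitted.strip().upper().encode()).digest()
        if not hmac.compare_digest(digest, entry["hash"]):
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_ATTEMPTS:
                self.pending.pop(user, None)
            return "denied", None
        self.pending.pop(user)         # a code is single use
        return "ok", (self.issue_device_cookie(user) if save_device else None)


if __name__ == "__main__":
    la = LoginApprovals(secrets.token_bytes(32))
    state, code = la.begin_login("alice", password_ok=True)      # new device -> challenge
    state, cookie = la.complete_login("alice", code, save_device=True)
    print(state, la.begin_login("alice", password_ok=True, cookie=cookie))
```

In this model a saved device is nothing more than a signed cookie, so a browser that discards cookies at the end of every session will be challenged on every login; and because only the hash of the code is kept server-side, a database read does not yield usable codes.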
It’s not clear from Song’s blog post whether enabling this feature changes any privacy settings you may have established in your Facebook account. Facebook’s privacy policies have been constantly evolving as the social networking provider adds and tweaks features (I pinged Facebook’s press folks to find out and will update this section if they reply). Depending on how much data you’ve already shared, what apps you have installed on your Facebook account and your mobile phone, and what your privacy settings are, you might be surprised how much mobile data you already are sharing with your “friends,” and vice versa. Check out your Facebook Phonebook to find out which of your friends have already shared their mobile contact information.
It’s important for people to remember that Facebook — like most social networking applications and other “free” online services — is not really free: All of us pay for these services in micropayments of personal information over time. And to quote noted security curmudgeon Bruce Schneier: “Don’t make the mistake of thinking you’re Facebook’s customer, you’re not – you’re the product. Its customers are the advertisers.”
If you use Google Voice, your number won’t work with this process. Whether it’s due to the SMS support in GV or some evil ploy by Facebook to get your number is up to you to decide…
One of several places with complaints by GV users:
Facebook remembers your device by setting a cookie, I think. Since I clear my cache frequently, every time I visit fcbk, it “forgets” my device/machine. Now, that’s a brilliant way for a multi-billion dollar company to write the device/machine remembering code!
I have Better Privacy with Firefox where I can opt to have cookies erased when I end my browser session, or some # minutes after they are created. I can also exempt some service from having their cookies erased.
Did you know you needed Special Security to get rid of Super Cookies?
Maybe they should use one of those Evercookies. It would be the first time one of them benefited a user.
LOL! The “evercookies” made me laugh. Cookies that just won’t go away. Like my next-door-neighbor…
I don’t actually use Facebook – I have been thinking about it for ages but the privacy loss just doesn’t appeal even if some women I meet are incredulous that someone could “survive” without it.
So maybe I’m missing something here but isn’t this just a hurdle more than anything else to an attacker that can be easily outsourced? What I mean is if someone hijacks an account cannot they just outsource the verification using another phone number that they supply?
I mean I’ve seen virtual mobile numbers as low as 0.05 USD each and at that price it’s not really going to hold a determined attacker back.
Unless I’m missing something of course.
This security measure would be easy enough to spoof. More people know my cell phone than my email.
It really does sound more like a way to get your phone number than to secure your account.
Great! When this too blows up in Facebook’s face, they’ll be able to blame an intern!
That’s one of my favourite quotes from “noted security curmudgeon” Schneier.
“noted security curmudgeon” is my new favourite quote about Schneier.
Labelling Mr. Schneier a ‘curmudgeon’ is a level of disrespect I don’t expect from you, Mr. Krebs.
Anon, just a year or so of reading posts by Brian Krebs leads me to believe that he meant no disrespect to Mr. Schneier. In fact, after reading some of the comments on other sites (including the one Brian links to above), where people are just flat-out offering to give up their private information for a chance to interact online with other people through online social services, and claiming that security experts like Mr. Schneier (and Mr. Krebs) are “selling fear” for profit, I’m feeling rather curmudgeonly myself.
No disrespect meant at all. I value Bruce’s opinions on all things security-related, and meant that in the most affectionate way possible. What’s more, I don’t think he’d argue with the title. 🙂
Yeah well, selling fear for profit? Make your own determination:
TechRepublic Article: Why you should never trust Facebook
soooooooo on top of all the personal info FB collects about you, they’ll now have your mobile ph#? I’d rather risk having somebody hack my account that is void of all personal info, and if they want to mess with my LOLCats links they’re welcome to it.
I am on FB.
I do not yet have a mobile phone.
I gave them my number for “Login Approvals.” But not my real, everyday iPhone number…I added a “DumbPhone” to my family plan. For $10.99 extra a month – I have an additional line just for “social networking!” Imagine that!
As far as Bruce Schneier featured as a “curmudgeon” – huh, Bruce resembles that well! He is on my daily security read-a-thon (along with Brian); highly respected security experts 🙂
BTW, Brian can be quite the “curmudgeon” too. Imagine that!
I’ve never used fb or twitter, sometimes I may feel as if I am missing out on something, but not often.
The hardest thing I’ve found about not being on these ‘services’ is convincing others that I’m not, some, like my gf and my boss, seem to take it as an insult.
I heard a statistic that 600 million people are on FB … translation several billion are NOT.
There are people who (falsely) assume EVERYONE is on a particular service, so they react like a co-worker who gets a phone survey she is not interested in responding to.
Survey “What is your favorite TV show?”
Co-worker “We do not have a TV set in our house.”
When we look at national statistics, it is plausible that a handful of households do not have a TV set, but generally when we hear someone saying something like my co-worker, the natural assumption is they are telling a lie.
There are people on some networks, who assume EVERYONE is on those networks, EVERYONE has a mobile phone, EVERYONE has certain other things, which is not true. Then when someone says they are not, the second assumption is that the person must be lying.
lastpass + yubikey = you don’t want to guess my password; I don’t even know it.
I have been thinking about ordering the yubikey – that sounds like a great combination.
I guess it’s a matter of personal preference… this feature should give protection at least to those Facebook-savvy users.
Totally crazy. Even my former colleagues are either “clueless” or totally assimilated into Facebook. In general with social media what I see is communication has ground to a halt.
It’s all just cognitive dissonance. So trying to get through the noise to help people understand what is going on is next to impossible. They don’t want to listen.
That’s the biggest problem with “consumers using the internet these days”. They think since they have been surfing the web for a few years and have a Facebook thing going they know it all.
I tried to enter my cell phone (TracFone) on the Facebook prompt. Now when I try to open my Facebook page, I’m asked to enter my cell phone; however, I did receive a Facebook confirmation code. Right now I can’t access Facebook. Any suggestions on what I need to do?
FB doesn’t have enough personal info from people? Now they want your phone number?? Anyone who gives it to them isn’t very smart, security my A$$! F— Facebook!!