Facebook added two factor authentications, anti-cross-site scripting detection, CAPTCHA prompts to stop clickjacking and safe Web link surfing to protect user accounts.
Facebook rolled out three new security measures to try to
prove that it cares about user privacy.
The social networking site now features two-factor
authentication to secure the login process, a secondary step to thwart
clickjacking scams and a new surfing tool to rate the safety of links, Clement
Genzmer, a Facebook security engineer, wrote on the Facebook
blog that appeared May 12. Clickjacking refers to tricking users
into clicking on links that post on the Wall to get more people to click and is
one of the most common sources of spam on Facebook.
"Facebook is committed to bringing you a safe experience on
the Internet," Genzmer wrote.
The latest announcement is a "welcome" sign, since the
features prevent, or actively discourage, users from doing certain things while
on Facebook, Paul Ducklin, head of security at Sophos, wrote on the Naked
"In the past, Facebook has seemed curiously reluctant to do
anything which might impede traffic. Let's hope that everyone at Facebook has
accepted that reduced traffic from safer users will almost certainly give the
company higher value in the long term," Ducklin wrote.
Login Approvals, the two-factor
, is an optional feature for all Facebook users,
Andrew Song, an engineering intern, wrote on the Facebook
blog. The company hinted at this feature back in April. Users
who turn on Login Approvals will receive a numeric code via text message on
their cell phones whenever they try to log in to the site from a new or
unrecognized device, according to Facebook's Genzmer. The user would have to
enter that code before gaining access to the account. The challenge will
request the code sent to the phone for every login attempt made from a device
the user hasn't designated as "safe."
"While someone may have known your login credentials, he or
she was unable to access your account or cause any harm," said Genzmer.
If the user loses the mobile device, the user will have to
log in from a saved device to reset the phone number and prevent account lockout,
according to Song.
Developers had to balance security and usability when
building Login Approvals, according to Song. Similar schemes on other Websites
require you to download authentication apps or purchase physical tokens to act
as the token-id generator.
While the approach works and Facebook is considering them
for future implementation, the site wanted to have the "biggest impact" and
decided to use SMS messages as the best option for the second factor in the
authentication process, Song said.