Two new security features, App Passwords and Trusted Friends are designed to help Facebook users regain control over their accounts even if they are compromised and protect themselves from malicious third-party apps
Facebook is testing out two new security features to help
users protect their accounts from being compromised by malicious third-party
apps or hackers.
In an Oct. 26 blog post, the social networking giant
unveiled the "trusted friends" feature to help users regain control
of their account and application passwords to prevent malicious third-party
apps from accessing account data. The features will be rolled out to users over
the "coming weeks," according to the Facebook security team.
Facebook has rolled out a number of security tools recently,
including Login Approvals, Login Notifications and One-Time Passwords. It's
also developed back-end systems to block spam from user accounts, malicious
links from being posted on the Wall and stop potential cross-site scripting
attacks, according to an infographic the team posted on the blog. Even with the
measures in place, over 600,000 accounts are compromised each day, according to
In the grand scheme of things, that's not a lot, as Facebook
has more than 1 billion logins per day, and 600,000 is less than 1 percent, or .06
The first new feature, trusted friends, is for account
logins. When a user is unable to log in to the account, for whatever reason, Facebook
sends the unlock code to designated "trusted friends" that can be
forwarded to the user to log back in. In Facebook's words, if the user is locked
out of the house, the user can now go to a friend who has the spare key. Users
can designate three to five friends as trusted. The "Forgot your
password?" process will continue to allow users who've lost their password
to reset and log back in.
Facebook said the new system would help users when the
account has been hijacked and they can't get into email.
Graham Cluley, senior technology consultant at Sophos, wrote
on the Naked
blog that users would have to keep an eye on "trusted"
friends to ensure they aren't prone to playing practical jokes. While the
system is set up so that each friend is sent only a single code, it was
possible they could still band together to access the account, Cluley said.
Users should also "be pretty confident" the friends take computer security
seriously, as well.
Even if the friends are trustworthy, it seemed like a
logical first step for an attacker to change the trusted friends setting as
soon as the account has been hacked.
"If a bad guy has taken over your Facebook and email
account, isn't it likely that he will also change who your trusted friends are
at the same time? Wouldn't that make the whole security measure kinda pointless?"
Cluley told eWEEK
The other feature, App Passwords, provides a higher level of
security for logging in to third-party applications. Many Web applications and
services, such as Spotify music service and Skype messaging service, allow people to log in using Facebook
credentials. With this option enabled, Facebook can generate unique passwords
that can be used as part of the login process, as opposed to using the normal
credentials. Since it's "certainly a good idea" not to use Facebook
credentials with anyone other than Facbook, this is a good privacy option for
the site to offer, Cluley said.
If the user ever decides to stop using the app, it's just a
matter of deleting the password from within Facebook. Once the password has
been deleted, the app can't access account data.
The security benefits may be limited, as "it's not hard
to predict that the only people who might use such a feature might be those who
are already very aware of privacy issues, rather than the great unwashed
majority on Facebook," Cluley said.