Facebook is adding new authentication and encryption features to improve security.
Facebook is rolling out two
new features to add an extra layer of security for users.
Part one of that layer is a
new authentication scheme, dubbed "Social Authentication," which is meant to
keep attackers from hijacking accounts; part two rests with giving
users the ability to secure their entire Facebook session via HTTPS.
Both capabilities were
reportedly used in the response
to a government crackdown
on dissidents in Tunisia, where authorities were
believed to be deleting Facebook accounts. The civil unrest culminated in
former Tunisian President Zine El Abindine Ben Ali fleeing the country Jan. 14.
With Social Authentication,
users would be required to identify photos of their Facebook "friends" before
they can log in if their accounts are suspected to have been compromised.
"Traditional captchas have a
number of limitations, including being (at times) incredibly hard to decipher
and, since they are only meant to defend against attacks by computers,
vulnerable to human hackers," blogged Alex Rice
a security engineer with Facebook. "Instead of showing you a traditional
captcha on Facebook, one of the ways we may help verify your identity is
through social authentication. We will show you a few pictures of your friends
and ask you to name the person in those photos. Hackers halfway across the
world might know your password, but they don't know who your friends are."
A spokesperson for the
company said social authentication has been in the testing phase for months and
will now be rolled out to users in the coming weeks. The feature is the
latest of a
number of changes
Facebook has made in the past year to improve account
security. For example, the social network added features like remote log-out
and a one-time password for people using public machines.
"The vast majority of people
who have used Facebook have never experienced a security problem," Rice added.
"However, if we detect suspicious activity on your account, like if you logged in
from California in the morning and then from Australia a few hours later, we
may ask you to verify your identity so we can be sure your account hasn't been
The ability to protect
Facebook sessions with HTTPS, Rice blogged, is aimed primarily at users
accessing the social network from public places such as schools, libraries and
airports. Encrypted pages may take longer to load, thereby making Facebook run
slower, he warned, and many third-party applications are not yet supported in
The option can now be
enabled under the Account Security section of the Account Settings page. The
HTTPS feature will offer users protection against the Firefox extension Firesheep,
which was released in
October. The tool, released at the ToorCon 12
conference in San Diego, can be used to hijack unencrypted sessions
on Facebook, Twitter and other Web 2.0 sites.
uses HTTPS whenever your password is sent to us, but today we're expanding its
usage in order to help keep your data even more secure," Rice blogged.
"We are rolling this out
slowly over the next few weeks, but you will be able to turn this feature on in
your Account Settings
soon," he added. "We hope to offer HTTPS as a default whenever you are using
Facebook sometime in the future."