Facebook Pushes Social Authentication, HTTPS to Bolster Security

Facebook is adding new authentication and encryption features to improve security.

Facebook is rolling out two new features to add an extra layer of security for users.

Part one of that layer is a new challenge scheme, dubbed "Social Authentication," meant to stop an attacker who has obtained a password from taking over the account; part two is an option that lets users protect their entire Facebook session with HTTPS, rather than only the login step.

Both capabilities were reportedly used in the response to a government crackdown on dissidents in Tunisia, where authorities were believed to be deleting Facebook accounts. The civil unrest culminated in former Tunisian President Zine El Abidine Ben Ali fleeing the country Jan. 14.

With Social Authentication, a user whose account shows signs of compromise must identify Facebook "friends" in a series of photos before the login is allowed to complete.

"Traditional captchas have a number of limitations, including being (at times) incredibly hard to decipher and, since they are only meant to defend against attacks by computers, vulnerable to human hackers," blogged Alex Rice, a security engineer with Facebook. "Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication. We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are."

A spokesperson for the company said social authentication has been in the testing phase for months and will now be rolled out to users in the coming weeks. The feature is the latest of a number of changes Facebook has made in the past year to improve account security. For example, the social network added features like remote log-out and a one-time password for people using public machines.

"The vast majority of people who have used Facebook have never experienced a security problem," Rice added. "However, if we detect suspicious activity on your account, like if you logged in from California in the morning and then from Australia a few hours later, we may ask you to verify your identity so we can be sure your account hasn't been compromised."
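The two pieces described above, a risk signal on the login and a friend-photo challenge when it fires, fit together as follows. This is an added illustration for this article, not Facebook's code: the speed threshold, the sample logins (the California-morning, Australia-hours-later case from the quote, plus a benign California pair) and the friend and photo data are constructed assumptions.

```python
"""Risk-based login challenge: flag an "impossible travel" pair of logins,
then build a social-authentication challenge from photos in which the
user's friends are tagged. Added illustration for this article, not
Facebook's code; threshold, sample logins and friend data are assumptions."""
import math
import random
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # about airliner speed; tuning assumption


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def is_impossible_travel(prev, cur, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """prev/cur: {"time": datetime, "lat": float, "lon": float} for two
    consecutive logins. True when the implied travel speed is not achievable."""
    hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
    distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    if hours <= 0:
        return distance > 0  # same instant, different place
    return distance / hours > max_speed_kmh


def build_social_auth_challenge(tagged_photos, friend_names, rng, rounds=3, options=4):
    """tagged_photos: list of (photo_id, friend_name). Each round shows one
    photo and `options` names to pick from. Distractors are drawn from the
    user's own friends, so someone holding only the password cannot narrow
    the list without knowing the friend graph. Answers stay server-side."""
    if len(tagged_photos) < rounds or len(friend_names) < options:
        raise ValueError("not enough tagged friends to build a challenge")
    challenge = []
    for photo_id, answer in rng.sample(tagged_photos, rounds):
        others = [n for n in friend_names if n != answer]
        shown = rng.sample(others, options - 1) + [answer]
        rng.shuffle(shown)
        challenge.append({"photo": photo_id, "options": shown, "answer": answer})
    return challenge


def grade(challenge, answers, min_correct):
    """Pass if at least min_correct rounds were answered with the right name."""
    correct = sum(1 for rnd, a in zip(challenge, answers) if a == rnd["answer"])
    return correct >= min_correct


# Constructed sample logins (assumed coordinates and times).
SF = {"lat": 37.7749, "lon": -122.4194}
SYDNEY = {"lat": -33.8688, "lon": 151.2093}
LA = {"lat": 34.0522, "lon": -118.2437}
T0 = datetime(2011, 1, 26, 9, 0)
LOGIN_SF = dict(SF, time=T0)
LOGIN_SYDNEY = dict(SYDNEY, time=T0 + timedelta(hours=3))
LOGIN_LA = dict(LA, time=T0 + timedelta(hours=3))

# Constructed friend list and tagged photos (assumed data).
FRIENDS = ["Ana", "Ben", "Chen", "Dara", "Eli", "Fatima"]
TAGGED = [("p1", "Ana"), ("p2", "Chen"), ("p3", "Eli"), ("p4", "Dara")]


def login_decision(prev, cur, rng=None):
    """Return ("allow", None) or ("challenge", challenge) for the new login."""
    if not is_impossible_travel(prev, cur):
        return "allow", None
    rng = rng or random.Random()
    return "challenge", build_social_auth_challenge(TAGGED, FRIENDS, rng)


if __name__ == "__main__":
    verdict, ch = login_decision(LOGIN_SF, LOGIN_SYDNEY)
    print(verdict, [(r["photo"], r["options"]) for r in ch])
    print(login_decision(LOGIN_SF, LOGIN_LA)[0])
```

The geographic check is only one of the signals such a system would use, but it is the one the quote names; the challenge is deliberately built from the user's own social graph rather than from public data, which is the property that makes it different from a captcha.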

The ability to protect Facebook sessions with HTTPS, Rice blogged, is aimed primarily at users accessing the social network from public places such as schools, libraries and airports. Encrypted pages may take longer to load, thereby making Facebook run slower, he warned, and many third-party applications do not yet support HTTPS, so opening one can still send part of the session over plain HTTP.

The option can now be enabled under the Account Security section of the Account Settings page. The HTTPS feature will offer users protection against the Firefox extension Firesheep, which was released in October. The tool, released at the ToorCon 12 conference in San Diego, passively captures the session cookies that Facebook, Twitter and other Web 2.0 sites send in cleartext over shared networks such as open Wi-Fi and replays them, letting the attacker act as the victim without ever learning the password. With the whole session under HTTPS those cookies travel inside the encrypted channel, which closes that gap as long as the browser is never asked to send them over plain HTTP.
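The attack Firesheep automates, and the reason an all-HTTPS session defeats it, reduce to a few lines. This is an added illustration for this article, not Firesheep's or Facebook's code: the captured traffic is constructed, not a real capture, and the session cookie names are assumptions. It also goes one step beyond the text by showing the Secure cookie attribute, which is what keeps a browser from sending the session cookies over an http:// link in the first place.

```python
"""Firesheep-style passive session hijacking, reduced to its core, beside
the reason an all-HTTPS session defeats it. Added illustration, not
Firesheep's or Facebook's code; traffic and cookie names are constructed."""

# Constructed cleartext HTTP requests, as a sniffer on an open Wi-Fi
# network would see them (no TLS, so headers and cookies are readable).
CAPTURED_REQUESTS = [
    "GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n"
    "Cookie: datr=abc; c_user=1001; xs=sess_user1001\r\n\r\n",
    "GET /timeline HTTP/1.1\r\nHost: twitter.com\r\n"
    "Cookie: _twitter_sess=sess_tw_77\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
]

# Which cookie names make up a usable session on which host. Firesheep's
# per-site handlers encode exactly this knowledge. Assumed names.
SESSION_COOKIES = {
    "www.facebook.com": ("c_user", "xs"),
    "twitter.com": ("_twitter_sess",),
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    jar = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            jar[name] = val
    return jar


def harvest_sessions(requests):
    """Return {host: {cookie: value}} for every cleartext request carrying a
    complete session for a known host. Loading those cookies into the
    attacker's browser is the whole attack; no password is involved."""
    stolen = {}
    for raw in requests:
        _, headers = parse_request(raw)
        host = headers.get("host", "")
        if host not in SESSION_COOKIES or "cookie" not in headers:
            continue
        jar = parse_cookie_header(headers["cookie"])
        needed = SESSION_COOKIES[host]
        if all(name in jar for name in needed):
            stolen[host] = {name: jar[name] for name in needed}
    return stolen


def cookies_visible_to_sniffer(cookie_jar, scheme):
    """What a passive sniffer can read from one request.

    cookie_jar: {name: {"value": str, "secure": bool}} as the browser stores
    it. Over https nothing is readable. Over http the browser still sends
    every cookie that was not set with the Secure attribute, so opting into
    HTTPS only protects the user if the session cookies are also marked
    Secure; otherwise a single http:// page (say, an application that does
    not support HTTPS) puts them back on the wire in cleartext."""
    if scheme == "https":
        return {}
    return {name: c["value"] for name, c in cookie_jar.items() if not c["secure"]}


if __name__ == "__main__":
    print(harvest_sessions(CAPTURED_REQUESTS))
    jar = {"c_user": {"value": "1001", "secure": False},
           "xs": {"value": "sess_user1001", "secure": False}}
    print(cookies_visible_to_sniffer(jar, "http"))
    print(cookies_visible_to_sniffer(jar, "https"))
```

The harvesting half is deliberately simple: the attacker never touches the victim's password, which is why the one-time password and login challenges described earlier do nothing against this class of attack and transport encryption is the fix.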

"Facebook currently uses HTTPS whenever your password is sent to us, but today we're expanding its usage in order to help keep your data even more secure," Rice blogged.

"We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon," he added. "We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future."