Facebook adds two-factor login and other security improvements
Facebook has announced a number of security improvements: users can now have access codes for new devices sent to them by SMS and technical changes have been implemented to combat the troublesome Facebook worms that have repeatedly spread throughout the social network. Facebook aims to limit the distribution of links to fraudulent spam and trojan web sites by working with the community-based Web of Trust.
For some time now, users have been able to change their settings so that Facebook remembers which devices they use to access the social network; the user then receives an email notification whenever a device that has not previously been linked to the account is used. Now, life has been made a bit harder for account thieves: users who have registered a mobile phone number and activated two-factor authentication are asked to provide a security code along with their password when they log in from a new device for the first time; Facebook sends this security code to the registered mobile phone number by SMS. Exactly how the mechanism works is not clear, but the protection most likely only covers attacks that go through the main user login. Side entrances such as the access tokens and OAuth credentials used by apps to reach Facebook accounts will probably not be affected.
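To make the described flow concrete, here is an added illustration (not Facebook's code, and not based on any published details of its implementation) of a login that remembers approved devices and demands a fresh, expiring, single-use SMS code only when an unknown device appears; the device identifier, the 5-minute validity and the in-memory "SMS gateway" are assumptions.

```python
import hmac
import secrets
import time
from hashlib import sha256

CODE_TTL = 300  # assumed lifetime of a one-time SMS code, in seconds


class Account:
    def __init__(self, password, phone):
        # Plain SHA-256 is only a stand-in here; a real system uses a slow password hash.
        self.pw_hash = sha256(password.encode()).digest()
        self.phone = phone
        self.known_devices = set()  # device ids that were once confirmed with a code
        self.pending = {}           # device_id -> (code, expiry) awaiting confirmation
        self.sent_sms = []          # constructed stand-in for the SMS gateway

    def _send_sms(self, code):
        self.sent_sms.append((self.phone, code))

    def login(self, password, device_id, code=None):
        """Return 'ok', 'code_required' or 'denied'."""
        if not hmac.compare_digest(sha256(password.encode()).digest(), self.pw_hash):
            return "denied"
        if device_id in self.known_devices:
            return "ok"                      # remembered device: password alone suffices
        if code is None:
            # Unknown device: issue a fresh 6-digit code and ask the user for it
            fresh = f"{secrets.randbelow(10**6):06d}"
            self.pending[device_id] = (fresh, time.time() + CODE_TTL)
            self._send_sms(fresh)
            return "code_required"
        expected, expiry = self.pending.get(device_id, (None, 0.0))
        if expected is None or time.time() > expiry or not hmac.compare_digest(code, expected):
            return "denied"
        del self.pending[device_id]          # code is single use
        self.known_devices.add(device_id)    # remember the device from now on
        return "ok"
```

A wrong code leaves the pending entry in place so the user can retry until it expires, while a successful confirmation discards it, so the same code cannot be replayed later.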
In addition, Facebook is having another go at getting the rampant like-jacking (aka click-jacking) under control. To fall prey, all a user has to do is click on the wrong button and messages will be sent to all "friends" without the user realising it has happened. The announcement does not say exactly how this protection works, but merely explains that Facebook will ask you whether you really want to continue what you are about to do if something "suspicious" is detected. This formulation is not new, and previous related attempts clearly did not eliminate the problem.