In association with heise online

13 May 2011, 16:19

Facebook adds two-factor login and other security improvements

Facebook has announced a number of security improvements: users can now have access codes for new devices sent to them by SMS, and technical changes have been implemented to combat the troublesome Facebook worms that have repeatedly spread throughout the social network. Facebook aims to limit the distribution of links to fraudulent spam and trojan web sites by working with the community-based Web of Trust.

For some time now, users have been able to change their settings so that Facebook remembers which devices they use to access the social network; the user would receive an email notification if a new device was used that had previously not been linked to that account. Now, life has been made a bit harder for account thieves: users who have registered a mobile phone number and activated two-factor authentication are asked to provide a security code along with their password when they log in from a new device for the first time; this security code is sent by Facebook to the registered mobile phone number by SMS. The exact function is not clear, but protection likely only extends to attacks made through the main user login point. Backdoors such as the access tokens and OAuth access credentials used by apps to access Facebook accounts will probably not be affected.

In addition, Facebook is having another go at getting the rampant like-jacking (aka click-jacking) under control. To fall prey, all a user has to do is click on the wrong button and messages will be sent to all "friends" without the user realising it has happened. The announcement does not say exactly how this protection works, but merely explains that Facebook will ask you whether you really want to continue what you are about to do if something "suspicious" is detected. This formulation is not new, and previous related attempts clearly did not eliminate the problem.

Facebook also plans to tackle cross-site scripting, which sometimes – but not always – comes in the form of JavaScript code within a URL. Facebook will now recognise such attacks and warn users. And finally, Facebook has announced it will be working with Web of Trust (WoT), a project in which the community rates the trustworthiness of web sites. A special browser plug-in, which is now available for all major browsers, not only allows users to easily assess trustworthiness, but can also show which dangers might be behind results in a Google search, for instance. At some point in the future, Web of Trust will apparently also filter links shared within Facebook.

