Facebook users are now better protected from unauthorized password changes and suspicious logins thanks to a new set of security features. The first: if a user enters an old password that has since been changed, Facebook now tells the user when the password was changed and asks if the user remembers doing so. If they don’t remember, they are asked to verify their identity, and are prompted to reset their password or use the hacked account self-recovery tool.
The other change: if an account is logged into from somewhere far from its usual login location, the person accessing it is also put through the identity verification flow, which, rather than resetting the password, asks them to identify friends in photographs.
However, it’s not perfect. Some users have friends they can’t recognize by photo, or are prompted to identify people in photos that only include logos, pets, or other indistinguishable images — and they have been mistakenly locked out of their accounts by this identity verification method.
As Facebook has grown to more than 500 million monthly active users, it has faced more and more identity-focused attacks. One way users lose control of their Facebook accounts is by visiting phishing sites that look like Facebook’s login page but are really attacker-built pages designed to trick users into entering their login emails and passwords. Once they have access, the attackers change the password, stranding the account’s legitimate owner. Now, instead of confusing a user by telling them only that their password is incorrect, Facebook recognizes that they are entering an outdated password and tells them the date on which it was changed. This either reminds the user that they changed it themselves and can log in with the new password, or shows that it was changed without authorization and they need to recover the account.
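One way to implement the outdated-password check described above, as an added example that is not Facebook's code: keep each account's retired password hashes, each with the date it was set, and when a login fails against the current hash, test the entered password against the retired ones. The date reported is the set_at of the password that replaced the matching one. Storage layout, names and the sample account are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical implementation; nothing here is Facebook code. The iteration
# count is kept low so the demo runs quickly; production would use far more,
# or a memory-hard KDF such as scrypt or Argon2.
PBKDF2_ITERATIONS = 20_000
HISTORY_LIMIT = 5  # retired hashes kept per account (assumption)


@dataclass(frozen=True)
class HashedPassword:
    salt: bytes
    digest: bytes
    set_at: datetime  # when this password became the account's password


@dataclass
class Account:
    email: str
    current: HashedPassword
    retired: list = field(default_factory=list)  # oldest first


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hash_password(password: str, when: datetime) -> HashedPassword:
    salt = os.urandom(16)  # fresh salt per password, so old and new hashes never correlate
    return HashedPassword(salt, _derive(password, salt), when)


def change_password(account: Account, new_password: str, when: datetime) -> None:
    account.retired.append(account.current)
    del account.retired[:-HISTORY_LIMIT]  # keep only the most recent retired hashes
    account.current = hash_password(new_password, when)


def _matches(entry: HashedPassword, password: str) -> bool:
    # Constant-time compare; the KDF dominates timing anyway, but it costs nothing.
    return hmac.compare_digest(entry.digest, _derive(password, entry.salt))


def attempt_login(account: Account, password: str):
    """Return ("ok", None), ("outdated", changed_at) or ("wrong", None).

    For an outdated password, changed_at is when it stopped being valid: the
    set_at of the password that replaced it, which is the date the article
    says the user is shown.
    """
    if _matches(account.current, password):
        return ("ok", None)
    chain = account.retired + [account.current]
    for older, newer in zip(chain, chain[1:]):
        if _matches(older, password):
            return ("outdated", newer.set_at)
    return ("wrong", None)


def demo_account() -> Account:
    """Constructed sample account: password set in January, changed in June."""
    acct = Account("user@example.com",
                   hash_password("hunter2", datetime(2010, 1, 10, tzinfo=timezone.utc)))
    change_password(acct, "correct horse battery", datetime(2010, 6, 15, tzinfo=timezone.utc))
    return acct


if __name__ == "__main__":
    acct = demo_account()
    for pw in ("correct horse battery", "hunter2", "password123"):
        print(pw, "->", attempt_login(acct, pw))
```

Note what the check discloses: an "outdated" response confirms that the string typed was once the account's valid password and says when it stopped being one, so someone holding old leaked credentials learns both facts too. The flow the article describes accepts that trade-off and follows the message with identity verification rather than a direct reset. Cap the history, salt every entry separately, and never keep the retired passwords themselves, only their hashes.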
The other change is more visually interesting. Simon Axten of Facebook explained to us, when the last round of security features was added in May, that logins from distant locations within a short period trigger Facebook’s security system. If a user almost always logs in from California and the account is suddenly accessed from Singapore, the user might just be on vacation, or the account may have been compromised. The verification flow can be a nuisance to frequent travelers, but it helps protect users from having their accounts stolen from overseas.
If a login attempt triggers the location-driven security features, Facebook needs to verify that the user is the original owner of the account before allowing them access or the ability to create a new password. The answers to the typical security questions used by most websites might be found in a hacked user’s profile info or email records, so Facebook uses the user’s own social network to build a verification system that is hard to fool. Users are shown a profile picture of a friend and given six names of who the photo could be. Out of seven photos they can skip only two and must not answer any incorrectly, so an attacker who knows none of the friends has to guess at least five photos correctly in a row. While gender can be used to rule out some of the names, unless the hacker is within the user’s social circle it is unlikely they would be able to pass the test.
While this security feature is innovative, it can cause problems because profile pictures do not always show the face of the user they represent. Childhood photos, favorite sports teams, celebrities, landscapes, and pets are often used as profile pictures. If more than two of these indistinguishable photos appear in a user’s verification questions, or if the user wrongly guesses which friend uses a Boston Red Sox logo as their picture, they can be denied access to their own account. Some users also have many friends they can’t recognize by face, such as those they meet on forums or while playing social games. The feature could produce fewer erroneous suspensions and lockouts by only asking users to identify people they have been tagged in photos with, and by using face detection to ensure that test photos always include a human face.
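A model of the challenge described in the two paragraphs above, added here as an example (not Facebook's code): the policy numbers are the article's, the friend records are constructed, and the two boolean flags stand in for the face-detection and shared-tag filters proposed in the last paragraph. It also computes exactly how often a stranger passes by guessing, and generalizes slightly to a policy that tolerates some wrong answers.

```python
import random
from dataclasses import dataclass
from math import comb

# Added example modelling the photo-based verification described in the article.
# Policy numbers are from the article; friend records and flag names are constructed.


@dataclass(frozen=True)
class Policy:
    rounds: int = 7       # photos shown
    choices: int = 6      # names offered per photo
    max_skips: int = 2    # rounds the user may skip
    max_wrong: int = 0    # a single wrong answer fails the test


@dataclass(frozen=True)
class Friend:
    name: str
    photo_has_face: bool    # assumption: output of a face detector on the profile picture
    tagged_with_user: bool  # assumption: friend appears in a photo together with the account owner


FRIENDS = [  # constructed sample data
    Friend("Alice", True, True), Friend("Bob", True, True),
    Friend("Carol", False, True),   # Red Sox logo as profile picture
    Friend("Dan", True, False),     # never photographed with the user
    Friend("Erin", True, True),
    Friend("Frank", False, False),  # landscape photo, forum acquaintance
    Friend("Grace", True, True), Friend("Heidi", True, True),
    Friend("Ivan", True, True), Friend("Judy", True, True),
    Friend("Kim", True, False), Friend("Leo", True, True),
]


def eligible(friends):
    """Friends usable as challenge photos: a detectable face and a shared tagged photo."""
    return [f for f in friends if f.photo_has_face and f.tagged_with_user]


def build_challenge(friends, policy=Policy(), rng=random):
    """Return (rounds, key): rounds are (friend shown, name options), key the true names."""
    pool = eligible(friends)
    if len(pool) < policy.rounds:
        raise ValueError("not enough recognisable friends to build a challenge")
    all_names = [f.name for f in friends]
    rounds, key = [], []
    for f in rng.sample(pool, policy.rounds):
        decoys = rng.sample([n for n in all_names if n != f.name], policy.choices - 1)
        options = decoys + [f.name]
        rng.shuffle(options)
        rounds.append((f, options))
        key.append(f.name)
    return rounds, key


def grade(answers, key, policy=Policy()):
    """answers: the chosen name per round, or None to skip that round."""
    skips = sum(a is None for a in answers)
    wrong = sum(a is not None and a != k for a, k in zip(answers, key))
    return skips <= policy.max_skips and wrong <= policy.max_wrong


def guess_pass_probability(candidates_per_round, policy=Policy()):
    """Exact chance an attacker passes by skipping the maximum and guessing uniformly
    among `candidates_per_round` names in every remaining round (6 if nothing is
    known, fewer if gender or similar rules out some options)."""
    answered = policy.rounds - policy.max_skips
    p = 1.0 / candidates_per_round
    return sum(comb(answered, w) * p ** (answered - w) * (1 - p) ** w
               for w in range(policy.max_wrong + 1))


if __name__ == "__main__":
    rounds, key = build_challenge(FRIENDS, rng=random.Random(1))
    for f, options in rounds:
        print(f"{f.name:6s} among {options}")
    print("owner answers 5, skips 2:", grade(key[:5] + [None, None], key))
    print("blind guesser passes with p =", guess_pass_probability(6))
    print("gender narrows to 3 names, p =", guess_pass_probability(3))
```

With the article's numbers, an attacker who can eliminate nothing passes about once in 7,800 attempts (1/6 to the fifth power); one who can narrow every photo to three names still passes only about once in 243. The filter also shows the cost of the proposed fix: an account with fewer than seven eligible friends cannot be challenged this way at all and needs a fallback.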
Users can learn all about safety on Facebook at the new Safety Center page, which includes instructions for recovering accounts, and sections for general users, teens, parents, educators, and law enforcers.