New Facebook security systems focused on preventing unauthorized logins are now active in the Account Settings -> Account Security panel.
Outlined in a post to the official Facebook Blog, these tools come amidst a storm of criticism over privacy and security flaps regarding exposed chats and user data scraped from instant personalization which we addressed in a comprehensive guide to Facebook’s latest changes last week.
The features are designed to “help people keep track of their Facebook logins and keep malicious actors out of their accounts,” according to the company. The first system allows users to register the devices from which they access Facebook, and receive notifications by email or text if their accounts are accessed from an unapproved device. From these alerts, users can reset their password and remove devices from their authorized list, which requires devices to re-register on their next login.
However, this feature only functions for logins to Facebook’s full site. Logging in from Facebook Mobile, Facebook Touch, or the official Facebook iPhone app does not require device registration, and no record of the log ins appear in the user’s Account Security panel. Facebook needs to record and notify users of log ins to all versions of the site for this system to truly provide a more secure experience.
To prevent unauthorized logins before they occur, Facebook will now ask additional security questions to authenticate a user’s identity if they are accessing the site from a device deemed “unusual”. We’ve contacted Facebook asking them to clarify exactly makes a device “unusual”, and we’ll update this story when we receive a response. Questions used to verify that the person accessing the account is the true owner include identifying the name of a friend in a photo, giving a birthdate, or even more personal questions as seen below.
Update: Simon Axten from Facebook’s Privacy and Public Policy team clarified for us how the new verification question tool is triggered. “We show the extra verification step when the login is coming from a device that isn’t typically used to access the account, or from a location that seems unusual based on recent or normal activity. For example, if someone logs in from Palo Alto, CA, and then several hours later, from a location halfway around the world, we’ll block access and ask for additional authentication.”