Comments on Online Account Security

I see that Facebook has been casting around, looking for some way to enhance security.

They certainly have challenges:

  • users with weak passwords
  • application bugs
  • advertising-supported, so they cannot afford much human-to-human account support
  • user account lists circulating among partners and malicious users

The physical world relies on either a guard who knows your face, or 2-factor authentication, which pairs:

  1. something you know (a passphrase) with
  2. something you have (a token) or something you are (biometrics).

Web-sites usually get considerably less …

Being an Internet company that doesn’t issue client X.509 certificates, on a good day Facebook can only get 1-factor authentication (a strong password), and on most days 0-factor authentication (their users are re-using weak passwords from other accounts).

I give them credit for adding login notifications and the “force logout” feature. Users can change their password and, in the same step, invalidate every other session, disconnecting other users and bots from their accounts.

The next step would be enforcing strong passwords and displaying a captcha on every logon (which slows down automated password guessing, but does nothing against a human who already has the right password).

Beyond that, online account security gets hard to tighten reliably.

I’m skeptical of their additional security attempts.

Device-recognition cookies can be deleted, and IP addresses are shared behind proxies and NAT or change over time, so neither reliably identifies a returning user. SMS verification seems like a burden for a social media account user.
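To make the three measures discussed above concrete, here is an added example in Python. It is my illustration, not code from this post or from Facebook: a toy account model with a strong-password policy, the “force logout” behaviour on password change, and a login notification keyed on a device cookie. The deny-list, length threshold, names, IP addresses and the scenario in demo() are all constructed assumptions. The cookie logic also shows the weakness just noted: a user who cleared cookies and an intruder on a fresh machine look identical to the server.

```python
"""Added example (not from the original post): strong-password policy,
force-logout on password change, and cookie-based login notifications.
All names, thresholds and sample data are assumptions for illustration."""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample deny-list; a real deployment would check a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "facebook1"}
MIN_LENGTH = 12  # assumed policy minimum


def password_is_strong(pw: str) -> bool:
    """At least MIN_LENGTH chars, not on the deny-list, and at least two
    character classes (a spaced passphrase counts: letters plus spaces)."""
    if len(pw) < MIN_LENGTH or pw.lower() in COMMON_PASSWORDS:
        return False
    classes = (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
               + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))
    return classes >= 2


def _kdf(pw: str, salt: bytes) -> bytes:
    # PBKDF2 keeps this stdlib-only; argon2id or bcrypt is the better production choice.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


@dataclass
class Session:
    device_cookie: str
    ip: str


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    sessions: dict = field(default_factory=dict)       # session token -> Session
    known_devices: set = field(default_factory=set)    # device cookies seen before
    notifications: list = field(default_factory=list)  # "new login" alerts sent to the user

    @classmethod
    def create(cls, username: str, password: str) -> "Account":
        if not password_is_strong(password):
            raise ValueError("password rejected by policy")
        salt = secrets.token_bytes(16)
        return cls(username, salt, _kdf(password, salt))

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_kdf(password, self.salt), self.pw_hash)

    def login(self, password: str, device_cookie: Optional[str], ip: str) -> Optional[tuple]:
        """Returns (session_token, device_cookie) or None on a bad password.
        A missing or unknown cookie triggers an alert: a cleared cookie and an
        attacker's new machine are indistinguishable (false positive), and a
        stolen cookie looks like a known device (false negative). The IP is
        recorded for the alert text only, never trusted as an identity signal."""
        if not self.check_password(password):
            return None
        if device_cookie is None or device_cookie not in self.known_devices:
            device_cookie = secrets.token_urlsafe(16)  # server issues a fresh device cookie
            self.known_devices.add(device_cookie)
            self.notifications.append(
                f"new login for {self.username} from unrecognised device, ip={ip}")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(device_cookie, ip)
        return token, device_cookie

    def change_password(self, token: str, old_pw: str, new_pw: str) -> bool:
        """'Force logout': re-hash with a fresh salt and revoke every session
        except the one performing the change."""
        if token not in self.sessions or not self.check_password(old_pw):
            return False
        if not password_is_strong(new_pw):
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _kdf(new_pw, self.salt)
        self.sessions = {token: self.sessions[token]}
        return True

    def is_logged_in(self, token: str) -> bool:
        return token in self.sessions


def demo() -> dict:
    """Constructed scenario: the owner logs in twice (second time from a new IP
    but with her cookie), an intruder who knows the password logs in from a
    fresh machine, then the owner changes the password from her first session."""
    pw = "correct horse battery staple"
    acct = Account.create("alice", pw)
    owner_token, cookie = acct.login(pw, None, "192.0.2.10")
    acct.login(pw, cookie, "192.0.2.11")            # known device, new IP: no alert
    intruder_token, _ = acct.login(pw, None, "198.51.100.7")
    changed = acct.change_password(owner_token, pw, "new passphrase with digits 42")
    return {
        "alerts": len(acct.notifications),                     # 2
        "intruder_still_in": acct.is_logged_in(intruder_token),  # False after force logout
        "owner_still_in": acct.is_logged_in(owner_token),        # True
        "old_password_works": acct.check_password(pw),           # False
        "changed": changed,                                      # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what the scenario does and does not show: the intruder who has the password gets in (no second factor exists), the owner is alerted only because the intruder lacked her cookie, and the force-logout cleanly revokes that session once she reacts. Had the intruder also stolen the cookie, no alert would fire, which is the limit of cookie-and-IP signals the post is skeptical about.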

However when you’ve got 500 million accounts, any means of improving security or analyzing security issues saves on support costs.


One Response to Comments on Online Account Security

  1. Thanks for your relevant and timely post with respect to enhancing security on Facebook. I have been working with a company that has pioneered some of the alternative solutions you are proposing. http://www.telesign.com

    Respectfully,

    TeleSign Matt
