Facebook's New Security Feature Puts Friends First
May 3, 2013 5:00 AM PT
Have you forgotten or lost your Facebook password? Relax. You can now turn to friends for help.
Facebook on Thursday rolled out Trusted Contacts account recovery, a feature it has tested with a limited number of people as the Trusted Friends capability since 2011.
Users can select three to five trusted contacts from their security settings at any time. These contacts should be available via phone or in person.
"This is another option for you in terms of a security setting if you're ever locked out," Andrea Ragni from the Outcast Agency, Facebook's public relations representatives, told TechNewsWorld.
This feature could be helpful when a user suffers a mass compromise, meaning he or she loses access to both email and other accounts as a direct result of malware infestation, said Bogdan "Bob" Botezatu, senior e-threat analyst at Bitdefender. "However, these cases are rare, and most users lose access only to specific accounts in targeted phishing schemes."
How Trusted Contacts Works
Once users go into their Facebook Security Settings and select three to five people as trusted contacts, Facebook notifies those people.
When users can't log into their Facebook accounts, they can turn to their trusted contacts for help. Each contact will get a security code with instructions on how to use it. Users need security codes from three trusted contacts to recover their Facebook accounts.
"When there's a problem, Facebook will generate a URL dynamically and the user's trusted contacts go into their own personal security settings and find the URL," Ragni said. The URL will give the contact a code and instructions on what to do with it.
Users whose accounts have been hacked have to report this to Facebook first, she added.
Will Trusted Contacts Work?
The Trusted Friends feature, which is the basis for the Trusted Contacts capability, was tested by only a small group of people, Ragni said.
Therein lies a potential problem. It's likely the initial group was only testing the feature for logic flaws, Bitdefender's Botezatu told TechNewsWorld. However, "the true power of a feature is only visible if it is able to prove effective in real-life scenarios."
On the other hand, the requirement that the user have three codes in order to recover an account "makes this relatively safe, especially if the three contacts don't know each other," he said. "It's not like giving the keys to the kingdom to a single person."
The Rule of Three
Another safety feature: Facebook lets users delegate up to five trusted contacts but requires only three keys, Botezatu said. That way, if one or two of the contacts' accounts have been hacked, the required three keys will still be available.
"Of course, if an attacker manages to seize control of the accounts of at least three people delegated as trusted contacts for another account, this will likely result in the last account being compromised," he noted. "However, I believe that the statistics weigh in favor of security rather than insecurity."
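The recovery flow described above (per-contact codes, three of up to five needed) and the tolerance Botezatu describes (one or two compromised contacts are not enough) can be modelled in a few dozen lines. The following Python is an added illustration written for this article; it is not Facebook's code, and the code format, 24-hour expiry, wrong-guess limit and the names alice/bob/carol/dave/erin/frank are constructed assumptions. It only stores a hash of each code, counts each contact once so a replayed code gains nothing, and shows that an attacker holding two of Alice's five contacts cannot reach the threshold while Alice, calling three friends, can.

```python
import hashlib
import hmac
import secrets
import time

THRESHOLD = 3                 # codes needed to recover (the article's "rule of three")
MIN_CONTACTS, MAX_CONTACTS = 3, 5
CODE_TTL = 24 * 60 * 60       # seconds a recovery attempt stays valid (assumed value)
MAX_BAD_GUESSES = 5           # wrong codes tolerated before the attempt is voided (assumed)


class RecoveryError(Exception):
    pass


class TrustedContactsRecovery:
    """Server-side model of a 3-of-N trusted-contact recovery flow (constructed example)."""

    def __init__(self, now=time.time):
        self._now = now
        self._contacts = {}   # account -> list of trusted contact accounts
        self._pending = {}    # account -> state of the currently open recovery attempt

    def enroll(self, account, contacts):
        contacts = list(dict.fromkeys(contacts))   # drop duplicates, keep order
        if account in contacts:
            raise RecoveryError("an account cannot be its own trusted contact")
        if not MIN_CONTACTS <= len(contacts) <= MAX_CONTACTS:
            raise RecoveryError("pick between 3 and 5 trusted contacts")
        self._contacts[account] = contacts

    def start_recovery(self, account):
        """Locked-out user reports the problem; one code is minted per contact.
        Starting again voids any earlier codes. Only a hash of each code is kept
        server-side; the plaintext is handed to the contact (returned here so the
        caller can route it)."""
        if account not in self._contacts:
            raise RecoveryError("no trusted contacts enrolled")
        codes = {c: f"{secrets.randbelow(10**8):08d}" for c in self._contacts[account]}
        self._pending[account] = {
            "hashes": {c: hashlib.sha256(code.encode()).hexdigest() for c, code in codes.items()},
            "expires": self._now() + CODE_TTL,
            "verified": set(),
            "bad_guesses": 0,
        }
        return codes

    def submit_code(self, account, contact, code):
        """Locked-out user enters a code obtained from one contact; True if it was valid."""
        state = self._pending.get(account)
        if state is None:
            raise RecoveryError("no recovery in progress")
        if self._now() > state["expires"]:
            del self._pending[account]
            raise RecoveryError("recovery codes expired; start over")
        expected = state["hashes"].get(contact)
        given = hashlib.sha256(code.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, given):
            state["bad_guesses"] += 1
            if state["bad_guesses"] >= MAX_BAD_GUESSES:
                del self._pending[account]
                raise RecoveryError("too many wrong codes; recovery voided")
            return False
        state["verified"].add(contact)   # a set: replaying one contact's code counts once
        return True

    def verified_count(self, account):
        state = self._pending.get(account)
        return len(state["verified"]) if state else 0

    def recovered(self, account):
        return self.verified_count(account) >= THRESHOLD


def simulate(compromised_contacts):
    """One recovery where an attacker controls `compromised_contacts` of Alice's
    five contacts and so can read only those contacts' codes.
    Returns (attacker_recovered, alice_recovered)."""
    clock = [1_000_000.0]
    svc = TrustedContactsRecovery(now=lambda: clock[0])
    friends = ["bob", "carol", "dave", "erin", "frank"]   # constructed names
    svc.enroll("alice", friends)

    # Attacker's attempt: reports Alice locked out, uses the codes of the contacts held.
    codes = svc.start_recovery("alice")
    for c in friends[:compromised_contacts]:
        svc.submit_code("alice", c, codes[c])
    attacker_ok = svc.recovered("alice")

    # Alice's own attempt: a fresh request voids the old codes; she calls three friends.
    codes = svc.start_recovery("alice")
    for c in friends[:THRESHOLD]:
        svc.submit_code("alice", c, codes[c])
    alice_ok = svc.recovered("alice")
    return attacker_ok, alice_ok


if __name__ == "__main__":
    for k in range(6):
        attacker, owner = simulate(k)
        print(f"attacker controls {k} contact(s): attacker={attacker}, owner={owner}")
```

Running the script prints one line per number of compromised contacts; the attacker column turns True only at three, which is exactly the boundary Botezatu describes. The per-attempt expiry and guess limit are the two checks a practitioner would expect around any code-based recovery, since the codes are short.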
A security measure suggested for public-facing sites such as Facebook and Twitter is two-factor authentication. This requires two items for identification -- something a person knows, such as a password, and something a person has, such as a token or, in the case of Google, a code that Google will send to the user's mobile phone.
However, two-factor authentication is "relatively hard" to achieve nowadays without specialized hardware, Botezatu said. Most two-factor authentication mechanisms rely on SMS messages or the generation of one-time passwords through a mobile application.
In the case of Facebook, "both the Facebook application and the second factor of authentication reside on the same device, which pretty much defeats the purpose."
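The "one-time passwords through a mobile application" mentioned above are, in the common case, time-based codes derived from a shared secret and the current 30-second window (HOTP per RFC 4226 and TOTP per RFC 6238). The Python below is an added example for this article, not Facebook's or any vendor's code; the secret `12345678901234567890` is the RFC's published test key, and the `TotpVerifier` class with its one-step clock-drift window and replay tracking is a constructed server-side check. It shows why the code is "something you have": without the secret on the device, the value for a given time window cannot be computed, and a code already accepted is refused a second time.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    windows since the Unix epoch, so phone and server agree without any message."""
    return hotp(key, int(for_time) // step, digits)


class TotpVerifier:
    """Constructed server-side check: accepts a code from the current window or
    one window either side (clock drift), and never accepts a window at or before
    the last one already used, which is what makes the password one-time."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, now=time.time):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self._now = now
        self._last_counter = -1

    def verify(self, code: str) -> bool:
        current = int(self._now()) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self._last_counter:
                continue   # already consumed (or older than one consumed): replay
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"   # RFC 4226 / RFC 6238 published test secret
    print("HOTP counter 0:", hotp(key, 0))            # RFC 4226 vector: 755224
    print("TOTP at t=59 (8 digits):", totp(key, 59, digits=8))   # RFC 6238 vector: 94287082
    v = TotpVerifier(key, now=lambda: 59)
    print("first use:", v.verify(totp(key, 59)))      # True
    print("replay:", v.verify(totp(key, 59)))         # False
```

The verifier is the piece most often done badly: skipping the replay check turns a one-time code into a reusable one for the length of the drift window, and comparing codes with `==` rather than `hmac.compare_digest` leaks timing information. Neither detail changes Botezatu's point that a generator living on the same device as the application it protects offers little separation between the two factors.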