The social networking giant has introduced a new way of securing your identity online with a social authentication feature, but will it catch on?
More than half of us are on Facebook. It’s official. Your mum’s on it, your Grandad’s on it, even your dog’s got a profile up there.
Facebook last week announced that it had reached 30 million members in the UK alone – an impressively large number that shows no sign of slowing.
This is despite repeated criticisms about privacy and security settings on the site, and even more worryingly, the hijacking of founder Mark Zuckerberg’s account earlier this year.
At first the website issued no statement on how this was done, whether Zuckerberg was careless with his password, phished or sidejacked (which can happen when you access your account away from home using a shared network.) However, later it said the message had been caused by a bug.
Social authentication – a new kind of security?
Not unsurprisingly, the website has made efforts to step up security in the last six months – but even these latest measures have been given the thumbs down by online security experts, as well as Facebook’s users.
Social authentication, designed to kick in if your account has been accessed in one too many places in too short a time using geotagging software, will ask a user to look at a selection of photos of their friends and identify them. Having ticked the correct box out of a multiple selection of names, the user, if correct, will then be able to access their account. If incorrect, the user is frozen out of the account.
It is more effective than the widely-used CAPTCHA method, Facebook says, because that only protects against a computer hacking an account.
“Other verification methods used elsewhere on the web, for example, the scrambled ‘word in a box,’ or CAPTCHA, are designed only to ensure that a human is logging in, and not a computer. By asking questions that only the account owner would know, social authentication goes a step further by verifying that the human is the rightful owner of the account,” a spokesman told I4S.
So far, so good. So, will we start to see this type of ‘social’ security catch on in other areas of the internet?
“A cute and silly idea”
Bret Sigillo, director of professional services for online security software company Vigilant Corporation, doesn’t think so.
“If we introduced this sort of security to our clients they would kick us out. They would say ‘you’re nuts.’”
He says Facebook’s latest move is just a “cute and silly” idea. In fact, he tells I4S, it is just another way to get users to connect to the brand.
“It’s a cute and sexy way of allowing you to safeguard information, but it’s really about Facebook’s brand –connecting people back to what the brand is all about – social networking,” he says.
Actually, the claim isn’t denied by the social bods over at Facebook.
“At Facebook we strive to put people at the center of all of our products and to design every experience you have on the site to be social,” a spokesman said.
“This is obvious in products like photos, where pictures are organised around the people that appear in them. We also want to bring the benefits of social design to experiences where you wouldn’t traditionally expect them, like account security. Social authentication is our latest effort toward this goal.”
For privacy reasons, the photos have already been tagged and, presumably, the person in that photo is aware that they are tagged. The photos used will also be ones that you, as a user, will have been “allowed” to view by the person that has been tagged.
Two-factor security – something you know and something you have
But if Facebook really cared about its users, Sigillo says, it would implement two-factor security to the site. This would mean the user is asked for “something they know and something they have.” It is the safest way of protecting an account on the internet, from accessing bank details to trading on the web, he says.
For example, as well as set of passwords – a user might be given a physical token, or an ID-card.
However, the costs of implementing and supporting security measures like this globally for a free site like Facebook don’t even bear thinking about. Even now, Facebook users have to rely on emailing the support team with any concerns. There isn’t a dedicated call centre, like for example, you have with a bank, or if there is – it’s a very well-hidden number indeed.
Not to mention the fact that consumers and users like you and me need our social networking to be easy –that being the whole lure of social networking.
However, it doesn’t look like this social authentication idea is that simple to use either. Responding to Facebook’s press release about its latest move, user Jon Hanna raised a pertinent example of where a genuine user might have problems:
“ ‘Hello user. Here is a picture of a bottle of foreign liquor that got tagged as one of your friends. Tell use which friend to continue. No? How about this picture of a cute cuddly toy? No? Okay, here’s a book tagged only with the names of people who contributed to it. Oh, you know several people who contributed to it. Okay, here’s a picture of a kitten. Okay, you’re clearly not really you.’
(All the above examples based on real tagged pictures. Even if I wasn’t desperately bad at faces, I wouldn’t have a chance).”
And, to throw a further spanner into Facebook’s prolific works, user Perdita Stevens has a condition that means she is unable to recognise faces easily.
The user, who according to Facebook works at the University of Edinburgh, said:
“I’m prosopagnosic, i.e. can’t recognise faces well, and would fail this authentication test even if you used my closest friends or family members. Prosopagnosia is actually pretty common. Do consider us!”
Is your security ultimately down to you?
Of course, social authentication isn’t the only way Facebook is protecting its users. A spokesman tells me about a whole “host” of other advanced tools available to people to help them stay in control of their accounts and information, including login notifications, which allows you to save the devices you use to access Facebook and be immediately notified by both email and SMS whenever your account is accessed from a device you haven’t saved.
The site also offers a one-time passwords feature, which allows you to text Facebook for a one-time use password to be sent to your phone to better secure your account when accessing it from a public computer.
But while there are measures to be taken, it seems as if rather than a user’s security being looked after solely by Facebook, it is really down to the user to manage for themselves.
Yet how many of us can profess to have read all of Facebook’s latest posts about new security measures that you can implement on your account? And have you ticked the little box provide on the site that allows you to access the website through the more secure HTTPS route?
And it is not just Facebook or other social networking sites where users may be walking into a minefield of cyber trouble – this applies to any time you put personal information onto the internet. It seems the only way of ensuring you are protected is by taking matters into your own hands and thereby owning your internet experience.
Educating the internet user
One security company that has already taken this view is US firm, Webroot. The company, which designs and supplies cloud-based security software, says that first and foremost a user must be armed with the information they need to protect themselves online. Part of its work is to advise its clients on how best to create complex passwords.
A good password need not be a random selection of letters and numbers that are difficult to remember, David Bennett, who is the director of EMEA consumer business development, tells I4S. Rather, the password should resemble a word or a sentence that means something to a user, or is catchy. So, ‘the cat sat on the mat’, for example, could be reworked to look like:
This might prove to one (free) and workable answer to improving password security, he says. “Choose a combination of upper case, lower case and numbers that form the beginning letters of a short, memorable sentence to guarantee passwords keep you secure,” he warns.
This comes after research conducted by the company last year found that out of 2,500-plus people surveyed, two in 10 used a significant date, such as a birth date, or a pet’s name as a password – information that’s often publicly visible on social networks.
It found that younger internet users were the most likely group to be lax over its passwords. However, older users, aged 29 and up, were also found to have bad online habits, such as using the same password for more than one account or site.
The bigger picture
Whether the idea of leaving your personal security in the hands of a website is something that keeps you awake at night or not, it highlights the ever-present and growing concern about security online.
The UK Government has just pledged £65 million towards research in this field, and barely a week seems to go by without us hearing about someone’s Twitter or Facebook being hacked.
Ultimately, Sigillo says, online security needs regulating. It’s not a case of if, he says, but when: “We need regulators to step in to protect the public. They will do it. But slowly so they won’t interrupt commerce.”