Facebook's new security method: Can you beat it by Googling the names?
Updated 11:16 a.m. with Facebook's response, bottom.
Facebook has announced it is testing a new security measure: It will show potential hackers photos of your friends.
To explain: An often-used security and anti-spam technique called "captcha" requires the user to enter a string of words and numbers that a computer would have trouble identifying. (See image at right.) This is to prevent computers from automatically guessing a dictionary full of passwords in an attempt to access your account.
Facebook, which has for years been among the leading innovators in social media, wants to create a more personal authentication system where, instead of typing in words, you can prove who you are by identifying pictures of your friends.
If Facebook has reason to doubt that it's really you using your account -- like if it finds your account has been accessed from Los Angeles and then Buenos Aires a few minutes later -- you could be shown a series of photos of friends' faces and asked to match the face to a multiple-choice list of names, as in the example provided by Facebook below:
"Hackers halfway across the world might know your password, but they don't know who your friends are," Facebook says in the blog post announcing the method.
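The "Los Angeles, then Buenos Aires a few minutes later" trigger described above is a standard impossible-travel check. The following is an added illustration, not Facebook's code and not described in its announcement: it computes the speed an account holder would have needed to travel between two consecutive password logins (great-circle distance over elapsed time) and flags the pair for a step-up challenge when that speed exceeds an assumed ceiling of 1,000 km/h. The login events and coordinates are constructed sample data; the ceiling is an assumption a real deployment would tune.

```python
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling for plausible travel between two logins, roughly airliner speed.
# A real deployment would tune this and allow slack for geo-IP error.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class LoginEvent:
    """One successful password check: when, and (via geo-IP) from where."""
    when: datetime
    lat: float
    lon: float
    city: str  # label for readability only


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    """Speed the account holder would have needed to get from prev to cur.
    A zero or negative time gap with a nonzero distance counts as infinite speed."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return math.inf if km > 0 else 0.0
    return km / hours


def needs_step_up(prev: LoginEvent, cur: LoginEvent,
                  max_kmh: float = MAX_PLAUSIBLE_KMH) -> bool:
    """True when the pair is 'impossible travel' and cur should be challenged."""
    return implied_speed_kmh(prev, cur) > max_kmh


def flag_logins(events: list[LoginEvent],
                max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[int]:
    """Scan a chronologically ordered login history for one account and return the
    indices of logins that should get a second-factor challenge. Each login is
    compared only with the one immediately before it."""
    flagged = []
    for i in range(1, len(events)):
        if needs_step_up(events[i - 1], events[i], max_kmh):
            flagged.append(i)
    return flagged


# Constructed sample history (not real data). Coordinates are city centres.
SAMPLE_LOGINS = [
    LoginEvent(datetime(2011, 1, 26, 12, 0, tzinfo=timezone.utc),
               34.0522, -118.2437, "Los Angeles"),
    LoginEvent(datetime(2011, 1, 26, 12, 5, tzinfo=timezone.utc),
               -34.6037, -58.3816, "Buenos Aires"),   # ~9,850 km in 5 minutes
    LoginEvent(datetime(2011, 1, 27, 12, 5, tzinfo=timezone.utc),
               34.0522, -118.2437, "Los Angeles"),    # a day later: a plausible flight
    LoginEvent(datetime(2011, 1, 27, 12, 15, tzinfo=timezone.utc),
               34.1478, -118.1445, "Pasadena"),       # ~14 km in 10 minutes
]

if __name__ == "__main__":
    for i in flag_logins(SAMPLE_LOGINS):
        prev, cur = SAMPLE_LOGINS[i - 1], SAMPLE_LOGINS[i]
        print(f"challenge login {i} ({prev.city} -> {cur.city}): "
              f"{implied_speed_kmh(prev, cur):,.0f} km/h implied")
```

Only the second login is flagged: the return to Los Angeles a day later implies about 410 km/h, well within the ceiling, and the short hop to Pasadena is trivial. The check is deliberately cheap and deterministic so it can run on every login; what happens after the flag (SMS code, security question, or the photo quiz the article describes) is a separate policy decision.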
But wait, couldn't a hacker or intruder just Google all six names and hope that one of them would turn up a photo of the anonymous person in the security challenge? Not everyone has photos posted online these days, but almost everyone on Facebook does.
And for a company that has repeatedly said it is renewing its commitment to user privacy, isn't it a bit odd that Facebook is using personal information -- photos and names -- to quiz the very people whom you would least want to have that information? Do people want their photos shown to "hackers halfway across the world" -- with a multiple-choice list of names so short that it would be fairly easy to pair a name with the face, either by guessing or by Googling?
It seems hackers bent on guessing the right name could even make a few educated guesses based on the appearance of the person pictured, allowing them to, say, move a name such as "Ivan Lucuk" to the bottom of the guess list.
(From the image above, however, it seems you'd have to guess correctly for several photos, rather than just one.)
In its announcement, Facebook gave few details of how the system would work or whether additional safeguards would be built in. But the company did note that it "will continue to test social authentication and gather feedback from you and the security community on how to make this and other social features safe and useful."
Facebook Privacy and Public Policy manager Simon Axten has responded to some of these questions:
On the issue of using Web search to match a name to a photo: "Many photos on Facebook contain multiple people, which makes what you describe more difficult. I'd also argue that for many people, it's not as easy to find a photo through a simple web search as you suggest. Finally, most attackers log in to people's accounts to send spam and make money. Anything that adds significant friction to that process, which this clearly does, is usually effective at stopping the bad behavior. We've been testing this feature for several months now and have found it to be very successful at authenticating true account owners and keeping bad actors out."
On showing friends' photos to potential intruders: "We only show this small number of tagged photos to which the account owner has access after the person has provided correct login credentials for the account. Stated differently, the person has to already know your email address and password to see them. If we didn't do any kind of security check, the person would log in and have access to a much wider set of information – and information that's more sensitive in nature.
Also, we only do it some of the time, typically when we can't verify the person's identity through some other means, such as by asking for an answer to a security question (in the case that the person hasn't provided one), or by sending a code via SMS (in the case that the person hasn't registered a phone number with Facebook).
The test is meant to confirm that the person attempting to log in to the account is in fact the account owner. If the person fails, we don't allow the login, and that small number of photos is all he or she sees. We think this trade-off is worth it to protect the account without shutting out the real account owner completely, if the login is legitimate."
Axten argues that "for many," it's not easy to find a photo of someone by simply searching for their name. To all the casual and not-so-casual online stalkers out there, please let us know in the comments if that accords with your experience.
-- David Sarno [@dsarno]