Arturo Bejar, who used to lead the security team at Yahoo!, has revealed that Facebook has been struggling to prevent accounts from being hijacked.
We’re also starting to introduce Two Factor Authentication, a new feature to help prevent unauthorized access to your account. If you turn this new feature on, we’ll ask you to enter a code anytime you try to log into Facebook from a new device. This additional security helps confirm that it’s really you trying to log in.
First, it’s great to see Arturo writing publicly. Second, he leaves out details about the “code”. Will he advocate for the same “seal” system as Yahoo!, which was (I can explain, if you ask for details) begrudgingly modeled after financial services sites?
Here’s my suggestion. Facebook, unlike Yahoo! or the financial services sites, has a wealth of second-factor data to mine and manipulate for this system. The code could be represented as a six-by-six block of images from a user’s friends during login. It might look something like this image that I totally just invented from scratch and off the top of my head:
A user then has to correctly identify three people they know in the images by name in order to log in (the other six are random). If they don’t recognize their own friends, they are denied access. Aha! Oh, wait, that would mean Facebook users would have to know the people they are “connected” to or have legitimate information in their profile…meh, never mind.
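As an added example, which is not code from the original post nor anything Facebook published, here is a server-side sketch in Python of the recognition challenge proposed above, using the post's own numbers: nine tiles, three of them the user's friends and six random decoys, and the login passes only if the user names exactly the three friends. The sample accounts, photo identifiers, the case and accent folding of typed names, and the three-attempt lockout are all constructed assumptions for the demo. Two details matter for the scheme to be a real second factor: decoys are drawn only from accounts the user is not connected to, so that naming a decoy is always a failure, and every failed grid is discarded and counted, so the challenge cannot be answered by elimination across retries.

```python
"""Social-authentication challenge sketch (added example, not from the original post).

Grid of nine photos: three of the user's friends plus six random non-friends.
The user must name exactly the three friends. All people below are constructed
sample data; photo ids stand in for whatever the login page would render.
"""
import hmac
import secrets
import unicodedata
from dataclasses import dataclass

FRIENDS_SHOWN = 3   # friends hidden in the grid; all three must be named
DECOYS_SHOWN = 6    # random non-friends; naming any of them fails the login
MAX_ATTEMPTS = 3    # assumed lockout threshold for failed grids


@dataclass(frozen=True)
class Person:
    user_id: int
    name: str
    photo_id: str   # opaque identifier for the picture shown on the tile


@dataclass(frozen=True)
class Challenge:
    tiles: tuple             # shuffled Person objects; index = tile position
    friend_tiles: frozenset  # positions of the three genuine friends


# Constructed sample accounts used by the demo and the tests.
SAMPLE_FRIENDS = tuple(
    Person(i, name, f"friend-photo-{i}")
    for i, name in enumerate(["Ada Lovelace", "Grace Hopper", "Alan Turing",
                              "Claude Shannon", "Hedy Lamarr"], start=1)
)
SAMPLE_STRANGERS = tuple(
    Person(100 + i, f"Stranger {i}", f"stranger-photo-{i}") for i in range(20)
)


def _normalize(name: str) -> bytes:
    """Fold case, Unicode form and surrounding whitespace so 'ada LOVELACE ' matches."""
    folded = unicodedata.normalize("NFKC", name).strip().casefold()
    return " ".join(folded.split()).encode("utf-8")


def build_challenge(friends, strangers, rng=None) -> Challenge:
    """Pick three friends and six decoys and shuffle them into one grid.

    Decoys come only from accounts the user is NOT connected to, so every
    face the user recognises is a real friend. rng may be a seeded
    random.Random in tests; the default is the OS CSPRNG.
    """
    rng = rng or secrets.SystemRandom()
    if len(friends) < FRIENDS_SHOWN:
        raise ValueError("user has too few friends with a usable photo")
    if len(strangers) < DECOYS_SHOWN:
        raise ValueError("not enough decoy accounts")
    chosen = rng.sample(list(friends), FRIENDS_SHOWN)
    grid = chosen + rng.sample(list(strangers), DECOYS_SHOWN)
    rng.shuffle(grid)
    answer = frozenset(i for i, p in enumerate(grid) if p in chosen)
    return Challenge(tiles=tuple(grid), friend_tiles=answer)


def verify_response(challenge: Challenge, answers: dict) -> bool:
    """answers maps tile position -> name typed by the user.

    Passes only if the named tiles are exactly the friend tiles (naming a
    decoy or leaving a friend unnamed fails) and every typed name matches.
    """
    if set(answers) != challenge.friend_tiles:
        return False
    ok = True
    for pos, typed in answers.items():
        expected = _normalize(challenge.tiles[pos].name)
        # Check every tile rather than stopping at the first mismatch, and use
        # compare_digest so timing does not reveal which name was wrong.
        ok &= hmac.compare_digest(_normalize(typed), expected)
    return ok


class SocialLogin:
    """One login session: a fresh grid per attempt, lockout after MAX_ATTEMPTS."""

    def __init__(self, friends, strangers, rng=None):
        self.friends, self.strangers, self.rng = friends, strangers, rng
        self.failures = 0
        self.challenge = None

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_ATTEMPTS

    def next_challenge(self) -> Challenge:
        if self.locked:
            raise PermissionError("too many failed recognition attempts")
        self.challenge = build_challenge(self.friends, self.strangers, self.rng)
        return self.challenge

    def submit(self, answers: dict) -> bool:
        if self.challenge is not None and verify_response(self.challenge, answers):
            return True
        self.failures += 1
        self.challenge = None   # discard the grid; the next try gets a new one
        return False
```

The session object is the piece a deployment would actually need: if the same grid were re-served after a wrong answer, the check would degrade into a guessing game across retries, which is why `submit` throws the grid away and counts the failure.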
Also, I noticed that Yahoo! now lets users log in using a Facebook or Google ID. Facebook could also address this issue by requiring users to log in using their Yahoo! or Google ID, since those sites both already offer two-factor authentication. I’m kidding of course. Google would never allow a user ID to be federated with Facebook.