
The concept is that two factors would be required to log into Facebook: the password and something physical that displays a code. Here the physical item is the user's cellphone, to which Facebook sends the code by SMS. This improves the security of the login itself, since an attacker would need both the password and the right cellphone.

No doubt many social network experts and others will say how this will make us all safer on Facebook. Unfortunately it won't provide much security or safety beyond the account login.
Proper two-factor authentication uses a standard algorithm (HOTP or TOTP) together with a secret, sometimes known as a seed, that is shared only between the server and the user's token; the secondary code is derived from that secret, so nothing about the user is an input to it. Facebook's proposed system instead ties the second factor to a cellphone number, which is often publicly available, and delivers a server-generated code over the carrier's SMS network. The weakness is not that the code can be reverse engineered from harvested numbers (it is not computed from the number at all), but that the second factor is only as strong as the phone number and the SMS channel: anyone who can receive messages for that number receives the code.

Again, when changing the privacy options the Facebook team has several times in the past made personal information publicly viewable by default, so nothing posted on Facebook should be considered private, especially as it is being sold on to numerous third parties anyway. With the proposed two-factor authentication there is the added risk of cellphone numbers ending up in the hands of spammers, marketers, cold-callers, etc.
The steps below are an alternative that addresses risks beyond the login itself:

Use a strong password: make it long and extremely hard to guess, include symbols, change it regularly, etc. Numerous other sites explain how to do this.
Avoid Facebook applications: these demand access to the user's profile in order to work, and clicking Yes is asking for trouble unless the application can be trusted. Several malicious applications exist.
Use secure (SSL/TLS) connections: this encrypts the connection between the local machine and the Facebook servers, so it is very unlikely that anyone between those two points can read what is being sent or received, even on a shared network. Check the site's certificate if anything looks out of place, such as a browser warning about it.
Delete the browser history after each session: this is good practice anyway, especially on a shared computer. On a personal computer, configure the browser to delete the history every time it is closed, and install the AdBlock and Better Privacy browser extensions.
