Facebook announces new security features in honor of Data Privacy Day 2011

Jan 28, 2011 12:06pm

By Michael Kaiser, NCSA Executive Director

This will be the first in occasional posts about the value of “baking in security” to our everyday Internet experience.

At NCSA we have always framed cybersecurity as a combination of tools and behavior. We advocate for users to do the most they can to take control of their online lives and stay safe online. We also like to point out when web service providers, and by this we mean a broad spectrum of websites, services, and places people interact online, lead the way by integrating new security methods and technologies to make their services and thereby the entire Internet safer. 

In honor of Data Privacy Day 2011, Facebook announced two new security features. One brings a common and well-known feature to Facebook, and the other should help evolve all our thinking about security.
The first is the availability of https across most of the Facebook platform.

What does that mean?

When you see https in a web address such as https://www.yourfavoritewebsite.xyz, it indicates you are using a secure connection with that website. When using https you may have noticed a small "lock" icon appear in your address bar, or that the address bar has turned green (depending on your browser). If you want to use this added security, you will need to go to your account settings page and click a box under account security. By the way, while you are there you will see a box that allows you to receive an email when a new computer is used to access your account. This is also a good security feature to consider. If someone tries to access your account from a new computer (and this could be you if you are logging on via a computer or mobile device you don’t normally use), Facebook will notify you. Facebook has a video on these features.

The second feature, and the one that really demonstrates the concept of baking it in, is “social authentication.” Authentication is the way you prove who you are. In most cases on most websites, that means providing a logon and password. In some cases, you may be asked to repeat the letters or phrase you see in a box, known as a captcha box, to continue what you are doing. And while this does add a level of security, this type of authentication is really designed to prevent machines from, say, registering millions of email addresses or sending millions of other kinds of requests. More secure authentication asks you to provide something known to you that’s unlikely to be known by anyone else, which proves you are who you say you are. The “social authentication” on Facebook will show you a few pictures of your friends and ask you to name the person in those photos. Now, if you have given your password and logon to anyone who knows you and your friends, this won’t make you any more secure. Since we are assuming you wouldn’t ever do that, you can see how this would make it difficult for a hacker to overcome this obstacle and access your account. It’s a way to protect yourself without learning anything new or technical. This feature is being rolled out as a test and it’s not clear when you will be asked to “socially authenticate.” Still, getting users comfortable with new authentication techniques meets our definition of “baking it in.”

For further information on https and to see what “social authentication” looks like, see the announcement post on Facebook.

These two efforts by Facebook to “bake it in” are exactly what we need others to embrace as well.
Look for more in this series in the future.