It seems the month of October is the month for giving users more online security options. Similar to my previous post on Google enhancing authentication to Google Apps, Facebook has now made more authentication-related security options available to end users. Both Google and Facebook should be commended for investing in making their sites more secure. Yet each has addressed a different online authentication challenge, and both have left it up to the end user to use or ignore their security enhancements.
In a blog post this month, Facebook informed users of two new security features they can use to manage the security of their accounts. Unlike the Google changes I covered, Facebook is addressing two different security challenges:
- Ability to terminate previously logged in but not logged out sessions
- One time logon password for use on “untrusted” computers
Ability to terminate previously logged in but not logged out sessions
For end user convenience, Facebook allows users to stay logged in to Facebook even after closing the web browser and rebooting the PC. Facebook uses basic web browser functionality to store a disk-based “cookie” (named “isfbe” to be exact) that the browser sends back the next time it accesses Facebook. On return, the disk-based cookie is presented to Facebook and Facebook automatically logs in the user. The convenience is great, but consider the problem it creates: what if you borrow a PC, log on to Facebook and then forget to log out when you are done? The next person who borrows that same PC and accesses Facebook is automatically logged in to Facebook as you.
To help with this security challenge, Facebook has added screens to view your logon history (“Account History”) and, next to each logon session that was not explicitly logged out, an “end activity” link to terminate that open session.
Once a session has had its activity ended, the borrowed PC problem above is solved. The next user who borrows the PC and accesses Facebook is not automatically logged in as you, but rather, is prompted to login. Facebook, upon retrieving the “isfbe” cookie, now matches that cookie’s session with the user’s “Account Activity” before automatically logging the user in. If a user indicated that session should be ended, Facebook ignores the “isfbe” indicated session and provides the browser with the login screen forcing the start of a new session.
Prior to this enhancement, remaining logged in on a borrowed PC could only be corrected by regaining physical access to that PC to log out, or by waiting weeks for Facebook to finally force that session to re-authenticate. Neither option is particularly good. This “remote logout” capability lets the user fix the problem from anywhere.
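The mechanism described above, as an added illustration that is not Facebook's code: the persistent cookie is only a handle to a server-side session record, and the server consults that record (including whether the owner has ended it) before auto-logging anyone in. The in-memory store, the function names and the `label` field are assumptions for the example; only the cookie name “isfbe” comes from the post.

```python
import secrets
import time

# Constructed in-memory session store standing in for the server side;
# the real implementation is not public, so this structure is an assumption.
SESSIONS = {}   # session_id -> {"user", "label", "created", "ended"}


def create_session(user, label="unknown browser", now=None):
    """Log a user in and return the opaque value the browser would keep in
    its persistent cookie (the post calls the cookie "isfbe")."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)          # unguessable session identifier
    SESSIONS[sid] = {"user": user, "label": label, "created": now, "ended": False}
    return sid


def account_activity(user):
    """What the 'Account Activity' screen would list: every session of this
    user that has not been ended, with the label the user can recognise."""
    return [(sid, s["label"]) for sid, s in SESSIONS.items()
            if s["user"] == user and not s["ended"]]


def end_activity(user, sid):
    """The 'end activity' link: the owner marks a session ended remotely.
    Only the session's owner may end it; anyone else gets a refusal."""
    s = SESSIONS.get(sid)
    if s is None or s["user"] != user:
        return False
    s["ended"] = True
    return True


def resume_from_cookie(sid):
    """Called when a browser presents its stored cookie. Returns the user to
    auto-login as, or None to fall through to the normal login screen."""
    s = SESSIONS.get(sid)
    if s is None or s["ended"]:
        return None
    return s["user"]


if __name__ == "__main__":
    # alice logs in on a borrowed PC and forgets to log out
    cookie = create_session("alice", label="borrowed library PC")
    print(resume_from_cookie(cookie))          # alice: next borrower is auto-logged-in
    print(account_activity("alice"))           # she sees the open session from home
    end_activity("alice", cookie)              # ...and ends it remotely
    print(resume_from_cookie(cookie))          # None: the borrowed PC gets the login screen
```

The important design point is that the cookie alone is no longer proof of login; every request that presents it is checked against a revocable server-side record, so ending the session takes effect on the borrowed PC's very next request rather than weeks later.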
One time logon password for use on “untrusted” computers
Similar to Google’s addition of one-time passwords sent to registered mobile phones (explained in more detail in my previous post), Facebook has added the ability to use a one-time temporary password sent to your mobile phone, but with a twist: the user can request the one-time temporary password before logging on to a PC or device the user considers “unsecure”. Thus, instead of the more traditional multi-factor authentication flow:
1. Website uses a previously stored browser disk-based cookie to verify whether the computer or device is “trusted” by the user
2. If trusted, no additional authentication for that user
3. If not trusted, in addition to the regular password, prompt for additional authentication in the form of a challenge/security question or via a one-time password (sent to mobile phone, email or provided by a token/key fob, etc.)
Facebook lets the user request a one-time temporary password for use on a device they are not comfortable with security-wise, or that isn’t “trusted”, before even starting the logon sequence. The major differentiation is that last phrase: “before even starting the logon sequence”. By sending Facebook an SMS text message from the mobile phone previously registered with their Facebook account, the user receives on that phone a one-time temporary password valid for the next 20 minutes.
Once the user receives the one-time temporary password, they can log in with it. If a keylogger or some other form of username and password harvesting malware is installed on that PC, the user gives away only their one-time temporary credentials, valid for the next 20 minutes, instead of their real Facebook credentials. Even if someone is shoulder surfing (visually watching what a user types in order to record their credentials), the surfer is not getting any useful information.
From a pure security perspective, being able to log on with a one-time temporary password significantly reduces the risk of your fixed credentials being stolen. Assuming the user types the password and hits enter promptly (rather than typing it fully and then waiting some time before hitting enter), even a one-time temporary password memorised by a shoulder surfer cannot be replayed, because it is single-use. Any malware that harvests Facebook usernames and passwords is likewise rendered ineffective, again because of the one-time nature of the password.
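The one-time temporary password flow described in this section, as an added example that is not Facebook's code: an inbound SMS from a registered phone issues a password that expires after the 20 minutes the post states and is consumed on first successful use, so a keylogged or shoulder-surfed copy fails on replay. The phone register, the plaintext password table and the function names are constructed assumptions for the example (a real system stores password hashes).

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 20 * 60          # validity window stated in the post
OTP_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I to misread
OTP_LENGTH = 8

# Constructed stores standing in for the back end (assumptions for the example).
REGISTERED_PHONES = {"+15550100": "alice"}            # verified phone -> account
PASSWORDS = {"alice": "correct horse battery staple"}  # constructed; real systems store hashes
PENDING_OTPS = {}    # user -> {"otp": str, "expires": float}


def request_otp(from_phone, now=None):
    """Handle an inbound SMS. If the sender is a registered phone, issue a
    fresh one-time password (replacing any earlier one) and return it as the
    reply text. An unregistered phone gets no reply and no hint."""
    now = time.time() if now is None else now
    user = REGISTERED_PHONES.get(from_phone)
    if user is None:
        return None
    otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
    PENDING_OTPS[user] = {"otp": otp, "expires": now + OTP_TTL_SECONDS}
    return otp


def _equal(a, b):
    # Constant-time comparison so response timing leaks nothing about the secret.
    return hmac.compare_digest(a.encode(), b.encode())


def login(user, password, now=None):
    """Password check with the one-time password tried first.
    A pending OTP is discarded once it expires and consumed once it matches,
    so the same value can never log in twice."""
    now = time.time() if now is None else now
    pending = PENDING_OTPS.get(user)
    if pending is not None:
        if now > pending["expires"]:
            del PENDING_OTPS[user]             # expired: discard, fall through
        elif _equal(pending["otp"], password):
            del PENDING_OTPS[user]             # consumed: a replay will not match
            return True
    real = PASSWORDS.get(user)
    return real is not None and _equal(real, password)


if __name__ == "__main__":
    t0 = 1_000_000.0
    otp = request_otp("+15550100", now=t0)      # alice texts from her registered phone
    print(login("alice", otp, now=t0 + 60))     # True: logs in on the untrusted PC
    print(login("alice", otp, now=t0 + 120))    # False: keylogged copy replayed, rejected
```

Note what the one-time password does and does not cover: it limits what a keylogger or shoulder surfer captures to a value that is already useless, but it does nothing for the session established on that untrusted machine once the login succeeds. That is precisely why the “end activity” feature in the first section complements it.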
Both of these new security features give the Facebook user more control over their credential use with Facebook. Both require the user to be aware of the security functionality and when/how to use it. And finally, both require the user to actually choose to use the enhanced security. There is no forced security control aspect that protects the user auto-magically. Again, the user has to be aware of how they are interacting with Facebook and choose to improve their security by engaging these new features per their usage patterns. It is great to see Facebook providing these more sophisticated security options to users, but users must still be aware of how the features work, what threats they protect against and when to use them to protect themselves.