If Facebook wants to be your online identity, they should provide better security options

Facebook is a major player in people's online identity. They should do more to secure both you and themselves. They owe it to you.

For once, I think I’ll make this a brief post. But the fact of the matter is, a tweet made me think about just how important it is that Facebook provides proper security.

By the way, this is that tweet:

The thing is, Facebook already acts as a login provider. Notice how you can use your Facebook account to log in to various services? You can, because Facebook acts as an OAuth 2.0 provider. It effectively means that if you have a Facebook account, you can use that account to log into any internet service which lets you authenticate yourself via OAuth 2.0. Provided, of course, that the service has added support for it.

Which a lot do. And I expect more will. With approximately 850 million Facebook users, there’s a very high probability that the particular service gains from adding Facebook login support.

Ok, so you go on vacation. You log in from that Greek internet cafe computer. Then you leave, and forget to log out. Suddenly all sorts of weirdness starts to happen. Either something really weird gets posted on your wall, or your friends start receiving weird stuff, or you completely lose access to your Facebook account. It gets hijacked.

Sound familiar?

What I believe Facebook should do about it

Now, on my Google Apps site, I have the option of adding two-factor authentication. What's that? Pterodactyl sumfumfication, you say?

It basically makes accessing your site more secure. It's a small piece of hardware, and its sole purpose is to provide you with a numeric code which changes every minute and is unique every minute. So when you log in to a site protected by such technology, you enter your username and password. And here's the kicker: the site/service/app then asks you for the verification code.

That code is generated by such a two-factor key generator. You may know them from using an RSA SecurID. Or Safeword. Or your NemID (Danish authentication). You enter that verification code. The next time you want to log on, you get asked again. Someone may have sniffed your username and password. They may even have sniffed your verification code. But it doesn't matter. Because when they want to gain access to your account, that verification code has changed. And you're the only one who can generate a new one.

Google released both an Android and an iOS app which acts as a code generator. So instead of a physical thingymajiggy, I just launch an app on my iPhone, which shows me the current verification code for my Google Apps site.

Easy security which does its job, and is very easy to use.
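To make the "the code has changed" argument concrete, here is a small time-based one-time password implementation following RFC 4226 (HOTP) and RFC 6238 (TOTP), the scheme used by the Google app mentioned above. This is an added example written for this post, not code from the post, from Google, or from any token vendor. It assumes the RFC defaults (HMAC-SHA1, 30-second steps, six digits; the one-minute cadence described above is just a different `step` value) and uses the RFC's own published test secret. The server-side verifier also keeps the last accepted counter, so that a code sniffed and replayed within the same time step is rejected too, which is the part the paragraph above leaves implicit.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, at_time // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange the shared secret as unpadded base32."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def match_counter(secret: bytes, code: str, at_time: int, step: int = 30,
                  digits: int = 6, window: int = 1):
    """Return the counter whose code matches `code`, or None.
    `window` adjacent steps are accepted to tolerate clock drift between
    phone and server; the comparison is constant-time."""
    base = at_time // step
    for drift in range(-window, window + 1):
        candidate = hotp(secret, base + drift, digits).encode()
        if hmac.compare_digest(candidate, code.encode()):
            return base + drift
    return None


class TotpVerifier:
    """Server-side state for one enrolled user: a shared secret plus the
    last counter that was accepted, so each code is usable only once."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1

    def verify(self, code: str, at_time: int) -> bool:
        counter = match_counter(self.secret, code, at_time,
                                self.step, self.digits, self.window)
        if counter is None or counter <= self.last_counter:
            return False          # wrong code, expired code, or a replay
        self.last_counter = counter
        return True


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    verifier = TotpVerifier(RFC_TEST_SECRET)
    sniffed = totp(RFC_TEST_SECRET, 59)          # what an attacker might capture at t=59
    print("code at t=59 :", sniffed)
    print("first use    :", verifier.verify(sniffed, 59))      # legitimate login
    print("replayed     :", verifier.verify(sniffed, 59))      # same code again -> rejected
    print("an hour later:", verifier.verify(sniffed, 59 + 3600))
    print("right now    :", totp(RFC_TEST_SECRET, int(time.time())))
```

The drift window is the usual trade-off: a wider window is friendlier to phones with a slow clock but lengthens the period during which a captured code stays valid, which is exactly why the verifier also refuses any counter it has already accepted.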

But it doesn’t take care of you logging in, and never logging out

Just as my Google Apps account lets me generate application specific passwords, so I know exactly which apps are allowed to access my Google Apps account, Facebook could do the same with locations.

Very simply, you log in to your home computer, and click "Add this location as my home computer". So, on that computer, Facebook now knows not to bother you with two-factor, unless you explicitly enable it for these types of "secure locations".

You get to work, and do the same. Both times you of course get asked to enter your current verification code, so the secure list can't be manipulated, even if you forgot to log out.

Having done that, Facebook should now evaluate from where you access Facebook. If you do not access Facebook from one of these secure locations, it should always ask you to use your two-factor authentication to gain access, AND, equally important, force a logout after e.g. 5 minutes of inactivity (this may sound like a usability no-no, but the threshold needs to be low to be effective).

So now you have a secure way of logging in, and a mechanism which helps you logout in case you forget to.
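The policy sketched in the last few paragraphs (second factor required away from secure locations, a fresh code required to register a new secure location, and a short idle timeout only for untrusted locations) can be written down as a small session-policy class. This is an added illustration, not Facebook's or any real site's code. It assumes a hypothetical `device_id` string standing in for however a site recognises a browser (a real deployment would bind a signed device cookie rather than a bare identifier), and it takes "was a valid verification code supplied" as a boolean so the policy logic stays separate from the code generator.

```python
from dataclasses import dataclass
import hashlib

# Idle limit for sessions from untrusted locations; the post suggests e.g. 5 minutes.
UNTRUSTED_IDLE_TIMEOUT = 5 * 60


@dataclass
class Session:
    user: str
    device: str           # fingerprint of the device/location this session came from
    trusted: bool         # True when logged in from a registered "secure location"
    last_activity: int    # unix time of the last request seen on this session
    active: bool = True


def fingerprint(device_id: str) -> str:
    # Hypothetical stand-in for a signed device token; hashed so the raw id is not stored.
    return hashlib.sha256(device_id.encode()).hexdigest()


class AccountPolicy:
    def __init__(self, always_second_factor: bool = False):
        # always_second_factor models the opt-in "ask even on secure locations" setting.
        self.trusted = {}                     # user -> set of device fingerprints
        self.always_second_factor = always_second_factor

    def is_trusted(self, user: str, device_id: str) -> bool:
        return fingerprint(device_id) in self.trusted.get(user, set())

    def login(self, user: str, device_id: str, password_ok: bool,
              second_factor_ok: bool, now: int):
        """Return a Session, or None when the login is refused."""
        if not password_ok:
            return None
        trusted = self.is_trusted(user, device_id)
        # Untrusted location (or the strict setting) -> a current code is mandatory.
        if (not trusted or self.always_second_factor) and not second_factor_ok:
            return None
        return Session(user, fingerprint(device_id), trusted, now)

    def add_trusted_device(self, session: Session, second_factor_ok: bool, now: int) -> bool:
        """Register the session's device as a secure location. A fresh code is
        always required, so a forgotten open session cannot extend the list."""
        if not self.touch(session, now) or not second_factor_ok:
            return False
        self.trusted.setdefault(session.user, set()).add(session.device)
        session.trusted = True
        return True

    def touch(self, session: Session, now: int) -> bool:
        """Record activity on a request; untrusted sessions that sat idle past
        the limit are expired instead of being extended."""
        if not session.active:
            return False
        if not session.trusted and now - session.last_activity > UNTRUSTED_IDLE_TIMEOUT:
            session.active = False            # forced logout: the forgotten cafe login dies here
            return False
        session.last_activity = now
        return True


if __name__ == "__main__":
    policy = AccountPolicy()
    print("cafe, no code   :", policy.login("alice", "cafe-pc", True, False, 1000))
    cafe = policy.login("alice", "cafe-pc", True, True, 1000)
    print("cafe, with code :", cafe is not None)
    print("idle 6 minutes  :", policy.touch(cafe, 1000 + 6 * 60), "-> active:", cafe.active)
    home = policy.login("alice", "home-pc", True, True, 2000)
    print("register home   :", policy.add_trusted_device(home, True, 2010))
    print("home, no code   :", policy.login("alice", "home-pc", True, False, 3000) is not None)
```

Note what the two boolean inputs do not cover: the policy only decides whether a factor is required and when a session dies; how the code itself is generated and checked is a separate concern, and the trusted-device list should be reviewable and revocable by the user just like Google's per-application passwords.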

All Facebook needs to do is create an authentication app for your smartphone. Or create Facebook-branded two-factor tokens for you to buy (they don't cost much). Incidentally, Facebook would end up flashing its logo everywhere someone carries one.

Free advertising for Facebook, better security for you and me.

Hell, even World of Warcraft fans have this option (if you want to do this via a smartphone app, go here). And that’s “just” a game.

Facebook is part of your online identity. I’d say “get to work Facebook” ;)

Oh, and if you want to know more about two-factor authentication on your Google Apps site, you should read more here. Or send the link to your Google Apps administrator.

It doesn’t add much overhead for accessing your Google Apps site, but it does wonders for security.
