Facebook cut down large-scale phishing with social authentication

Facebook, with its 845+ million users and some 1.1 billion daily login attempts, is constantly working to improve its authentication process, since many of those login attempts come from phishers or brute-forcers.

At the CanSecWest conference that is currently underway in Canada, Alex Rice, Facebook’s product security lead, explained the relatively recent improvements to the process with the adding of social authentication methods.

One of these methods consists of making users who have failed to authenticate a set number of times identify their friends in a series of photos. According to Rice, a user can still be authenticated even if he or she gets some of the answers wrong.

ThreatPost reports that he actually admitted that Facebook is lying when it says that one has to give all correct answers to access one’s account.

“You can get several of these answers wrong and pass. The reason being, we find that when we tell people that, they fly through it,” he shared. “But when we lie to you, you spend more time thinking about it. It’s one of the few places where we flat-out lie to people.”

And even though the method has its drawbacks (it can show pictures with no individuals in them) and can effectively undermine users’ privacy by showing an attacker the faces of the user’s friends and the circumstances in which the pictures were taken, the positives clearly outweigh the negatives.

The same can also be said of Facebook’s option of letting three friends vouch for a user who has been locked out of his own account, so that he can regain access.

These solutions may be imperfect, but they (and others) managed to effectively cut down large-scale phishing campaigns – something that used to be a big problem for the social network only a year and a half ago.

In any case, Rice says that traditional two-factor authentication is not a good fit for a network of this size.

“We can’t use tokens, because there’s too many headaches. Even if we could pass the cost off to the users, getting the tokens to even a small percentage of our users would be difficult,” he pointed out.

For more insight into Facebook security, check out our interview with Facebook’s CTO Joe Sullivan.