Time to Secure Facebook (Yes AGAIN)!

Filed under: Cloud

There has been recent concern over Facebook privacy (if that isn’t an evergreen topic I don’t know what is), specifically over the Firesheep plugin for the Firefox browser. If you are not familiar with it, Firesheep is a dead-simple plugin that lets people on the same network see and capture the password of other Facebook users.

If you have ever used an open wifi — say at your local Starbucks — and checked your Facebook page, someone else in the cafe might not only have gotten full access to your Facebook page that day, but might also now be able to log on to your Facebook page ANY TIME THEY WANT.

Feel free to re-read that and let it sink in.

Fortunately, Facebook has implemented some new security options to fix this problem. So, it’s time to review and tighten up your Facebook security. Yes, again!

There are two things you need to do RIGHT NOW:

  1. Configure Facebook to connect via https by default.
  2. Add second-factor authentication to Facebook.

Whoa, whoa, whoa. Two-factor what?!?

Two-factor authentication simply means that you use something other than your password to “authenticate” yourself to Facebook. This does not mean a second password: a second factor must be something of a different kind from a password. Types of authentication include:

  • Something you know: a password.
  • Something you have: your cell phone.
  • Something you are: a fingerprint.

If you want a more complete discussion of multi-factor authentication, check out Steve Gibson’s discussion (pdf link).

Most services authenticate you via a password (something you know). However, a password can be stolen (Firesheep, someone looking over your shoulder, etc.) and there goes your security. Adding a second factor of authentication makes you more secure.

What Facebook has done is allow you to authorize each machine that accesses your Facebook account. Whenever you log on to Facebook from a “new” device, Facebook pops up a window asking for a code, which is sent to your cell phone (something you have). While someone may have stolen your login credentials or even your computer, unless they also have your cell phone, your Facebook account is safe(r).
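To make the device-approval idea concrete, here is an added toy model of that flow in Python (my own illustration, not Facebook’s code): a device that has never been approved must present a one-time code before it is trusted, codes expire and allow only a few guesses, and a device can be de-authorized again. The SMS delivery is faked with an in-memory outbox, and the password check is assumed to have happened before `start_login` is called.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # a pass code is only good for five minutes
MAX_ATTEMPTS = 3        # guesses allowed before the pending code is thrown away

class LoginApproval:
    """Toy model of 'login approval': after the password check, a device that
    has not been approved before must present a one-time code sent by SMS.
    The SMS delivery is faked with an in-memory outbox (constructed)."""

    def __init__(self):
        self.trusted = {}     # user -> {device_id: approval token}
        self.pending = {}     # (user, device_id) -> [code, expiry, attempts]
        self.sms_outbox = []  # (user, code) pairs that would go to the phone

    def start_login(self, user, device_id, presented_token=None, now=None):
        """Returns 'ok' for an approved device presenting its token,
        otherwise sends a fresh code and returns 'code_required'."""
        now = time.time() if now is None else now
        expected = self.trusted.get(user, {}).get(device_id)
        if expected and presented_token and hmac.compare_digest(expected, presented_token):
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(user, device_id)] = [code, now + CODE_TTL_SECONDS, 0]
        self.sms_outbox.append((user, code))
        return "code_required"

    def approve(self, user, device_id, code, now=None):
        """Checks the typed code. On success the device becomes trusted and the
        token it must keep (e.g. in a cookie) is returned; otherwise None."""
        now = time.time() if now is None else now
        key = (user, device_id)
        entry = self.pending.get(key)
        if entry is None or now > entry[1] or entry[2] >= MAX_ATTEMPTS:
            self.pending.pop(key, None)  # expired or too many guesses
            return None
        entry[2] += 1
        if not hmac.compare_digest(entry[0], code):
            return None
        del self.pending[key]
        token = secrets.token_hex(16)  # random, so revoking really invalidates it
        self.trusted.setdefault(user, {})[device_id] = token
        return token

    def revoke(self, user, device_id):
        """De-authorize a device: its next login needs a new code."""
        self.trusted.get(user, {}).pop(device_id, None)
```

The point to notice is that a stolen password alone gets an attacker only as far as `code_required`: without the phone, the code never arrives.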

Ok, let’s DO IT!

1) Select Account Settings from the “Account” drop-down menu.

2) Expand the “Account Security” section and check the following checkboxes:
  a) Secure browsing – this has Facebook connect via https when possible.
  b) Login notification – this sends you either an email or an SMS when an unrecognized device tries to log on.
  c) Login approval – this sends a pass code to your phone (you provide your telephone number).

3) The next time you log in to Facebook, you will get the following screen asking you for a pass code (which is sent to your mobile phone — “something you have” — via SMS).

And, YES, this does work with Facebook on mobile devices, like your iPad, as well.

There you go! You are now connecting more safely (via https) AND you can authenticate each system that accesses Facebook.

Keep in mind that once a machine is authenticated, it stays authenticated — until you remove that machine. Well, that is how it is supposed to work. In practice, I have had to re-authenticate my MacBook multiple times as I move it between work and home. But, authenticating just about every time I change networks is just extra security, right?

In case you ever have to de-authorize your computer, the option to do so is just below the “Account Security” setting.

Creative Commons License top photo credit: außerirdische sind gesund