Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Jan 27, 2011

Why Facebook's social authentication fails

Just a comment on the latest blog post on security by one of the Facebook engineers.

First, it's a good thing that Facebook finally offers its users the most fundamental of all security measures, a secure connection to their website. Still, I would have expected them to move faster, especially after the Firesheep controversies back in October.

Then to the most controversial change — the social authentication — which raises a few questions about both the security it is supposed to add and the possible effects on Facebook users' privacy.

The security failure
Consider some malicious Trojan-writer on the other side of the earth, trying to log into your Facebook account with your newly stolen password. Matching the pictures and the names presented in the social authentication should constitute a real challenge. It doesn't! Launching a Google search for the suggested names, narrowed down to the Facebook site, will reveal... You guessed it! A picture of the person!
Social authentication illustrated

If you look at the pictures and names used as an example in the Facebook blog, you'll see that you could probably narrow down the candidates to two names pretty quickly. A Google search will likely reveal which one is correct; just click on the link. I place my bets on Alok.
You'll find the public profile in Google for everyone who has enabled "Public search" in their Facebook privacy settings. For the record, there's also a privacy bug I recently blogged about that makes matters worse — anyone who has commented on or liked a public page can also be found in Google.

That was the scenario of the "hacker on the other side of the planet" attempting to log in to your account. The other scenario is that someone close to you — family or friends — attempts to steal your profile. They can also use Google. In addition, they probably know who most of your friends and colleagues are, and what they look like. So, in my opinion there's not much security added by the social authentication scheme.

The privacy failure
Many Facebook users set the visibility of their profile, pictures, and so on to "Friends of Friends" or even tighter with "Friends only". The assumption here is that the people you have narrowed this down to have to log in to Facebook to see your pictures. This gives you some assurance that your content is not made available to strangers. At first glance, the social authentication is aligned just fine with the privacy settings used by most Facebook users. But if you start thinking about it, you'll realize that there are subtle problems.

When Facebook finds it questionable whether one of your friends is actually signing in herself, they might show a picture of you, to be matched with your name, in order to achieve some extra assurance that everything's in order. In other words: if Facebook is unsure whether it's your friend logging in or a complete stranger who knows your friend's password, they'll show a photo of you just to make sure. You didn't intend Facebook to show your photos to strangers, did you? Well, they do — because they're afraid it's a stranger.

To make matters worse, it seems that Facebook selects a random photo you've been tagged in, either by yourself or by other users. One of my colleagues brought this to my attention, as he was confronted with the new social authentication procedure. One of his friends was shown in a picture, taken from a night on the town when the hour was getting late. Nuff said. Maybe not the picture you'd want to show to people when they log in. I won't post the screenshot here for obvious reasons.

Finally, a brief speculation. There's probably a good chance that someone can tag you in a photo, and it'll be used for social authentication irrespective of whether you've seen the photo or not. Speculation ended.
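To make the privacy point concrete, here is an added illustration (my own sketch, not Facebook's code): the photo-selection rule the post describes beside one that only uses photos the tagged person already shows to everyone and has vouched for. The Photo record, the audience names and SAMPLE_PHOTOS are constructed for the example.

```python
"""Challenge-photo selection for a social-authentication step.
Added illustration; Photo, SAMPLE_PHOTOS and the audience names are constructed."""
from dataclasses import dataclass
from typing import List, Optional
import random


@dataclass(frozen=True)
class Photo:
    photo_id: str
    subject: str         # the friend whose name the challenge asks for
    audience: str        # who the uploader let see it: "public", "friends_of_friends", "friends"
    tagged_by: str       # user who added the tag
    tag_confirmed: bool  # has the subject approved the tag herself?


def tagged_photos(photos: List[Photo], subject: str) -> List[Photo]:
    """Behaviour described in the post: any photo the subject is tagged in qualifies,
    regardless of its audience or of whether the subject ever saw the tag."""
    return [p for p in photos if p.subject == subject]


def challenge_candidates(photos: List[Photo], subject: str) -> List[Photo]:
    """The person answering the challenge may be a stranger holding a stolen password,
    so a photo leaks nothing new only if the subject already shows it to everyone
    and has vouched for the tag (self-tag or confirmed tag)."""
    return [p for p in tagged_photos(photos, subject)
            if p.audience == "public" and (p.tag_confirmed or p.tagged_by == subject)]


def pick_challenge_photo(photos: List[Photo], subject: str,
                         rng: Optional[random.Random] = None) -> Optional[Photo]:
    """Return a photo that is safe to show, or None: the caller should then fall back
    to another factor (the post suggests one-time passwords) rather than widen the pool."""
    candidates = challenge_candidates(photos, subject)
    return (rng or random.Random()).choice(candidates) if candidates else None


# Constructed sample data: p2 is the "night on the town" case, tagged by someone else,
# friends-only audience, never reviewed by the subject.
SAMPLE_PHOTOS = [
    Photo("p1", "alok", "public", "alok", True),
    Photo("p2", "alok", "friends", "colleague", False),
    Photo("p3", "maria", "friends_of_friends", "maria", True),
]

if __name__ == "__main__":
    print("post's behaviour:", [p.photo_id for p in tagged_photos(SAMPLE_PHOTOS, "alok")])
    print("audience-respecting:", pick_challenge_photo(SAMPLE_PHOTOS, "alok"))
    print("maria (friends-of-friends only):", pick_challenge_photo(SAMPLE_PHOTOS, "maria"))
```

Note that a friend who keeps everything at "Friends of Friends" yields no usable photo at all, which is exactly why the challenge cannot be both privacy-respecting and always available.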

So to summarize, I don't believe that the social authentication adds much (any) security to your Facebook account. On the contrary, it introduces yet another privacy issue for Facebook users.

If you want better security, you should have a look at one-time passwords instead; they were a much better addition. That's what Facebook should use instead of social authentication when they're unsure whether it's the correct user signing in.


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
