So, Facebook has introduced what it terms two-factor authentication to the social networking site! I read a response from someone at a large security company (I clicked on their handle and it linked me to Symantec) who said the company “commends Facebook for broadening security options...”. To me, this is similar to the “validate the market” type of positioning that I mentioned in my last post – a little too easy – although admittedly this person added that the next step should be for web users to take security more seriously.
But for a consumer-centric site like Facebook, is this a realistic expectation? And if not, what should organizations like Facebook be doing to protect their user base?
Now I’ll admit this post may be a little one-sided: my premise here is that if an organization is relying on education of consumers to protect their users, they’ve got a long wait. And this should influence how organizations implement security on large consumer-oriented sites.
Let’s start with an understanding of what Facebook (FB) is calling “two factor authentication”. Users will be given a choice – much as they were when the site started offering secure web browsing earlier this year (providing the option of enabling HTTPS) – by selecting to have a PIN sent out-of-band to a mobile phone every time they log in to FB from a different device. So they have their user ID, they have their password, and they have an out-of-band PIN – when they log in from a different device. I particularly liked this description from a writer at geek.com:
“... the arrival of two-factor authentication... brings a 007-style security element to your Facebook login... the code will likely be delivered to your smartphone via the Facebook app or traditional cell phones as an SMS message, and will make your account virtually impossible to hack.”
You gotta love that sound-bite, eh? “007-style security. . . virtually impossible to hack”!
To a security geek there are numerous holes in the approach being taken by Facebook. Let’s ignore the most obvious fact that 25% of Facebook users today log in from their mobile device – and likely enable automatic login from that device. So if you lose your phone and log in from another computer, sending an OTP to the phone doesn’t make much sense. Not to mention the numerous attacks that target mobile phones these days.
But my premise isn’t about the security being added here; it’s that most FB users, regardless of whether they understand the risks, are going to do little to protect themselves – and this should drive how Facebook – and other consumer-focused sites – implement security.
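To make the flow described above concrete, here is a toy model of a device-aware, out-of-band PIN login: a recognized device gets through on user ID and password alone, an unrecognized device triggers a PIN sent over a separate channel, and the PIN is single-use and time-limited. This is an added example, not Facebook’s code; the device identifier (assumed to be an opaque token the site set in a cookie), the PIN length and lifetime, the trusted-device bookkeeping and the `revoke_device` helper for the lost-phone case are all assumptions made for illustration.

```python
"""Toy model of a device-aware, out-of-band PIN login flow.

Added example, not Facebook's code. The device identifier, the PIN length
and lifetime, and the trusted-device bookkeeping are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 300  # assumed lifetime of a delivered PIN
OTP_DIGITS = 6         # assumed PIN length


@dataclass
class Account:
    user_id: str
    pw_salt: bytes
    pw_hash: bytes
    phone: str                                        # out-of-band channel target
    trusted_devices: set = field(default_factory=set) # device tokens already verified
    pending_otp: dict = field(default_factory=dict)   # device token -> (otp, expiry)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored credential is not a bare hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(user_id: str, password: str, phone: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(user_id, salt, hash_password(password, salt), phone)


class OutOfBandChannel:
    """Stand-in for SMS or app delivery; it just records what would be sent."""
    def __init__(self):
        self.sent = []

    def send(self, phone: str, otp: str) -> None:
        self.sent.append((phone, otp))


def begin_login(acct: Account, password: str, device_id: str,
                channel: OutOfBandChannel, now: float = None):
    """First factor check, then a device decision.

    Returns ("ok", None) when the device is already trusted,
    ("otp_required", None) when a PIN was sent out-of-band,
    or ("denied", reason)."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(hash_password(password, acct.pw_salt), acct.pw_hash):
        return ("denied", "bad password")
    if device_id in acct.trusted_devices:
        return ("ok", None)          # known device: no second step
    otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    acct.pending_otp[device_id] = (otp, now + OTP_TTL_SECONDS)
    channel.send(acct.phone, otp)    # delivered over the separate channel
    return ("otp_required", None)


def complete_login(acct: Account, device_id: str, submitted_otp: str,
                   now: float = None):
    """Second step for a new device. The challenge is consumed on the first
    attempt, right or wrong, so a PIN cannot be guessed repeatedly."""
    now = time.time() if now is None else now
    entry = acct.pending_otp.pop(device_id, None)
    if entry is None:
        return ("denied", "no pending challenge")
    otp, expiry = entry
    if now > expiry:
        return ("denied", "expired")
    if not hmac.compare_digest(otp, submitted_otp):
        return ("denied", "wrong PIN")
    acct.trusted_devices.add(device_id)  # future logins from here skip the PIN
    return ("ok", None)


def revoke_device(acct: Account, device_id: str) -> None:
    """Assumed recovery hook: drop a device (e.g. a lost phone) from the
    trusted set so its next login must pass the PIN step again."""
    acct.trusted_devices.discard(device_id)
```

The point the model makes visible is that the "second factor" only fires on the device decision: once a device is in `trusted_devices`, the site is back to user ID and password from that device, which is why a lost, auto-logged-in phone needs a revocation path rather than another PIN sent to the same phone.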
I thought this recent article (see: Demystifying Usability) painted an interesting portrait of what a site like Facebook is up against:
“A study in the journal, Cyberpsychology, Behavior and Social Networking, finds women who base their self worth on their appearance, tend to share more photos online and maintain larger networks on online social networking sites. Researchers say the results reveal women identify more strongly with their image and appearance, and use Facebook as a platform to compete for attention... Facebook is a forum where most users seek to showcase the best of themselves. For many, that means photos of you looking great, or in glamorous situations (think on vacation, or posing with many people at a party).”
Why is this important? Because it’s about the willingness of people who use these sites to share private information – again, regardless of the risk. And that private information is ideal for conducting fraud – starting with attacks like spear phishing.
It’s not that Facebook users don’t care about privacy. Frank Spillers, a recognized expert in web and software usability (recognized as such by the U.S. Department of Labor), points to numerous studies over the past few years “that have shown that privacy ranks as a top concern, and in ecommerce *the* top concern with online shopping.”
I suspect it’s the same with security. People are concerned about privacy – and protecting privacy should be directly linked to security. It’s just that they’re not inclined to do much about it themselves. If organizations like Facebook are sincere about protecting their users – and their users’ privacy – they need to be proactive when implementing security. It needs to be on by default – and for consumers, it needs to be as transparent as possible.
For many consumer applications, online banking for example, an out-of-band PIN to a mobile device is an excellent approach for stronger authentication – so long as the target base of users is inclined to adopt it; but where it’s not, organizations need to look for solutions that minimize disruption to the user’s typical behavior.
Because it’s not just women! When I look particularly good in a photo – when I’m seen having fun at an exclusive, celebrity-heavy private party, surrounded by a lot of very cool people – when someone snaps a shot of me in a bar in San Francisco chatting one-on-one with Jude Law – there is absolutely no amount of education that is going to prevent me from sharing this stuff online with my Facebook friends!