Yesterday, Facebook announced some new measures intended to improve account security. You can now turn on SSL for your sessions, and you can be notified when a previously unseen device accesses your account. Those are good first steps.
But this “social authentication” idea confuses me. The above image is supposedly an example of a social authentication challenge. You’re given three photos in which one of your friends is tagged and six names to choose from. Pick the right name, and you’re authenticated.
Now suppose I’m a hacker trying to break into your account, and I’m presented with this challenge. How hard would it be to look up those six people in your (public by default) friend list, and use their (required to be public) profile pictures to solve the puzzle? Actually I just did it, and the answer is Alok Menghrajani.
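To make the attack concrete, here is a simulation of it in Python. This is an added example, not code from the original post and not anything Facebook has published. The "public friend list" is a constructed dictionary of made-up names to 9x8 grayscale profile pictures, the challenge photos are constructed variants of one friend's picture, and a difference hash (dHash) stands in for the face matching a real attacker would do by eye or with a recognition library. The point it demonstrates is the one above: once the candidate names and their pictures are public, the solver needs nothing the account owner knows.

```python
"""Simulated solver for a six-name 'social authentication' challenge.

Constructed assumptions for this example: a profile picture is a 9x8
grayscale array, the public friend list is a dict name -> picture, and a
challenge is three photos of one tagged friend plus six candidate names.
"""
import random

WIDTH, HEIGHT = 9, 8  # dHash compares each pixel to its right neighbour: 8 bits per row


def dhash(pixels):
    """64-bit difference hash: bit is 1 when a pixel is brighter than its right neighbour.

    A uniform brightness shift leaves the hash unchanged, which is why it
    survives the 'tagged photo' perturbation below.
    """
    bits = 0
    for row in pixels:
        for x in range(WIDTH - 1):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def make_profile_picture(rng):
    """Constructed 'profile picture': random grayscale noise, one per friend."""
    return [[rng.randrange(256) for _ in range(WIDTH)] for _ in range(HEIGHT)]


def snapshot(picture, rng, brightness=20, noisy_pixels=3):
    """Constructed 'tagged photo' of the same person: brightness shift plus a few bad pixels."""
    photo = [[min(255, max(0, p + brightness)) for p in row] for row in picture]
    for _ in range(noisy_pixels):
        y, x = rng.randrange(HEIGHT), rng.randrange(WIDTH)
        photo[y][x] = rng.randrange(256)
    return photo


def build_public_graph(names, seed=1):
    """What the service hands to anyone who asks: every friend's name and profile picture."""
    rng = random.Random(seed)
    return {name: make_profile_picture(rng) for name in names}


def make_challenge(public_graph, answer, seed=2):
    """The service's side: three photos in which `answer` is tagged."""
    rng = random.Random(seed)
    return [snapshot(public_graph[answer], rng) for _ in range(3)]


def solve(challenge_photos, candidates, public_graph):
    """The attacker's side: pick the candidate whose public picture is closest to the photos.

    Returns (best_name, scores) where scores maps each candidate to its
    summed Hamming distance; a lower score is a better match.
    """
    photo_hashes = [dhash(p) for p in challenge_photos]
    scores = {}
    for name in candidates:
        h = dhash(public_graph[name])
        scores[name] = sum(hamming(h, ph) for ph in photo_hashes)
    return min(scores, key=scores.get), scores


def demo():
    """Run one challenge end to end with constructed names; returns the solver's answer."""
    names = ["alice", "bob", "carol", "dave", "erin", "frank"]  # constructed
    graph = build_public_graph(names)
    photos = make_challenge(graph, answer="carol")
    best, scores = solve(photos, names, graph)
    return best


if __name__ == "__main__":
    print("solver picked:", demo())
```

The solver never sees the account owner's password, session, or private data; it consumes only the friend list and profile pictures, which the post notes are public by default and required to be public respectively. That is the property a knowledge-based challenge must not have: the "secret" is published by the very service asking the question.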
Clearly, then, all this approach is good for is telling humans apart from machines. Like a traditional captcha but more fun, right? Note too that even without the lookup, a six-way multiple-choice question gives a one-in-six guess rate per round, so it only has any value if rounds are repeated and attempts are rate limited. But that’s not how Facebook is presenting it. Note that the following was written by a security engineer:
Traditional captchas have a number of limitations including being (at times) incredibly hard to decipher and, since they are only meant to defend against attacks by computers, vulnerable to human hackers. Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication.
(My emphasis.) Captchas don’t verify identity. “Social authentication” challenges based on public information — especially information that the service itself provides, for free, to anyone who asks — don’t do that either.
We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don’t know who your friends are.
Right, hackers don’t know who your friends are. Unless Facebook tells them who your friends are, like for example by making the social graph public.
Someone once said something smart about not mistaking stupidity for malice (Hanlon’s razor). But if Facebook’s engineers actually believe this idea will protect anyone’s identity, then their understanding of their own product is shockingly, unimaginably poor.