Facebook is currently testing two new security features which it hopes will add further protection for its 800+ million community. Back on October 26th, Facebook announced the “trusted friends” feature to help users regain control of account and application passwords and to prevent malicious third-party apps from accessing a user’s Facebook account data.
The “trusted friends” feature is designed for Facebook account logins. So, when a user is unable to log in to their account, Facebook will now be able to send the unlock code to a designated “trusted friend”. It is the responsibility of the “trusted friend” to forward the code to the locked-out user (you). My primary concern here is that your designated friends now hold the spare key to your account, which means that if an attacker has compromised your Facebook account, the attacker would look to change the “trusted friends” setting – this would be my first port of call as an attacker.
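To make the flow concrete, here is an added example (not Facebook’s code, and not from the original post) of how a trusted-friend recovery service could be built so that the concern above is mitigated: changing the trusted friend requires re-authentication and is logged, a newly set friend cannot be used for recovery until a cooldown has passed, and the unlock code itself is short-lived, single-use and bound to the account it was minted for. The policy values (15-minute code lifetime, 7-day cooldown) and all names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed policy values for this example; the real service's numbers are not known.
CODE_TTL_SECONDS = 15 * 60                 # a recovery code is valid for 15 minutes
CONTACT_COOLDOWN_SECONDS = 7 * 24 * 3600   # a newly set trusted friend cannot be used for 7 days


@dataclass
class Account:
    user_id: str
    trusted_friend: Optional[str] = None
    trusted_friend_set_at: float = 0.0
    pending_code_hash: Optional[str] = None
    pending_code_expires: float = 0.0


def _hash_code(user_id: str, code: str) -> str:
    # Bind the hash to the account so a code minted for one user cannot be replayed on another.
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


class RecoveryService:
    """Trusted-friend recovery with the controls a defender would want around the setting."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.audit: list[tuple[str, str]] = []   # (event, user_id), the feed a detection rule would watch

    def set_trusted_friend(self, account: Account, friend_id: str, reauthenticated: bool) -> None:
        # Changing who holds the spare key is the sensitive step, so it needs a fresh
        # password check and an audit record, and it invalidates any code already in flight.
        if not reauthenticated:
            raise PermissionError("re-authentication required to change trusted friend")
        account.trusted_friend = friend_id
        account.trusted_friend_set_at = self.clock()
        account.pending_code_hash = None
        self.audit.append(("trusted_friend_changed", account.user_id))

    def request_recovery(self, account: Account) -> tuple[str, str]:
        """Mint a single-use code; returns (friend_id, code). The code is sent to the friend, not the requester."""
        if account.trusted_friend is None:
            raise ValueError("no trusted friend configured")
        if self.clock() - account.trusted_friend_set_at < CONTACT_COOLDOWN_SECONDS:
            # A friend added moments ago by whoever holds the session cannot be used yet.
            raise ValueError("trusted friend was changed too recently")
        code = f"{secrets.randbelow(10**8):08d}"
        account.pending_code_hash = _hash_code(account.user_id, code)
        account.pending_code_expires = self.clock() + CODE_TTL_SECONDS
        self.audit.append(("recovery_code_issued", account.user_id))
        return account.trusted_friend, code

    def redeem(self, account: Account, code: str) -> bool:
        """Accept the code once, only before it expires, using a constant-time comparison."""
        if account.pending_code_hash is None or self.clock() > account.pending_code_expires:
            return False
        ok = hmac.compare_digest(account.pending_code_hash, _hash_code(account.user_id, code))
        if ok:
            account.pending_code_hash = None   # single use
            self.audit.append(("recovery_succeeded", account.user_id))
        else:
            self.audit.append(("recovery_code_rejected", account.user_id))
        return ok


if __name__ == "__main__":
    # Constructed walk-through with a fake clock so the cooldown can be skipped over.
    now = [1_000_000.0]
    svc = RecoveryService(clock=lambda: now[0])
    alice = Account("alice")
    svc.set_trusted_friend(alice, "bob", reauthenticated=True)
    now[0] += CONTACT_COOLDOWN_SECONDS + 1
    friend, code = svc.request_recovery(alice)
    print("code sent to", friend, "-> redeemed:", svc.redeem(alice, code))
```

The cooldown is what turns “change the trusted friend, then recover” from a one-step takeover into something the real owner has a week to notice; the audit feed is where that notice comes from.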
App Passwords, however, provide a higher level of login protection for third-party apps that use your Facebook account. Many websites and apps now allow single sign-on using your Facebook username and password; if those sites or apps are compromised, your Facebook account is left vulnerable to an attacker. So Facebook has developed App Passwords, which generates a unique one-time password that you use the first time you authorize the app, instead of your existing credentials.
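The security value of the scheme is easier to see in code. The following is an added example (not Facebook’s implementation and not from the original post) of an app-password store built on the description above: each app gets its own random password that is accepted exactly once at authorization and exchanged for an app token, only hashes are stored, and a single app can be revoked without touching the user’s real password or any other app. Class and method names, the character alphabet and the 16-character length are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed alphabet: unambiguous characters only, so a password read off the screen is typed correctly.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


@dataclass
class AppGrant:
    app_name: str
    password_hash: bytes                 # only a hash is stored; the password is shown to the user once
    consumed: bool = False               # the app password is accepted exactly once, at authorization
    token_hash: Optional[bytes] = None   # hash of the long-lived token handed to the app afterwards
    revoked: bool = False


class AppPasswordStore:
    def __init__(self) -> None:
        self.grants: dict[str, list[AppGrant]] = {}

    def issue(self, user_id: str, app_name: str) -> str:
        """Mint a fresh app password for one app and return it (this is the only time it is visible)."""
        # 16 symbols from a 31-symbol alphabet is ~79 bits of entropy; the value is random,
        # not user chosen, so a plain SHA-256 lookup hash is adequate here.
        password = "".join(secrets.choice(ALPHABET) for _ in range(16))
        grant = AppGrant(app_name, hashlib.sha256(password.encode()).digest())
        self.grants.setdefault(user_id, []).append(grant)
        return password

    def authorize(self, user_id: str, app_password: str) -> Optional[str]:
        """Exchange an unused app password for an opaque app token; None if it is not valid."""
        candidate = hashlib.sha256(app_password.encode()).digest()
        for grant in self.grants.get(user_id, []):
            if grant.revoked or grant.consumed:
                continue
            if hmac.compare_digest(candidate, grant.password_hash):
                grant.consumed = True                    # one-time: a leaked copy is useless afterwards
                token = secrets.token_urlsafe(32)
                grant.token_hash = hashlib.sha256(token.encode()).digest()
                return token
        return None   # the real account password never matches here: it is never handed to an app

    def app_for_token(self, user_id: str, token: str) -> Optional[str]:
        """Identify which app presented a token, so a compromise traces back to one grant."""
        candidate = hashlib.sha256(token.encode()).digest()
        for grant in self.grants.get(user_id, []):
            if grant.revoked or grant.token_hash is None:
                continue
            if hmac.compare_digest(candidate, grant.token_hash):
                return grant.app_name
        return None

    def revoke(self, user_id: str, app_name: str) -> int:
        """Cut off one app without touching the user's real password or other apps; returns grants revoked."""
        count = 0
        for grant in self.grants.get(user_id, []):
            if grant.app_name == app_name and not grant.revoked:
                grant.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    # Constructed walk-through: two apps, one of them later "compromised" and revoked.
    store = AppPasswordStore()
    photo_pw = store.issue("alice", "photo-site")
    game_pw = store.issue("alice", "game")
    photo_token = store.authorize("alice", photo_pw)
    game_token = store.authorize("alice", game_pw)
    store.revoke("alice", "photo-site")
    print("photo token still valid:", store.app_for_token("alice", photo_token) is not None)
    print("game token still valid:", store.app_for_token("alice", game_token) is not None)
```

The design choice worth noting is that blast radius is per app: a breach of one site yields at most a consumed app password and a token that maps to exactly one grant, which the user revokes without changing the password they use everywhere else.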
The major problem with App Passwords is the lack of clarity. Privacy-aware Facebook users will no doubt use this feature, but I’m guessing most of the community will not: they won’t know about it, won’t understand what it does, or won’t be able to find it. When the new security features are live, I will post some screenshots here and explain in more detail.
Safe surfing folks!