Facebook announced it’s implementing new security tools (and procedures) intended to prevent unauthorized login to an account. It seems as if they are going to be using “shared secrets” to verify the person behind suspicious activity.
“When we see that someone is trying to access your account from an unusual device, we’ll ask the person to answer an additional verification question to prove his or her identity as the real account owner,” Popov wrote.
That might include asking you to provide your date of birth, identify a photo of a Facebook friend, or answer a previously supplied security question.
Popov said this process won’t happen often, only “on the rare occasion that we notice something different.”
I’m pleased Facebook is taking steps in the right direction, but I can’t help but remind them of the dangers involved in using static knowledge-based authentication (i.e. shared secret questions) instead of a dynamic knowledge-based authentication (KBA) solution. Remember Sarah Palin’s Yahoo account breach? The hacker was able to access her account because he could easily guess the answers to her secret questions.
The next step for Facebook in their embrace of identity authentication tools is to evolve their strategy and use a dynamic KBA solution. This takes away the danger of someone correctly “guessing” answers, and reduces the risk of a data breach, since Facebook wouldn’t have to maintain a database of 400 million members’ secret questions and answers.
IDology has long blogged on the topic of shared secrets and dynamic KBA. Some related posts are: