8 Responses to Facebook introduces Trusted Contacts, makes you ask, "How much do I trust my friends?"

  1. Philip Le Riche · 500 days ago

    I'd welcome this, though there are obvious pitfalls, as with any authentication method. We've long been stuck with "something you know" - and the problems with passwords are too numerous and well known to waste electrons on, "something you have" - but you haven't got it when you need it and fall back onto an insecure "security" question, or else you "have" so many "things" for different accounts it's a pain, and "something you are" - but you can rarely get an accurate estimate of the false positive or false negative rates and you can never be sure that tomorrow, someone won't invent a clever method of spoofing it. The 4th factor - "someone you know" - is not new but is well worth exploring more than it has been. But clearly, just as we have rules for choosing good passwords, e.g. no dictionary words, we will need rules for choosing trusted friends. The obvious one, as you say, is people you'd trust your front door key to, or at least a third of your front door key. The next most obvious rule would be that they should be chosen from several different and largely non-overlapping groups of friends who generally don't know each other, e.g. a trusted work colleague, a family member, and a long-standing friend you know purely socially. I think I'd then go for it. It's still not immune to a clever and determined social engineering attack, but nothing is, and unless you're protecting the nation's nuclear secrets or the formula for Coke then you've half won the battle if you can simply make your account harder to crack than the next guy's. Anyway, I certainly don't greatly warm to Apple's "something else you know" and are going to hide so well that in 2 years' time when you need it you've probably forgotten what you did with it!

    • Paul Ducklin · 499 days ago

      You could always print out Apple's recovery code, cut the printout into N pieces and give one to each of N friends, with the number of characters in each piece reflecting the level of trust in each friend :-)

      Then you have to remember who your friends were, of course. And to change all the codes if you decide to distrust any one of the friends...

  2. Nigel · 500 days ago

    "...I'm not convinced that we yet treat access to other people's online accounts with the same gravity as we do access to their property."

    Indeed. You're right to be unconvinced, because Facebook itself doesn't treat online accounts as though they were property. That's the reason I dumped my account. You think you've opted out of the most intrusive "features", and then later you find out that they've changed the rules and the way the features work yet again, without notification.

    Your privacy is your property, and you effectively surrender a great part of the control of that property to Facebook as the price of the "free" account they provide. The bottom line turns out to be, if you want to protect that property, don't hand it over to Facebook.

  3. privatename · 500 days ago

    It's a terrible idea. Now you are trusting not just other people to not access your account, but also not to give access to other people.

    • You have to remember that not everyone's friends are untrustworthy idiots. There's an issue that no-one seems to have mentioned: the fact that if one or more of those friends closes or even loses control of their account, then you're knackered. If I were to do it, I would use family members. I have enough of them as Facebook friends and I also trust them more than any of my friends.

      • Mrs. W · 498 days ago

        If I were on Facebook (which I'm not), I'd give access to a handful of our good friends in the security industry, whom I'd trust to guard it with their lives and not get social-engineered.

        Oh wait. . .

        . . .just one hitch in my plans. . .

        none of them are on Facebook either. :P

  4. John · 500 days ago

    I'm not sure this will work well if the Facebook account is taken over by someone else since all they have to do is march over to your trusted friends list and clear it out.

  5. Nathan · 498 days ago

    I prefer the "security code" method. I'm sure 99% of people who use Facebook have a phone. A simple text message with an authorization code should be enough. Heck, make it even *more* secure by requiring the three codes from the "trusted contacts" AND this authorization code that can only be generated by the account's owner (like say, a registered phone number on the account).

    Let's face it: security has its advantages and disadvantages. Implementing something like this involves handing over personal information like a phone number, but a majority of users already have that information anyway.

    I'd much rather see a public key challenge :) but that's just the geek in me. Facebook generates a keypair and you download the private key to store someplace safe (like you would a key!). Having a bunch of options to choose from would appease more users.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog