Losing access to your Facebook account is a big deal, especially if you use it to generate business as well as to keep up with your friends.
Getting control back over “lost” online accounts can be an even bigger deal.
It’s not as though you went into a branch of Facebook, or Google, or Microsoft, and established your identity in a reliable and repeatable way when you opened your account.
And there’s no-one at the branch you’ve never been to who would recognise you with certainty by your appearance, voice and mannerisms.
So you’re stuck with unreliable methods, such as knowing the answer to various “security” questions, or sending in a scanned copy of a driving licence.
Neither of those approaches to account recovery is appealing from a security point of view, or terribly convincing as identification.
But what if there were someone who could speak up for you to the Facebooks of the world, and that you would trust to speak up for you because you selected them for that job in the first place?
That’s the idea behind Facebook’s just-announced Trusted Contacts feature.
You choose three to five trusted contacts who can request account recovery codes on your behalf, but you need to have three codes at the same time to complete the recovery process.
To configure this feature, assuming it’s available in your region and language, log in to Facebook and go to the “gear wheel” dropdown menu. Choose Account Settings, go to the Security tab and click on Trusted Contacts, then Choose Trusted Contacts.
This is a bit like setting up a corporate bank account so that it requires multiple signatures, to prevent a rogue director operating alone.
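Facebook generates the three-of-three-to-five codes server-side, so the following is an added illustration of the same threshold idea, not Facebook’s implementation: a recovery code split with Shamir’s secret sharing, so that any three contacts’ shares rebuild it while any two reveal nothing useful. The sample recovery code, the field prime and the helper names are all constructed for this example.

```python
# Added illustration (not Facebook's code): a 3-of-5 threshold secret using
# Shamir's secret sharing over the prime field GF(P). Three shares rebuild the
# recovery code; two shares interpolate to an unrelated value.
import secrets
from itertools import combinations

P = 2**127 - 1                  # prime modulus; the recovery code must be < P
THRESHOLD, CONTACTS = 3, 5      # three codes needed, out of three to five contacts

def split_secret(secret, k=THRESHOLD, n=CONTACTS, rng=secrets.randbelow):
    """Split `secret` into n shares (x, y); any k of them reconstruct it."""
    assert 0 <= secret < P and 1 < k <= n
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [rng(P) for _ in range(k - 1)]
    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, f(x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P); needs k distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def subsets_that_recover(shares, secret, size):
    """Count how many `size`-contact subsets reconstruct `secret`."""
    return sum(recover_secret(list(s)) == secret
               for s in combinations(shares, size))

# Constructed sample recovery code (any integer below P would do).
SAMPLE_CODE = 3141592653589793238462643383279

if __name__ == "__main__":
    shares = split_secret(SAMPLE_CODE)
    print("3-contact subsets that recover:", subsets_that_recover(shares, SAMPLE_CODE, 3))
    print("2-contact subsets that recover:", subsets_that_recover(shares, SAMPLE_CODE, 2))
```

The counts show the social-engineering point from the article in numbers: every one of the ten three-contact combinations recovers the code, so a single turncoat who talks two other contacts out of their shares has everything he needs.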
As Facebook points out in its evangelism of this new service:
With trusted contacts, there's no need to worry about remembering the answer to your security question or filling out long web forms to prove who you are. You can recover your account with help from your friends.
Will it work?
I’ll give this approach a qualified “Yes.”
I like the fact that this effectively decentralises your identity (or, more correctly, your right to assume a specific identity) on Facebook, and lets you take control of it yourself.
There are risks, however.
As Facebook points out, you need to “choose people you trust, like friends you’d give a spare key to your house.”
But the company may be making a bit of a cultural leap there, because I’m not convinced that we yet treat access to other people’s online accounts with the same gravity as we do access to their property.
Nick Statt, a Readwriteweb journalist who was still at college when Facebook came onto the social scene, wrote about this very issue under the headline, “Can You Really Trust Your Friends?”
His concern over Trusted Contacts lies mainly in the fact that he, and his friends, seem to have spent their formative adult years in a milieu in which “If anyone left their account open on any computer that wasn’t their own that person’s Facebook account was fair game.”
And even if your friends don’t share what Nick Statt calls the “joy of Facebook hacking,” you have to be sure that your Trusted Contacts will heed Facebook’s own warning:
Your trusted contacts should make sure it's you before giving you security codes.
In theory, three out of the three-to-five chums you choose to be your Trusted Contacts would need to collude to rip your account off.
But in practice, one turncoat “friend” might very well be able to collect three codes for himself by applying social engineering to two of your other friends.
For example, he could ask the others to generate recovery codes and send them to what he says is your new email account, and tell them that you weren’t able to call everyone individually because you had to use a borrowed phone.
Apple took a different approach when it introduced two-factor authentication recently, preferring instead to rely on a single recovery code so that only you can reset your password.
Apple reminds you to write it down and keep it somewhere safe – what you might do, in fact, with a spare key to your house.
That’s an approach I think I prefer, but I can see why Facebook didn’t want to rely on a single, long-lasting recovery code.
After all, the temptation to store the master password somewhere insecure (such as in an unencrypted file on your everyday computer) will just be too great for some users.
Worse still, if you lose that one-off master password, then you’ll lose access to your account forever.
And that, if you remember, is the very problem we were trying to avoid at the top of the article.
I'd welcome this, though there are obvious pitfalls, as with any authentication method. We've long been stuck with "something you know" – and the problems with passwords are too numerous and well known to waste electrons on; "something you have" – but you haven't got it when you need it and fall back onto an insecure "security" question, or else you "have" so many "things" for different accounts that it's a pain; and "something you are" – but you can rarely get an accurate estimate of the false positive or false negative rates and you can never be sure that tomorrow, someone won't invent a clever method of spoofing it. The 4th factor – "someone you know" – is not new but is well worth exploring more than it has been. But clearly, just as we have rules for choosing good passwords, e.g. no dictionary words, we will need rules for choosing trusted friends. The obvious one, as you say, is people you'd trust your front door key to, or at least a third of your front door key. The next most obvious rule would be that they should be chosen from several different and largely non-overlapping groups of friends who generally don't know each other, e.g. a trusted work colleague, a family member, and a long-standing friend you know purely socially. I think I'd then go for it. It's still not immune to a clever and determined social engineering attack, but nothing is, and unless you're protecting the nation's nuclear secrets or the formula for Coke then you've half won the battle if you can simply make your account harder to crack than the next guy's. Anyway, I certainly don't greatly warm to Apple's "something else you know" that you are going to hide so well that in 2 years' time when you need it you've probably forgotten what you did with it!
You could always print out Apple's recovery code, cut the printout into N pieces and give one to each of N friends, with the number of characters in each piece reflecting the level of trust in each friend 🙂
Then you have to remember who your friends were, of course. And to change all the codes if you decide to distrust any one of the friends…
"…I'm not convinced that we yet treat access to other people's online accounts with the same gravity as we do access to their property."
Indeed. You're right to be unconvinced, because Facebook itself doesn't treat online accounts as though they were property. That's the reason I dumped my account. You think you've opted out of the most intrusive "features", and then later you find out that they've changed the rules and the way the features work yet again, without notification.
Your privacy is your property, and you effectively surrender a great part of the control of that property to Facebook as the price of the "free" account they provide. The bottom line turns out to be, if you want to protect that property, don't hand it over to Facebook.
It's a terrible idea. Now you are trusting other people not just to not access your account, but also not to give access to other people.
You have to remember that not everyone's friends are untrustworthy idiots. There's an issue that no-one seems to have mentioned: the fact that if one or more of those friends closes or even loses control of their account, then you're knackered. If I were to do it, I would use family members. I have enough of them as Facebook friends and I also trust them more than any of my friends.
If I were on Facebook (which I'm not), I'd give access to a handful of our good friends in the security industry, whom I'd trust to guard it with their lives and not get social-engineered.
Oh wait. . .
. . .just one hitch in my plans. . .
none of them are on Facebook either. 😛
I'm not sure this will work well if the Facebook account is taken over by someone else since all they have to do is march over to your trusted friends list and clear it out.
I prefer the "security code" method. I'm sure 99% of people who use Facebook have a phone. A simple text message with an authorization code should be enough. Heck, make it even *more* secure by requiring the three codes from the "trusted contacts" AND this authorization code that can only be generated by the account's owner (like say, a registered phone number on the account).
Let's face it: security has its advantages and disadvantages. Implementing something like this involves handing over personal information like a phone number, but a majority of users already have that information anyway.
I'd much rather see a public key challenge 🙂 but that's just the geek in me. Facebook generates a keypair and you download the private key to store someplace safe (like you would a key!). Having a bunch of options to choose from would appease more users.
"Your trusted contacts should make sure it’s you before giving you security codes."
I have only two trusted friends on fb. How can I use them to recover my email?
I have 3 trusted friends and the codes don’t work. I need to change my friends; how do I do that? I want to get back to my family and friends.
My daughter can’t log in (locked out from putting the wrong pass in too many times). Using “trusted contacts” is the ONLY option facebook gives her.
Facebook picked 5 contacts. 2 of them don’t use facebook and don’t know their passwords, and another one gets this message: “Please tell your friend that you are not one of the trusted contacts they set for their account.” So only 2 of the contacts can help her, but facebook wants 3! What kind of crap is this?
There are no other options, so she’s screwed.
Why can’t the email verification be enough?? Her email wasn’t hacked! Neither was her facebook account…