Facebook introduces Trusted Contacts, makes you ask, “How much do I trust my friends?”

04 May 2013 | Facebook

by Paul Ducklin

Losing access to your Facebook account is a big deal, especially if you use it to generate business as well as to keep up with your friends.

Getting control back over “lost” online accounts can be an even bigger deal.

It’s not as though you went into a branch of Facebook, or Google, or Microsoft, and established your identity in a reliable and repeatable way when you opened your account.

And there’s no-one at the branch you’ve never been to who would recognise you with certainty by your appearance, voice and mannerisms.

So you’re stuck with unreliable methods, such as knowing the answer to various “security” questions, or sending in a scanned copy of a driving licence.

Neither of those approaches to account recovery is appealing from a security point of view, or terribly convincing as identification.

But what if there were someone who could speak up for you to the Facebooks of the world, and that you would trust to speak up for you because you selected them for that job in the first place?

That’s the idea behind Facebook’s just-announced Trusted Contacts feature.

You choose three to five trusted contacts that can request account recovery codes on your behalf, but you need to have three codes at the same time to complete the recovery process.

→ To configure this feature, assuming it’s available in your region and language, log in to Facebook and go to the “gear wheel” dropdown menu. Choose Account Settings, go to the Security tab and click on Trusted Contacts, then Choose Trusted Contacts.

This is bit like setting up a corporate bank account so that it requires multiple signatures, to prevent a rogue director operating alone.

As Facebook points out in its evangelism of this new service:

With trusted contacts, there's no need to worry about remembering the answer to your security question or filling out long web forms to prove who you are. You can recover your account with help from your friends.

Will it work?

I’ll give this approach a qualified “Yes.”

I like the fact that this effectively decentralises your identity (or, more correctly, your right to assume a specific identity) on Facebook, and lets you take control of it yourself.

There are risks, however.

As Facebook points out, you need to “choose people you trust, like friends you’d give a spare key to your house.”

But the company may be making a bit of a cultural leap there, because I’m not convinced that we yet treat access to other people’s online accounts with the same gravity as we do access to their property.

Nick Statt, a Readwriteweb journalist who was still at college when Facebook came onto the social scene, wrote about this very issue under the headline, “Can You Really Trust Your Friends?”

His concern over Trusted Contacts lies mainly in the fact that he, and his friends, seem to have spent their formative adult years in a milieu in which “If anyone left their account open on any computer that wasn’t their own that person’s Facebook account was fair game.”

And even if your friends don’t share what Nick Statt calls the “joy of Facebook hacking,” you have to be sure that your Trusted Contacts will heed Facebook’s own warning:

Your trusted contacts should make sure it's you before giving you security codes.

In theory, three out of the three-to-five chums you choose to be your Trusted Contacts would need to collude to rip your account off.

But in practice, one turncoat “friend” might very well be able to collect three codes for himself by applying social engineering to two of your other friends.

For example, he could ask the others to generate recovery codes and send them to what he says is your new email account, and tell them that you weren’t able to call everyone individually because you had to use a borrowed phone.

Apple took a different approach when it introduced two-factor authentication recently, preferring instead to rely on a single recovery code so that only you can reset your password.

Apple reminds you to write it down and keep it somewhere safe – what you might do, in fact, with a spare key to your house.

That’s an approach I think I prefer, but I can see why Facebook didn’t want to rely on a single, long-lasting recovery code.

After all, the temptation to store the master password somewhere insecure (such as in an unencrypted file on your everyday computer) will just be too great for some users.

Worse still, if you lose that one-off master password, then you’ll lose access to your account forever.

And that, if you remember, is the very problem we were trying to avoid at the top of the article.


12 comments on “Facebook introduces Trusted Contacts, makes you ask, “How much do I trust my friends?””

  1. Philip Le Riche says:
    May 4, 2013 at 12:25 pm

    I'd welcome this, though there are obvious pitfalls, as with any authentication method. We've long been stuck with "something you know" – and the problems with passwords are too numerous and well known to waste electrons on, "something you have" – but you haven't got it when you need it and fall back onto an insecure "security" question or else you "have" so many "things" for different accounts it's a pain, and "something you are" – but you can rarely get an accurate estimate of the false positive or false negative rates and you can never be sure that tomorrow, someone won't invent a clever method of spoofing it. The 4th factor – "someone you know" – is not new but is well worth exploring more than it has been. But clearly, just as we have rules for choosing good passwords, e.g. no dictionary words, we will need rules for choosing trusted friends. The obvious one, as you say, is people you'd trust your front door key to, or at least a third of your front door key. The next most obvious rule would be that they should be chosen from several different and largely non-overlapping groups of friends and who generally don't know each other, e.g. a trusted work colleague, a family member, and a long standing friend you know purely socially. I think I'd then go for it. It's still not immune to a clever and determined social engineering attack, but nothing is, and unless you're protecting the nation's nuclear secrets or the formula for Coke then you've half won the battle if you can simply make your account harder to crack than the next guy's. Anyway, I certainly don't greatly warm to Apple's "something else you know" and are going to hide so well that in 2 years time when you need it you've probably forgotten what you did with it!

    Reply
    • Paul Ducklin says:
      May 5, 2013 at 10:48 am

      You could always print out Apple's recovery code, cut the printout into N pieces and give one to each of N friends, with the number of characters in each piece reflecting the level of trust in each friend 🙂

      Then you have to remember who your friends were, of course. And to change all the codes if you decide to distrust any one of the friends…

      Reply
  2. Nigel says:
    May 4, 2013 at 6:26 pm

    "…I'm not convinced that we yet treat access to other people's online accounts with the same gravity as we do access to their property."

    Indeed. You're right to be unconvinced, because Facebook itself doesn't treat online accounts as though they were property. That's the reason I dumped my account. You think you've opted out of the most intrusive "features", and then later you find out that they've changed the rules and the way the features work yet again, without notification.

    Your privacy is your property, and you effectively surrender a great part of the control of that property to Facebook as the price of the "free" account they provide. The bottom line turns out to be, if you want to protect that property, don't hand it over to Facebook.

    Reply
  3. privatename says:
    May 4, 2013 at 6:56 pm

    It’s a terrible idea. Now you are trusting not just other people to not access your account, but also not to give access to other people.

    Reply
    • John Hunter says:
      May 5, 2013 at 11:26 pm

      You have to remember that not everyone’s friends are untrustworthy idiots. There’s an issue that no-one seems to have mentioned: the fact that if one or more of those friends closes or even loses control of their account, then you’re knackered. If I were to do it, I would use family members. I have enough of them as Facebook friends and I also trust them more than any of my friends.

      Reply
      • Mrs. W says:
        May 6, 2013 at 5:43 pm

        If I were on Facebook (which I'm not), I'd give access to a handful of our good friends in the security industry, whom I'd trust to guard it with their lives and not get social-engineered.

        Oh wait. . .

        . . .just one hitch in my plans. . .

        none of them are on Facebook either. 😛

        Reply
  4. John says:
    May 4, 2013 at 6:58 pm

    I'm not sure this will work well if the Facebook account is taken over by someone else since all they have to do is march over to your trusted friends list and clear it out.

    Reply
  5. Nathan says:
    May 6, 2013 at 3:40 pm

    I prefer the "security code" method. I'm sure 99% of people who use Facebook have a phone. A simple text message with an authorization code should be enough. Heck, make it even *more* secure by requiring the three codes from the "trusted contacts" AND this authorization code that can only be generated by the account's owner (like say, a registered phone number on the account).

    Let's face it: security has its advantages and disadvantages. Implementing something like this involves handing over personal information like a phone number, but a majority of users already have that information anyway.

    I'd much rather see a public key challenge 🙂 but that's just the geek in me. Facebook generates a keypair and you download the private key to store someplace safe (like you would a key!). Having a bunch of options to choose from would appease more users.

    Reply
  6. Mēhãk Jãñ says:
    June 15, 2015 at 9:46 am

    Your trusted contacts should make sure it’s you before giving you security codes.

    Reply
  7. ijaz says:
    July 8, 2015 at 12:21 pm

    I have only two trusted friends on fb, how can I use them to recover my email?

    Reply
  8. Keisha Griffin says:
    September 4, 2017 at 4:48 pm

    I have 3 trusted friends and the codes don’t work. I need to change my friends; how do I do that? I want to get back to my family and friends.

    Reply
  9. Bryan says:
    November 16, 2019 at 5:45 am

    My daughter can’t log in (locked out from putting the wrong pass in too many times). Using “trusted contacts” is the ONLY option facebook gives her.

    Facebook picked 5 contacts. 2 of them don’t use facebook and don’t know their passwords, and another one gets this message: “Please tell your friend that you are not one of the trusted contacts they set for their account.” So only 2 of the contacts can help her, but facebook wants 3! What kind of crap is this?

    There are no other options, so she’s screwed.

    Why can’t the email verification be enough?? Her email wasn’t hacked! Neither was her facebook account……

    Reply

