Facebook’s new social verification process prevents the sort of collusion that some security researchers had found via hypothetical means.
Last week, researchers at the University of Illinois said they were able to use collusion to gain access to their friend’s Facebook account. The exploit involved use of a new verification system launched by Facebook to help more users of the site recover their passwords.
However, we’ve since learned that this hack won’t work, and apparently was a strictly hypothetical scenario.
Facebook’s security team has explained to us that sufficient protections are in place that should theoretically keep users secure, despite the fact that the researchers were once able to break the system.
How Social Verification Works
Social verification provides a last resort for those users who have lost their password. The way it works: A user needs to select three friends who will each receive a verification code. The user then calls each of those friends to receive the code.
Facebook says that this system is collusion-proof, contradicting what the security researchers at U of I had claimed. A number of protections are included:
- Users receive alerts via email whenever their account begins the social verification process, and the account is also placed into lockdown for at least 24 hours.
- Once a user completes the social verification process, the user who owns the account can still override the process if they were not the person who completed verification (and instead a hacker was performing the act).
- As a user selects friends to have their verification codes sent to, closely connected friends are pulled from the list of options. In other words, there are some anti-collusion mechanisms built into the system.
- If the user does not have a sufficiently disperse friend network, the individual will not be given the opportunity to complete the social verification process as a means for retrieving the password.
Facebook also stressed that a third-party security team has verified that this system is indeed safe. Unfortunately, we have not been able to put Facebook’s system to rigorous testing. However, the social network seems pretty adamant that this is extremely secure and that the additional protections built in to the system should be sufficient enough to provide protection to the user.
If this system weren’t completely secure, Facebook risks running into issues as more users take advantage of the company’s Credits program. While there are certain fail-safes in place, a compromised account for any period of time should be completely unacceptable.
Facebook clearly is standing strong behind this new password recovery system. We’ll have to wait and see if any other parties find flaws in it.
What do you think about this aspect of security at Facebook?