VANCOUVER–Authentication is one of the thornier problems in security and it’s one that’s never been solved to any real degree, despite decades of research, technological advances and trial and error. For companies such as Facebook that have to deal with authentication on a massive scale, the problem is even more difficult. Facebook is trying a number of different “social” authentication methods right now, and while some are innovative, they all come with serious drawbacks and weaknesses.
The company at the center of the social media boom–and not a few privacy and security tussles–has more users than many small countries have citizens and one of the issues that presents is a tremendous number of login attempts each day. Facebook sees approximately 1.1 billion login attempts on a daily basis, and some percentage of those obviously are attacks or phishing attempts. What the company has done to try and defeat the large-scale phishing campaigns that have plagued it for years now is to begin using a variety of secondary challenge systems to determine whether a user who has failed the first authentication attempt is the actual user.
“We need to put friction in front of the users, but it can have a detrimental effect. The notion of suspicious logins isn’t set in stone. It changes,” Alex Rice, who leads the product security and privacy team at Facebook, said in a talk at the CanSecWest conference here Wednesday. “False positives in this type of classification aren’t only expected, they’re very, very common.”
One of the things Facebook is trying is a system that asks users to positively identify friends in a series of photos. The user is told that in order to pass the challenge, she can’t get any of the photo-based questions wrong. However, that’s not actually true.
“That’s a dirty lie,” Rice said. “You can get several of these answers wrong and pass. The reason being, we find that when we tell people that, they fly through it. But when lie to you, you spend more time thinking about it. It’s one of the few places where we flat-out lie to people.”
That method has some problems, though, not the least of which is the process of choosing photos for the challenge. That’s done through automation, and the system will sometimes show users a photo that doesn’t include an identifiable face. And the system also raises some privacy issues around the photos. If an attacker is trying to login to a victim’s account and faces that challenge, he may see several photos that could give him more information about his target.
Facebook also has a system in place that allows three of a user’s friends to vouch for her if she can’t access her account and has forgotten her password. None of these systems is ideal, but Rice said that many of the traditional alternatives, such as two-factor authentication, are out of reach for the company.
“We can’t use tokens, because there’s too many headaches. Even if we could pass the cost off to the users, getting the tokens to even a small percentage of our users would be difficult,” he said.
What Facebook is trying to accomplish with these systems is not defeating every attack, but making large-scale phishing campaigns impractical on the site.
“It essentially got us to the point where we could solve large-scale phishing,” he said. “And a year and a half ago, that absolutely is not something we could have said. Phishing was one of the biggest problems on the site.”