Categories
facebook security social media

Facebook Security: Use Login Notifications to Watch for Unauthorized Access

Sometimes you just need to borrow a computer to check Facebook. You may be in the school library or the computer lab. You may be at a friend’s house and want to show them a video or a post on Facebook. But can you trust the computer you are using? Does it have malware or a key stroke logger that can capture your username and password? How would you know? You may decide that the likelihood of this happening is pretty low. But what if you guessed wrong and some bad people have your account details. How would you know?

If an attacker were able to get your Facebook account details, they may want to use your account in ways that wouldn’t expect. They may merely want your account to spread commercial messages (spam) to your Facebook Friends. They may have more malicious purposes and try to get your Friends to try out a malicious Facebook App. Since they have access to your account, they are pretending to be you. Your Facebook Friends might not be able to tell that it’s not you. Since these message appear to come from you, you will have the burden of resolving any problems caused. It is simply better to protect your account from unauthorized access and avoid the unpleasant aftermath from losing control of your account.

Facebook provides two security tools that allow you to control access to your account from various devices. Login Approvals, which I covered in “Facebook Security: Using Login Approvals to keep bad guys out of your account“, sends a security code to you when your Facebook account logs in from a new computer or device. Login Notifications inform you when your Facebook account is used to login from a new, unrecognized device. Using these tools together, you can control your account access and to be informed when a new device is used to access it.

Login Notifications inform you when your Facebook account is accessed by an unrecognized device. Whenever you log into your Facebook account from a new device, you will be asked to give it a name. Once you do, Facebook will send you a text message and/or an email message telling you that your account was accessed from a new computer or device. If you were the person accessing your account, then you can ignore the message. If, however, it is not you, then the email message contains a link that you can click to secure your account and prevent the other person from using your account. If you are logged into Facebook when an unrecognized device is used to access your account, you will see a notification on the page and a message in your Notification drop-down menu. The notifications will have links for you to review the login and cancel it, if needed.

Enabling Login Notifications

Setting up your Facebook Account to use the Login Notification system requires that you register your mobile phone with Facebook. To register your mobile phone, check out my article “Facebook Security: Register Your Mobile Phone to Use Advanced Security Features“. Once you have that configured, you can receive codes from Facebook when you need to log into a computer that you do not own.

Setting up your Facebook Account to use the Facebook Login Approval system requires that you register your mobile phone with Facebook. Once you have that configured, you can request one-time passwords from Facebook when you need to log into a computer that you do not own.

  1. Click on the “triangle” drop-down menu in the upper right portion of the Facebook page.
  2. Select “Account Settings”. A new page will open.
  3. On the upper left portion of the Facebook page you will see a tab called “Security” with a gold badge icon next to it. Click on it.
  4. A list of security settings are presented. Look for “Login Notifications” and click on it.
  5. Select the methods by which you will be notified when your account logs into Facebook (email and text message) and click the “Save Changes” button.
Facebook account settings for Login Notifications
When you enable Login Notifications you may see a new window that describes some issues that may occur with the current configuration of your web browser. Review that information. You may need to make changes to your web browser configuration in order for Login Notifications to work well. The message from Facebook might also include some instructions on logging out of your account before Login Notifications begin to work.

Login Notification Considerations

Using the Facebook-provided tools for controlling access to your account can reduce the chances that someone can take over your Facebook account, but there are some things to remember when using these tools:

  1. With Login Notifications enabled for Email, you receive an email every time an unrecognized device is used to log into your Facebook account. If you suspect that someone is using your account without your knowledge, you can click the link in the email message to Secure Your Account. This will step you through the process of locking down your account to prevent misuse by others. If you enable text message notification only, there is no link in the message. You will need to log into Facebook and review the Active Sessions and remotely terminate access there.
  2. Facebook uses cookies to aid in recognizing computers and devices. If your web browsing is configured to delete cookies every time you quit the web browser software, then Facebook will attempt to approve your device every time you log into Facebook. You can either configure the web browser to not delete cookies when exiting or approve the device every time.
  3. Private browsing (or “Incognito Mode“) is a web browser mode that does not save cookies, your browsing history, and other web privacy related information. Accessing Facebook using a private browsing mode will require you to approve your device every time you log into Facebook. You can either avoid using private browsing or approve the device every time.
  4. If you are already logged into your Facebook account through a web browser, you will see a notification when your account is accessed from another computer or mobile device. From the Notifications drop-down menu you can cancel access to that device.
Facebook Login Notification through the web browser.

Resources

Check our guide: Own Your Space, “A Guide to Facebook Security

Facebook Extra Security Features

Categories
facebook security social media

Facebook Security: Using Login Approvals to keep bad guys out of your account

UPDATE (November 28, 2012): Added a link to recent post on Facebook Login Notifications.

If you want to stay in touch with your Facebook Friends throughout the day, sometimes you have to access your Facebook account using computers or mobile devices that you do not own. You may be a student and use the school’s computers. If you work in an office environment, your office computer might be the one you use. These devices can have malicious software that might capture your Facebook account username and password. Once an attacker, spammer, or malevolent person gets a hold of your Facebook account, they can make your life difficult by sending dangerous links or unsolicited commercial messages (spam) to your friends. Others may cause havoc for you personally by changing your status or profile, taunting and annoying your Facebook Friends, or sending obscene or hateful messages to other people. Since these message appear to come from you, you will have the burden of resolving the problems caused. It is better to protect your account from unauthorized access and avoid the unpleasant aftermath from losing control of your account.

Facebook provides two security tools that allow you to control access to your account from various devices. Login Approvals are used when your Facebook account logs in from a different computer or device. A security code is sent to you via text message. Login Notifications, which I covered in “Facebook Security: Use Login Notifications to Watch for Unauthorized Access“, inform you when your Facebook account is used to login from a new, unrecognized device. Using these tools together, you can control your account access and to be informed when a new device is used to access it.

Login Approvals work by sending you a text message to your registered mobile phone when you log into your Facebook account from a different computer or mobile device or from a different web browser. After your Facebook username and password are entered, Facebook sends you to a page where you are asked to enter your security code. Simultaneously, a text message is sent to your mobile phone. The text message contains a six-digit security code that you must enter on the web page. Once the security code is entered correctly, you will asked to create a name for the device. This allows you to assign a unique name that you can remember later when you review the devices you have previously approved. After that, you can use Facebook normally with the new computer or device. Someone with your Facebook account username and password will not be able to get your unique security code sent to your mobile phone, so they will not be able to access your Facebook account.

Enabling Login Approvals

Setting up your Facebook Account to use the Login Approval system requires that you register your mobile phone with Facebook. To register your mobile phone, check out my article “Facebook Security: Register Your Mobile Phone to Use Advanced Security Features“. Once you have that configured, you can receive codes from Facebook when you need to log into a computer that you do not own.

  1. Click on the “triangle” drop-down menu in the upper right portion of the Facebook page.
  2. Select “Account Settings”. A new page will open.
  3. On the upper left portion of the Facebook page you will see a tab called “Security” with a gold badge icon next to it. Click on it.
  4. A list of security settings are presented. Look for “Login Approvals” and click on it.
  5. Enable Login Approvals by selecting the checkbox. A window will open that describes Login Approvals and how it works. Click on the “Set Up Now” button to proceed.
  6. Facebook will send a text message to your mobile phone with a six-digit code. A window will open and ask you to enter the code you received. Enter the code and click “Submit”.
  7. Facebook will then ask you to name the computer you are using. This is your chance to choose a useful name that you can recognize later in a list of known devices. Choose a name for your computer, like “Home Computer” or “Work Laptop”, and click “Next”.
  8. Login Approvals are now enabled. A new window will open with some additional details and security warnings. These are important, so please read the information provided. Click “Next”.
  9. Another window will open and ask you to configure the Code Generator. I’ll cover the Code Generator in an upcoming article. For now, click “Not Now”.
Facebook Account Settings showing that Login Approvals are configured.

Logging into Facebook with Login Approvals

When you have Login Approvals configured, you will be asked to enter a code each time you log into your Facebook account from a computer or device you have not used previously. In Facebook terms, this is an “unrecognized” computer or device. When you use a different device, Facebook wants to make sure that it really is you. To do this, the code is sent to your mobile phone, which is the one piece of equipment that you are likely to have with you at all times.

Facebook Login requesting a Security Code

When you log into Facebook, enter your username and password as usual. If they are correct, you will receive a text message on your phone from Facebook. Enter that code on the “Enter Security Code” web page. Once you enter the correct code, you will be ask to choose a name for the device. Choose a unique name that will allow you to remember the device you are using.

If someone has been trying to log into your Facebook account but has not entered the correct code, Facebook will ask you to review those entries. This is your opportunity to see if your account is being targeted. In some cases, it might be you. You may have made a mistake will logging into your account. Review these attempts carefully though. It may mean that someone has your account password. While they didn’t get into your account, it might be a good time to change your password, just in case.

Login Approval Considerations

Using the Facebook extra security features like Login Approvals for controlling access to your account can reduce the chances that someone can take over your Facebook account, but there are some things to remember when using these tools:

  1. When you log into the Facebook mobile application, you will see a message indicating that a text message has been sent to your registered cell phone. Click “OK” and you will return to the login screen again. (You can exit the mobile application to retrieve the security code and then launch the mobile application again.) Enter the security code from the text message into the “Password” field. If entered correctly, you will be able to access Facebook through the mobile application. If you have Login Notifications enabled, you will also receive an email notifying you that your account was accessed on a mobile device.
  2. Facebook uses cookies to aid in recognizing computers and devices. If your web browsing is configured to delete cookies every time you quit the web browser software, then Facebook will attempt to approve your device every time you log into Facebook. You can either configure the web browser to not delete cookies when exiting or approve the device every time.
  3. Private browsing is a web browser mode that does not save cookies, your browsing, and other privacy related information. Accessing Facebook using a private browsing mode will require you to approve your device every time you log into Facebook. You can either avoid using private browsing or approve the device every time.
  4. If you lose your cell phone, you cannot receive the security code to log into your Facebook account from new devices. If this happens, you need to log into your Facebook account from a previously approved device, disable Login Approvals, and remove your cell phone from Facebook.
  5. If you delete your registered cell phone from Facebook, Login Approvals will be disabled automatically. An email will be sent indicating that it was turned off. You cannot use Login Approvals without a cell phone to receive the security code.
  6. You may need to create Facebook App Passwords for applications that cannot use Login Approvals. I will cover those in an upcoming article.

Resources

Check our guide: Own Your Space, “A Guide to Facebook Security

Facebook Extra Security Features