UPDATE (November 28, 2012): Added a link to recent post on Facebook Login Notifications.

If you want to stay in touch with your Facebook Friends throughout the day, sometimes you have to access your Facebook account using computers or mobile devices that you do not own. You may be a student and use the school’s computers. If you work in an office environment, your office computer might be the one you use. These devices can have malicious software that might capture your Facebook account username and password. Once an attacker, spammer, or malevolent person gets a hold of your Facebook account, they can make your life difficult by sending dangerous links or unsolicited commercial messages (spam) to your friends. Others may cause havoc for you personally by changing your status or profile, taunting and annoying your Facebook Friends, or sending obscene or hateful messages to other people. Since these message appear to come from you, you will have the burden of resolving the problems caused. It is better to protect your account from unauthorized access and avoid the unpleasant aftermath from losing control of your account.

Facebook provides two security tools that allow you to control access to your account from various devices. Login Approvals are used when your Facebook account logs in from a different computer or device. A security code is sent to you via text message. Login Notifications, which I covered in “Facebook Security: Use Login Notifications to Watch for Unauthorized Access“, inform you when your Facebook account is used to login from a new, unrecognized device. Using these tools together, you can control your account access and to be informed when a new device is used to access it.

Login Approvals work by sending you a text message to your registered mobile phone when you log into your Facebook account from a different computer or mobile device or from a different web browser. After your Facebook username and password are entered, Facebook sends you to a page where you are asked to enter your security code. Simultaneously, a text message is sent to your mobile phone. The text message contains a six-digit security code that you must enter on the web page. Once the security code is entered correctly, you will asked to create a name for the device. This allows you to assign a unique name that you can remember later when you review the devices you have previously approved. After that, you can use Facebook normally with the new computer or device. Someone with your Facebook account username and password will not be able to get your unique security code sent to your mobile phone, so they will not be able to access your Facebook account.

Enabling Login Approvals

Setting up your Facebook Account to use the Login Approval system requires that you register your mobile phone with Facebook. To register your mobile phone, check out my article “Facebook Security: Register Your Mobile Phone to Use Advanced Security Features“. Once you have that configured, you can receive codes from Facebook when you need to log into a computer that you do not own.

1. Click on the “triangle” drop-down menu in the upper right portion of the Facebook page.
2. Select “Account Settings”. A new page will open.
3. On the upper left portion of the Facebook page you will see a tab called “Security” with a gold badge icon next to it. Click on it.
4. A list of security settings are presented. Look for “Login Approvals” and click on it.
5. Enable Login Approvals by selecting the checkbox. A window will open that describes Login Approvals and how it works. Click on the “Set Up Now” button to proceed.
6. Facebook will send a text message to your mobile phone with a six-digit code. A window will open and ask you to enter the code you received. Enter the code and click “Submit”.
7. Facebook will then ask you to name the computer you are using. This is your chance to choose a useful name that you can recognize later in a list of known devices. Choose a name for your computer, like “Home Computer” or “Work Laptop”, and click “Next”.
8. Login Approvals are now enabled. A new window will open with some additional details and security warnings. These are important, so please read the information provided. Click “Next”.
9. Another window will open and ask you to configure the Code Generator. I’ll cover the Code Generator in an upcoming article. For now, click “Not Now”.

Logging into Facebook with Login Approvals

When you have Login Approvals configured, you will be asked to enter a code each time you log into your Facebook account from a computer or device you have not used previously. In Facebook terms, this is an “unrecognized” computer or device. When you use a different device, Facebook wants to make sure that it really is you. To do this, the code is sent to your mobile phone, which is the one piece of equipment that you are likely to have with you at all times.

When you log into Facebook, enter your username and password as usual. If they are correct, you will receive a text message on your phone from Facebook. Enter that code on the “Enter Security Code” web page. Once you enter the correct code, you will be ask to choose a name for the device. Choose a unique name that will allow you to remember the device you are using.

If someone has been trying to log into your Facebook account but has not entered the correct code, Facebook will ask you to review those entries. This is your opportunity to see if your account is being targeted. In some cases, it might be you. You may have made a mistake will logging into your account. Review these attempts carefully though. It may mean that someone has your account password. While they didn’t get into your account, it might be a good time to change your password, just in case.

Login Approval Considerations

Using the Facebook extra security features like Login Approvals for controlling access to your account can reduce the chances that someone can take over your Facebook account, but there are some things to remember when using these tools:

1. When you log into the Facebook mobile application, you will see a message indicating that a text message has been sent to your registered cell phone. Click “OK” and you will return to the login screen again. (You can exit the mobile application to retrieve the security code and then launch the mobile application again.) Enter the security code from the text message into the “Password” field. If entered correctly, you will be able to access Facebook through the mobile application. If you have Login Notifications enabled, you will also receive an email notifying you that your account was accessed on a mobile device.
2. Facebook uses cookies to aid in recognizing computers and devices. If your web browsing is configured to delete cookies every time you quit the web browser software, then Facebook will attempt to approve your device every time you log into Facebook. You can either configure the web browser to not delete cookies when exiting or approve the device every time.
3. Private browsing is a web browser mode that does not save cookies, your browsing, and other privacy related information. Accessing Facebook using a private browsing mode will require you to approve your device every time you log into Facebook. You can either avoid using private browsing or approve the device every time.
4. If you lose your cell phone, you cannot receive the security code to log into your Facebook account from new devices. If this happens, you need to log into your Facebook account from a previously approved device, disable Login Approvals, and remove your cell phone from Facebook.
5. If you delete your registered cell phone from Facebook, Login Approvals will be disabled automatically. An email will be sent indicating that it was turned off. You cannot use Login Approvals without a cell phone to receive the security code.
6. You may need to create Facebook App Passwords for applications that cannot use Login Approvals. I will cover those in an upcoming article.

Resources

Check our guide: Own Your Space, “A Guide to Facebook Security”

Facebook Extra Security Features

Some Facebook users access Facebook using a variety of computers, some of which they do not own. If you are at the library and want to ask a question of your teacher or fellow students, you can use a library computer to log into Facebook and ask your question. If you are visiting a friend’s house and want to share a photo you just took with your friends on Facebook, you can log into your Facebook account and upload the photo. You may just be hanging out at a cafe and want to check into Facebook to see what’s going on. You can use the cafe’s computer to check in at Facebook. But have you thought about that computer on which you are logging into Facebook?

Not every computer is safe to use. Personal computers are the targets of spammers and attackers and are often hosts to malicious software. Malware known as “keystroke loggers” can record every character you type on the keyboard, including all of the ones for your online account usernames and passwords. Once collected, those usernames and passwords can be used to access your online accounts without your permission, and perhaps without your knowledge. Keystroke loggers and other malicious software can be “installed” by deceiving the user or using vulnerabilities in software on the computer. Users can be tricked into installing software that appears to be legitimate but is not. Other types target and exploit weaknesses in the software of the web browser, an extension or plugin, or even the operating system itself.

One-time passwords are a way of authenticating yourself to a system through the use of a single-use secret that is specific to you and may have a limited time period of validity. In other words, you have two passwords. One that you know. One that is generated for you or sent to you. You have to have both passwords to log in. Some one-time password systems involve the creation of one-time passwords through a software tool, having a printed list of passwords that you carry with you, or a small hardware device that displays a new series of numbers every minute.

Facebook’s one-time password system uses your mobile phone and its text message capabilities. When you need to log into Facebook on a public computer or someone else’s, you send a text message to Facebook and within a minute or so you will receive a message back with a six-digit number, which is your one-time password. This password is valid for twenty minutes. In order to use the Facebook one-time password system, you will need to register and verify your mobile phone with Facebook first. This is necessary to prove that you are the owner of the phone number for your mobile phone.

Facebook also added the ability to generate the one-time password using the Facebook Mobile App. I’ll cover that App in a future article.

Enabling One-time Passwords

Setting up your Facebook Account to use the Facebook One-time Password system requires that you have a registered mobile phone with Facebook. I cover registering your mobile phone in another article. Once you have that configured, you can request one-time passwords from Facebook when you need to log into a computer that you do not own.

Requesting a One-time Password

Here is how to request a one-time password to log into Facebook from a public computer or someone else’s computer:

1. Use your registered mobile phone and send a text message with the message “otp” to 32665 (“FBOOK”), which is the SMS short code for Facebook. Within a minute or so, you should receive a text message in reply with a one-time password.

   

2. Go to the Facebook login page. Enter your Facebook email account username and the 6-digit one-time password into the password field. If you entered everything correctly and within the twenty minute time period, you should be logged into Facebook.

One-time Passwords Considerations

One-time passwords reduce the likelihood that your Facebook password will be captured by spammers or attackers, but there are some things to keep in mind.

1. Any computer can be untrustworthy, including your own. Your best defense is to make sure your computer has the latest software updates installed and that your anti-virus software is updating daily and scanning the system regularly. Always install the updates when prompted and enable auto-updates, if available. Does this mean that you should use one-time passwords on your own computer? The answer might be “yes” if you have not applied updates in a while or have no anti-virus software installed.
2. Sometimes the Facebook One-time Password system may not send a response quickly after you request a one-time password. Be patient. They usually arrive within a minute.
3. The one-time passwords that you receive from Facebook over SMS are valid for twenty minutes. If you request one and are not able to log in before the twenty minutes are up, just request another one.

Resources

Check our guide: Own Your Space, “A Guide to Facebook Security”

Facebook Extra Security Features

Facebook has added several security features to keep your account safe from attackers and spammers. Some of these features use your mobile phone to alert you about activity on your account and to request and receive security codes to log into your Facebook account. Facebook One-time Passwords allow you to request a unique code to log into your account from untrusted public or borrowed computers. This system protects your account because you need your account password and a code that is sent to your phone. Facebook Login Approvals send codes to your mobile phone when you log into your Facebook account from a computer that you have not used before. Facebook Login Notifications alert you when your account is accessed from a computer have not used before. All of these advanced Facebook security features take advantage of a device that you are likely to be carrying nearly all of the time. Mobile phones are a quick way for Facebook to notify you about login activities on your account and to give you access to your account when you are using a different computer.

To use these features, you need to register your mobile phone with Facebook. By registering, you confirm that you are the owner of the phone. The registration process is designed to ensure that you have the phone in your possession. This is accomplished by having you send a brief message to Facebook’s text messaging number. Once you do, you will receive a reply text message with a code that you then enter into mobile phone configuration on Facebook’s web site.

UPDATE (November 26, 2012): Facebook has started rolling out HTTPS by default for all users. More information was released in a November 14, 2012 Platform Update on the Developer Blog.

In October 2010, Eric Butler demonstrated a problem with open networks. It’s easy to capture network data and steal authentication credentials (a “cookie”) from other wireless users. It’s especially easy to do on open wireless networks. So easy, that Eric created a simple Mozilla Firefox plugin for everyone to try called Firesheep. Using this simple tool, anyone could grab the cookie that allowed an authenticated user to browse their private web pages from sites like Twitter and Facebook. Very easy.

In response, Facebook and many other sites provided a security feature to prevent Firesheep and similar tools from working. They now provide the option to encrypt your entire session over the Secure Socket Layer or SSL. This is also referred to as “https”. When your session is encrypted, other network users cannot see the data you send and receive. You also guaranteed to be communicating with a legitimate Facebook server because SSL provides server authentication as well. On Facebook, this advanced security feature is called “Secure Browsing”.

Enabling Secure Browsing

It is a good idea to enable this feature. Here is how you do that:

1. Click on the “triangle” drop-down menu in the upper right portion of the Facebook page.
2. Select “Account Settings”. A new page will open.
3. On the upper left portion of the Facebook page you will see a tab called “Security” with a gold badge next to it. Click on it.
4. A list of security settings are presented. Look for “Secure Browsing” and click on it.
5. The option to enable Secure Browsing will slide down. Select “Browse Facebook on a secure connection (https) when possible” and click the “Save Changes” button.
6. Reload the Facebook pages you have open. You should now be able to verify in your web browser that the connection is encrypted to prevent eavesdropping.

Once you have Secure Browsing enabled, you’ll notice that your web browser location bar will change. It will display a lock indicating that the site uses SSL.

Secure Browsing Considerations

There are many advantages to using Facebook Secure Browsing and no significant disadvantages. Once enabled, you no longer have to worry as much about your information being captured over the network, having your account compromised through session hijacking, and that you are connected to a legitimate Facebook server through server authentication. Facebook also now requires all third-party developers to provide SSL-enabled Apps through the Facebook platform. This means that the Facebook Apps you use are exchanging your information over an encrypted communications channel using SSL. One common complaint is that using SSL is slow. Most modern computers and laptops are so fast that there is literally no noticeable delay when using Secure Browsing. Facebook and other services also use very fast servers that can crunch through the cryptographic operations quickly too. You should see no delay that can be traced to Secure Browsing.

Just remember that you can be fooled. Periodically check your web browser location bar for the lock symbol. Some attackers create fake web sites (called “phishing” sites) to capture usernames and passwords by tricking users into thinking they are using the correct web site. If the lock is not present, then your information is not private and may have been compromised. If in doubt, return to the real Facebook URL.

Resources

Check our guide: Own Your Space, “A Guide to Facebook Security”

Facebook Extra Security Features