Although it’s not apparent to many, Facebook is in the process of transforming itself from the world’s most popular social-media website into a critical part of the Internet’s identity infrastructure. If it succeeds, Facebook and Facebook accounts will become an even bigger target for hackers.
As security professionals debate whether the Internet needs an “identity layer”—a uniform protocol for authenticating users’ identities—a growing number of websites are voting with their code, adopting “Facebook Connect” as a way for anyone with a Facebook account to log into the site at the click of a button.
Facebook introduced Connect back in July 2008, offering third-party websites tools to coordinate with the user information that Facebook holds, including logins. Thus websites had the option of allowing Facebook users to identify themselves with their Facebook identities.
So, for instance, the Web statistics vendor Alexa gives new users the choice of creating an account by entering a username and a password or by simply clicking the “Connect with Facebook” button. Well-known websites that also use Connect include the Internet Movie Database, Ask.com, and ESPN. Others will almost certainly jump on the bandwagon in 2011.
Facebook’s identity system might very well supply something that VeriSign, Microsoft, Yahoo, and Google have all struggled to offer: a single “driver’s license” for the Internet. (This leaves aside the question of whether it’s a good thing for one company to hold such a position of power.)
A unique combination of factors makes Facebook well suited to being the repository for people’s identities on the Internet. Unlike many popular websites, it requires users to register and log in. And Facebook’s terms of service require that “users provide their real names and information”—indeed, Facebook has terminated accounts that were created with seemingly fake names or for fictional characters. Since Facebook users invest their accounts with a tremendous amount of durable personal content—including photographs, contact information, and connections to their social network—they are likely to keep a long-term relationship with the site.
This persistence of real identity puts Facebook in a position to solve one of the most pressing problems on the Internet today—the proliferation of user names and passwords.
Contrary to today’s practice, there is no reason for most websites to force their users to create usernames and passwords. Most websites don’t need or even want to manage the identities of their users—they simply want a way to reliably identify their users over time. Media websites, for instance, want to be able to attribute comments and limit spam. Personal-finance websites want to give users a way to monitor highly personal information securely—for example, a portfolio of stocks that the user might enter.
What’s more, maintaining a user-identity infrastructure has its risks—as was made painfully clear last month when hackers broke into servers operated by Gawker Media and downloaded the user names and passwords for more than a million of Gawker’s accounts. Even though the passwords were encrypted, many were easy to guess, so the accounts could be readily cracked, according to an analysis of the attack by security researchers at the University of Cambridge. Following the attack several unrelated websites, including LinkedIn and Woot, sent e-mail to their users warning them to change their passwords if these were the same ones as they used for Gawker.
Facebook Login lets any website on the planet use its identity infrastructure—and underlying security safeguards. It’s easy to implement Facebook Login, simply by adding a few lines of code to a web server. Once that change is made, the site’s users will see a “Connect with Facebook” button. If they’re already logged into Facebook (having recently visited the site), they can just click on it and they’re in. If they haven’t logged in recently, they are prompted for their Facebook user name and password.
An interesting side benefit for website operators is that Facebook Login provides the site with users’ real names (in most cases) and optionally a variety of other information, such as the users’ “friends” and “likes.” Currently, Facebook doesn’t charge websites to use its identity infrastructure or access this additional information, though Facebook certainly could in the future.
Facebook is already well acquainted with Internet security issues, simply because it holds personal data for more than 500 million people. The increased use of the Facebook platform for things beyond social media—a bank in New Zealand, for instance, announced in November that it would allow customers to access banking information on Facebook—obviously raises new concerns. And if the company extends its reach to offer a universal login on the Web, the challenges it’s likely to face will become greater still.
Indeed, over the last few years Facebook has taken steps to improve the security of its platform in several ways.
For example, last year Facebook introduced a system that lets users request a one-time password to log in from a public terminal that might have keystroke-logging spy software installed. Users send an SMS text message containing the letters “otp” to 32665 (“FBOOK”) from a registered cell phone, and Facebook’s servers send back a password that can be used just once to log into the user’s account. The theory is that it doesn’t matter if a hacker is running a password sniffer, since the password won’t work a second time.
Another innovation is the way that Facebook allows users to monitor the various Web browsers and devices from which they log into Facebook. By clicking on the “Account Settings” pull-down menu and selecting the “Account Security” section, Facebook users are able to see all of the devices currently authenticated, any of which can be remotely logged out—useful if you happen to leave yourself logged in on your parents’ computer. You can also have Facebook send an SMS notification to your cell phone whenever a new device accesses your Facebook account. Of course, if you see a connection from a machine that you don’t recognize, it’s time to change your password.
Unfortunately, Facebook still has two important vulnerabilities that make its website significantly less secure than those of most U.S. banks: its reliance on a single user name and password to gain access to an account, and its use of an unencrypted cookie for tracking which web browsers are logged in.
The user name and password combo provides a point of weakness. Facebook accounts can be compromised by an attacker who might steal this information from another site—or guess it by trying many combinations in succession (a so-called brute-force attack).
“We’ve built systems to protect against these types of brute-force attacks,” says Simon Axten, a spokesperson for Facebook. “For example, if we detect a number of suspicious login attempts for a given account, we will require a CAPTCHA, and we may even temporarily suspend access to the account.”
Facebook monitors a number of “signals,” including location and device, Axten says, to determine when an account is being subjected to a sustained attack. “Once we’ve flagged an attempt—even if the correct login credentials have been entered—we’ll require the person logging in to provide additional authentication by, for example, answering a security question, entering a code sent via SMS, or identifying friends tagged in photos to which the account owner has access.”
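A sketch of the escalation policy described above, added here as an illustration and not Facebook's code: repeated failures trigger a CAPTCHA and then a temporary suspension, and a flagged account or an unfamiliar device and location forces additional authentication even when the password is correct. The class name `LoginGuard`, the thresholds and the result strings are assumptions.

```python
import time
from collections import defaultdict, deque

# Assumed thresholds: the article gives no numbers for Facebook's system.
WINDOW_SECONDS = 600    # how long a failed attempt counts against an account
CAPTCHA_AFTER = 3       # recent failures before a CAPTCHA is demanded
SUSPEND_AFTER = 10      # recent failures before logins are suspended


class LoginGuard:
    """Hypothetical per-account escalation: denied -> captcha -> suspended."""

    def __init__(self, now=time.time):
        self._now = now
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._known = defaultdict(set)       # account -> (device, location) seen

    def _recent_failures(self, account):
        q = self._failures[account]
        cutoff = self._now() - WINDOW_SECONDS
        while q and q[0] < cutoff:           # drop failures outside the window
            q.popleft()
        return len(q)

    def attempt(self, account, password_ok, device, location):
        n = self._recent_failures(account)
        if n >= SUSPEND_AFTER:
            return "suspended"               # refused even with the right password
        if not password_ok:
            self._failures[account].append(self._now())
            return "captcha" if n + 1 >= CAPTCHA_AFTER else "denied"
        # Correct password: still challenge when the account is flagged or the
        # device/location signal has not been seen for this account before.
        known = self._known[account]
        if n >= CAPTCHA_AFTER or (known and (device, location) not in known):
            return "step_up"                 # e.g. SMS code or security question
        known.add((device, location))
        return "ok"

    def step_up_passed(self, account, device, location):
        """Record a successful additional-authentication challenge."""
        self._known[account].add((device, location))
        self._failures[account].clear()
```

Passing a fake clock as `now` makes the time window testable without sleeping.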
Nonetheless, there are ways to gain access to a person’s Facebook account even without knowing the password. That’s because Facebook uses something called an authentication cookie to keep track of a Web browser when it’s logged in. Unlike Facebook passwords, which are encrypted when they’re sent over the Internet, the cookies are sent to Facebook’s non-encrypted Web servers every time a computer communicates with the site. This isn’t much of a risk if you are using a hard-wired Internet connection or an encrypted wireless connection at work or at home. But if you are using Facebook over an unencrypted wireless access point at a coffee shop or airport, someone running a packet sniffer on a laptop could steal your authentication cookie out of the air and then log into Facebook as you.
Such sniffing became easier than ever to perpetrate last fall, when Eric Butler, a freelance Web application and software developer in Seattle, released a Firefox plug-in called Firesheep that automates the process. With Firesheep running inside Firefox, you get a list of every authentication cookie that’s been sniffed: just click on the account name and—voilà—you are accessing the user’s account without even having to log in.
Right now the only way to protect yourself against cookie sniffing is by accessing Facebook using the encrypted connection at https://ssl.facebook.com/. According to Axten, the server is still undergoing testing and will be more widely promoted as an option “in the coming months.” He adds, “As always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks.”
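From the site operator's side, the exposure described above shows up in the response headers: a login cookie set without the `Secure` attribute is sent over plain HTTP as well as HTTPS. The following check is an added example, not from the article or from Facebook; the sample headers and cookie names are constructed, and it goes slightly beyond the text by also reporting a missing `HttpOnly` attribute and a missing `Strict-Transport-Security` header.

```python
# Constructed response headers for illustration, not captured from any site.
SAMPLE_HEADERS = [
    "Set-Cookie: session=9f2c41; Path=/; HttpOnly",
    "Set-Cookie: session_tls=71ab0e; Path=/; Secure; HttpOnly",
    "Set-Cookie: locale=en_US; Path=/",
]
AUTH_COOKIES = {"session", "session_tls"}  # assumed names of login cookies


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(header_lines, auth_names):
    """Return (cookie, problem) pairs for login cookies exposed to sniffing."""
    findings, hsts = [], False
    for line in header_lines:
        field, _, value = line.partition(":")
        field = field.strip().lower()
        if field == "strict-transport-security":
            hsts = True
        elif field == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if name in auth_names and "secure" not in attrs:
                findings.append((name, "no Secure attribute: sent over plain HTTP"))
            if name in auth_names and "httponly" not in attrs:
                findings.append((name, "no HttpOnly attribute: readable by scripts"))
    if not hsts:
        findings.append(("*", "no Strict-Transport-Security header"))
    return findings


if __name__ == "__main__":
    for cookie, problem in audit(SAMPLE_HEADERS, AUTH_COOKIES):
        print(f"{cookie}: {problem}")
```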
Axten says, “Facebook faces a security challenge that few, if any, other companies, or even governments, have faced—protecting more than 500 million people on a service that is under constant attack. The fact that less than one percent of Facebook users have ever encountered a security issue on the site is a significant achievement of which we are very proud.”