This week Facebook announced the availability of new security features for its users. Two significant features of note are the always-on "HTTPS" secure sessions, as well as the availability of two-factor authentication (aka strong authentication).
The use of "HTTPS" by websites enables secure information transmission, which helps protect users when sharing or sending personal information online. Many popular websites have added HTTPS (where the "S" at the end of HTTP stands for "secure") this year, due in part to the availability of interception tools like Firesheep. The server's SSL (secure sockets layer) certificate, and the encrypted session negotiated with it, is what makes the HTTP session secure [see example: VeriSign SSL]. The implementation of HTTPS by Facebook is currently an opt-in feature, but it would be to the benefit of all Facebook users to make this a default setting.
Two-factor, also known as strong authentication, is another layer of protection that addresses the outdated "username and password" model for authenticating a user, a model that far too many websites still use today and that provides little to no security on its own. Two-factor authentication works by requiring a user to provide not just a username and password, but also a unique, one-time-use security code generated by the user's authentication credential. The credential can sit within the user's web-accessing device of choice (i.e. their laptop or iPad), or within a mobile phone or other form factor that generates a one-time code at the press of a button. [See example: Symantec's VeriSign Identity Protection (VIP) Authentication Service]
According to the Facebook blog post announcing their new security tools, their strong authentication is only required when a user logs on from a new device or computer for the first time. Although this is a step in the right direction, requiring users to authenticate with a one-time security code every time they log on to Facebook would be far more impactful by offering greater levels of security.
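A counter-based one-time code of the kind described above, as an added example that is not part of the original post and is not Facebook's or VeriSign's implementation: it follows the RFC 4226 HOTP algorithm, the shared secret is a constructed sample value (the RFC's own test-vector secret), and the verifier shows why a code captured in transit is useless once it has been used.

```python
"""Added example (not from the original post): an HOTP one-time code
generator and verifier per RFC 4226, the style of counter-based code a
hardware token or phone app produces at the press of a button."""
import hashlib
import hmac
import struct

# Constructed sample shared secret (the RFC 4226 test-vector secret).
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 HOTP code for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[19] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side: remembers the next counter it expects for a user, so
    each code is accepted at most once, and tolerates a small look-ahead
    window for button presses whose codes never reached the server."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.counter = 0          # next counter value we expect

    def verify(self, code: str) -> bool:
        """Accept a code only if it lies in the look-ahead window; then
        advance past it so the same code (or an older one) is rejected."""
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # used: a replay of this code now fails
                return True
        return False
```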
The adoption of these features by Facebook provides a much-needed layer of security to its users and should be considered by the growing number of social networking websites that have quickly become a favorite target of fraudsters and identity thieves. We are excited to see these steps being made; now, it's a matter of educating users on why the opt-in security settings are important and how to turn them on.