Facebook's New Security Feature Made Me Think Too Hard About Who My Real Friends Are
Bad opsec is other people.
The biggest problem with most technological security features is the huge onus they place on the user to know what the hell they're doing.
Facebook recently launched a security feature that spreads the responsibility of getting back into your account among a few select friends, so you can log in after losing access to your password, email, and phone number. Select at least three trustworthy people, and they're given a URL with a code. Combine three codes correctly, and you're allowed back in.
It's well-documented that I can be a technological moron myself—at least when it comes to misusing well-intended security features for self-owns. This one, at first glance, seems to be another one of those cases: What if I chose unwisely? What if I don't know my fake friends from my real friends? I'm suspicious.
"Account recovery is essentially one of the hardest cases to securely design and build," security researcher Jessy Irwin told me in a Twitter direct message. "This kind of recovery and access scheme—splitting up the 'key' to get into something among separate people—is actually used in many, many places and secures the entire internet." The concept of secret sharing is used everywhere from ICANN's procedures for recovering from an attack, to bank accounts and missile launch codes.
The stakes aren't as high as a missile launch on Facebook, but the concept is the same: Spreading the keys around. "If it's done wrong (insecurely and unsafely), it can allow a malicious attacker or total jerk to take over your account with just a little bit of information about you," Irwin said, "which would suck."
Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, told me in an email that choosing responsible friends is the whole crux of this feature. "This works great as long as you can be sure that you are properly identifying your friends, and that your friends also take good care of their accounts," he said. It'd be helpful if Facebook would show you which of your friends also have two-factor login authentication enabled, Hall said, but the prompts it gives in the process of picking friends don't show that.
"If enough of your trusted friends get phished, their accounts could be used to take over yours," Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation, told me. For someone who has memory problems, it could help them avoid getting locked out of their account. But for most people, it's probably an unnecessary step. "I wouldn't recommend this recovery feature to people who have average to high security needs, and either good memory or a password manager," Hoffman-Andrews said.
In theory, if the friends I chose all know that they are my picks for account recovery, and if they're feeling devious, they could collude to get into my account without my email or phone number. I reached out to Facebook to ask for details about the feature development and design, but haven't heard back.
Since you have to choose at least three friends, it seems unlikely that someone with malicious intent and an intimate knowledge of your life—like a vengeful ex-partner or soured relationship—could hack into your account using this feature alone. Ideally, Facebook would send occasional reminders to review and update your friend selections. It at least warns you to call (instead of text or email) your friends for the code, so you know for sure it's coming from them.
Ultimately, the success of this feature depends on how well you know your friends. For my own little Fellowship of the Forgot My Fucking Password Ring, I assigned my Legacy Contact—the person officially tasked with caring for my Facebook account after I die—as one, my mom, and one other reliable friend. These are relationships that are unlikely to change, or at least end in a "I'm gonna try to hack you and ruin your online life" way, so they seemed like safe bets. But it did make me think about my relationship with each person and their ability and willingness to come through for me when I need them. If I'm desperately locked-out of my digital house, will these three rescue me?
Facebook sent each of them a notification that I chose them as my account recovery buddy. Like most features on Facebook—the "On This Day" throwbacks, little videos of "friendiversaries," and especially the Legacy Contact—this one's an emotional thirst trap dressed up like a helpful service. Reinforcing tenuous attachments to fake friends is what Facebook does best.
So we can think of this like a Myspace Top 8, but for account recovery. Maybe the warm and fuzzy feelings of being responsible for each other's digital wellbeing is just another way to keep us hooked.
Update: A Facebook spokesperson sent us the following comment:
"In 2013, Facebook launched Trusted Contacts so you can choose 3-5 friends to securely help if you ever have trouble accessing your account. You can choose and manage your trusted contacts anytime from your Security Settings, and it's important to choose people you trust, like friends you'd give a spare key to your house. For more information about Trusted Contacts, please visit here.