In The Middle Of A Firestorm Over Privacy, Facebook Releases New Login Security Features

Facing a growing firestorm over its privacy policies in the wake of its plans to work its identity system into the underlying fabric of the Internet, Facebook responds the way it always does: by releasing new features. Today in a well-timed blog post, Facebook explains how it is adding new security features to make sure other people don’t log in with your account. Given all the phishing attacks that are now commonplace on Facebook (even board member Jim Breyer got hit), better security is obviously needed.

In addition to constantly monitoring for suspicious login activity in the background, Facebook now allows you to set which devices (laptops, phones, etc.) you normally log in from, and you can opt in to get a notice whenever somebody logs in from a different device. Facebook is also working behind the scenes to block logins from suspicious sources by asking security questions, much like Gmail does, although Gmail doesn’t go down to the device level (it looks at where people are logging in from).

All of this is long overdue. Facebook is a big fat target for scammers because people implicitly trust their friends and don’t think twice about clicking on links sent from them. So any measures to improve login security are welcome.

But this announcement does not answer the security questions associated with Facebook’s larger ambitions to bring “instant personalization” to other Websites via its Open Graph (with Like buttons, auto-login, and other features). Maybe the answer is somewhere in Facebook’s ever-growing privacy policy, which is now longer than the U.S. Constitution.