Facebook is introducing two new measures to beef up security: expanding HTTPS connections as an all-the-time option and using social captchas to authenticate users who have lost passwords. Let’s take these one at a time.
HTTPS is a secure connection (more secure than plain-vanilla HTTP connections), and Facebook already uses HTTPS when you log into an outside site through Facebook Connect and send your password back to Facebook. But now you will have the option to set HTTPS as the default connection for everything you do on Facebook itself. Pages will load slower over HTTPS, but you also won’t be vulnerable to people sniffing your password over WiFi using something like Firesheep. (Maybe Facebook should offer a “more secure” on/off button you could click every time you are not on a secure network at your home or office.) Some app developers will need to use a new “Secure Canvas URL” so that their apps can also be accessed over HTTPS.
The social captcha feature is pretty clever. It will replace regular captchas (those slightly warped letters you are asked to re-enter to prove you are human) with a picture of one of your friends. You will need to identify the person to authenticate yourself when you are trying to retrieve a lost password or Facebook detects suspicious login activity on your account. You do know what all your “friends” look like, don’t you?