Facebook Hardens Authentication

Facebook recently announced an improvement to its logon system.  Login security seems to be taking a position front and center lately.  Wednesday we wrote about Yahoo’s new authentication system, and today we will move on to Facebook’s Login Approvals.

Previously, Facebook users were able to get Login Notifications. When you entered your user name (usually your email address) and password from a new location, browser, or device, Facebook Notifications would send users an alert to their email.  This way you would be able to know someone had improperly accessed your account.  Unfortunately, this is a bit like locking the barn door after the horse goes missing.

Login Approvals, the new authentication service, will send a 6-digit code to your cell phone by text message any time you, or anyone else, tries to log in from a new location, browser, or device.  Since theoretically only you will get the code, only you would be able to complete the login session.  An attacker would not.  Of course if you lose your phone…

You can also generate a code from the Facebook smartphone app, although when I tried this method out it took some digging to find the Code Generator.  (Open Facebook app, click on the pancake menu icon, scroll down to Help and Settings, click on Code Generator icon)

To turn on Login Approvals:

  1. Click the down arrow at the top right of any Facebook page
  2. Go to Settings > Security
  3. Click on Login Approvals
  4. Check the box and click Save Changes

Not hard to do.  I would recommend this to anyone, since Facebook account hijacking is second only to email account hijacking as a preferred target of cyber-criminals.  The reason, of course, is that once you have logged into either account, a tremendous amount of personal information can be gleaned with a little research, and can allow an attacker to craft a very clever personalized exploit.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
