By David Tran on November 2nd, 2012
In mid 2011, Facebook announced two-factor authentication using mobile phones to verify its users and to protect accounts against takeover. The service is an opt-in feature known to Facebook users as ‘Login Approvals’. When a user logs in from a new or unrecognized computer, Facebook sends a code by SMS text message to the mobile number on file and requires that code before the login completes. Once the code is accepted, the user may save the device so that the challenge is not repeated on future logins from it. This additional layer helps prevent unauthorized access. Most accounts are otherwise protected only by a static username and password, which can be phished, guessed, or recovered from a breach of another site, exposing the personal information on a Facebook profile such as the account email, private messages, mobile numbers, and other private data.
Facebook’s ‘Login Approvals’ is a form of two-factor authentication: it combines the user’s login and password, something they know, with a unique one-time code sent by SMS to the user’s mobile phone, something they have. The password is checked first; only then is the code sent, and the user enters it into the login page to gain access to the account.
If a Facebook user somehow loses their phone and has the ‘Login Approvals’ feature turned on, they can still access their account using a saved device which has been granted access. Having recognized machines helps users prevent unauthorized access, prevents lockouts, and ensures users access to their accounts.
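The flow described above, as an added example that is not Facebook's code: a small server-side model of an SMS login-approval challenge. The class name, the `send_sms` callback, the five-minute code lifetime, the attempt limit and the HMAC-signed "saved device" token are all assumptions made for illustration. It shows the parts a practitioner cares about that the text does not spell out: the code is generated from a CSPRNG, expires, is voided after too many wrong guesses, cannot be replayed once used, and a saved device is just a token the server can verify without another SMS.

```python
import hashlib
import hmac
import secrets
import time

# Constructed, illustrative model of a "Login Approvals"-style challenge.
# All names and parameters below are assumptions, not Facebook's implementation.
CODE_TTL_SECONDS = 5 * 60   # a one-time code is valid for five minutes
MAX_ATTEMPTS = 5            # wrong guesses allowed before the code is voided
DEVICE_KEY = secrets.token_bytes(32)  # server-side secret for signing saved-device tokens


class LoginApprovals:
    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms    # callable(phone, text): the SMS gateway
        self.now = now              # injectable clock so expiry can be tested
        self.pending = {}           # user -> [code, issued_at, attempts]
        self.phones = {}            # user -> enrolled mobile number

    def enroll(self, user, phone):
        self.phones[user] = phone

    def challenge(self, user):
        """Issue a fresh six-digit code; called only after the password check passed."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.randint
        self.pending[user] = [code, self.now(), 0]
        self.send_sms(self.phones[user], f"Your login code is {code}")

    def verify(self, user, submitted):
        """True exactly once per issued code; expired, brute-forced or replayed codes fail."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self.now() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self.pending[user]          # void the code; a new challenge is needed
            return False
        entry[2] += 1                       # count every guess, right or wrong
        if not hmac.compare_digest(code, str(submitted)):
            return False
        del self.pending[user]              # one-time: the same code cannot be reused
        return True

    def issue_device_token(self, user, device_id):
        """'Save this device': an HMAC over user+device that skips future challenges."""
        msg = f"{user}:{device_id}".encode()
        return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()

    def needs_challenge(self, user, device_id, token):
        """Recognized device with a valid token -> no SMS; anything else -> challenge."""
        if token is None:
            return True
        expected = self.issue_device_token(user, device_id)
        return not hmac.compare_digest(expected, token)

    def login(self, user, password_ok, device_id, token=None):
        """Password first, then the SMS step unless the device was previously saved."""
        if not password_ok:
            return "denied"
        if not self.needs_challenge(user, device_id, token):
            return "granted"
        self.challenge(user)
        return "challenge_sent"


if __name__ == "__main__":
    outbox = []
    la = LoginApprovals(send_sms=lambda phone, text: outbox.append((phone, text)))
    la.enroll("alice", "+15550100")                     # constructed number
    print(la.login("alice", True, "laptop-1"))          # challenge_sent
    code = outbox[-1][1].split()[-1]
    print(la.verify("alice", code), la.verify("alice", code))   # True False (replay)
    tok = la.issue_device_token("alice", "laptop-1")
    print(la.login("alice", True, "laptop-1", tok))     # granted, no SMS
```

The token tied to `device_id` is what makes a saved device convenient, and also what makes it worth protecting: whoever presents it skips the SMS step entirely.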
Recently, Facebook removed from its search the mobile numbers of users who had enabled the optional ‘Login Approvals’, so that those numbers can no longer be found through a reverse lookup. Previously, a change to Facebook search allowed anyone to enter a mobile number and learn whether it was tied to a user’s ‘Login Approvals’. In other words, if you knew someone’s mobile number, or simply tried numbers at random, you could identify the person behind it whenever they had linked that number through ‘Login Approvals’. This is an account enumeration problem: left uncorrected, it would have let an attacker walk through long runs of sequential phone numbers and map each hit to a Facebook profile, turning a number handed over purely for security into a searchable identifier.
Facebook has disabled this reverse lookup for numbers used to authenticate a login, but reverse lookup remains enabled for every other user who displays a phone number publicly. The new restriction applies only to mobile numbers used for two-factor authentication, not to phone numbers users add in the ‘Contact Info’ section of their profiles.
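The enumeration problem and the two-layer fix described above, as an added example that is not Facebook's code. The directory, the names and numbers in it, the `searchable` flag (modelling the planned per-user choice, with the current restriction being the case where nobody has opted in) and the rate-limiter parameters are all constructed for illustration. It shows the flawed lookup resolving a number that was supplied only for ‘Login Approvals’, the corrected lookup refusing it unless the user opted in, and a per-client rate limit as the second defence, since public contact numbers remain enumerable through sequential scanning.

```python
import time

# Constructed sample directory; these are not real users or numbers.
# 'approval_phone' is a number given only for Login Approvals; 'contact_phone' is
# the public Contact Info number; 'searchable' models the planned opt-in.
USERS = [
    {"name": "Ann Example", "contact_phone": "+15550100", "approval_phone": None,        "searchable": False},
    {"name": "Bob Example", "contact_phone": None,        "approval_phone": "+15550142", "searchable": False},
    {"name": "Cy Example",  "contact_phone": None,        "approval_phone": "+15550177", "searchable": True},
]


def reverse_lookup_flawed(number):
    """Pre-fix behaviour: any number on file resolves, including 2FA-only numbers."""
    for u in USERS:
        if number in (u["contact_phone"], u["approval_phone"]):
            return u["name"]
    return None


def reverse_lookup_fixed(number):
    """Post-fix: public contact numbers resolve; a Login Approvals number only if opted in."""
    for u in USERS:
        if number == u["contact_phone"]:
            return u["name"]
        if number == u["approval_phone"] and u["searchable"]:
            return u["name"]
    return None


def enumerate_block(lookup, prefix, start, count):
    """The attack: scan a block of sequential numbers and keep every hit."""
    hits = {}
    for n in range(start, start + count):
        number = f"{prefix}{n:04d}"
        name = lookup(number)
        if name is not None:
            hits[number] = name
    return hits


class LookupRateLimiter:
    """Fixed-window per-client counter: blunts sequential scans even for public numbers."""

    def __init__(self, max_per_window, window_seconds, now=time.time):
        self.max = max_per_window
        self.window = window_seconds
        self.now = now
        self.counts = {}            # client -> (window_start, count)

    def allow(self, client):
        t = self.now()
        start, count = self.counts.get(client, (t, 0))
        if t - start >= self.window:        # window elapsed: start a fresh one
            start, count = t, 0
        if count >= self.max:
            self.counts[client] = (start, count)
            return False
        self.counts[client] = (start, count + 1)
        return True


def guarded_lookup(limiter, client, number, lookup=reverse_lookup_fixed):
    """Lookup behind the rate limit; returns None once the client is over budget."""
    if not limiter.allow(client):
        return None
    return lookup(number)


if __name__ == "__main__":
    block = ("+1555", 100, 100)             # +15550100 .. +15550199, constructed range
    print(enumerate_block(reverse_lookup_flawed, *block))   # all three users leak
    print(enumerate_block(reverse_lookup_fixed, *block))    # Ann (public) and Cy (opted in)
    limiter = LookupRateLimiter(max_per_window=10, window_seconds=60)
    scan = lambda num: guarded_lookup(limiter, "scanner-1", num)
    print(enumerate_block(scan, *block))    # scanner gets only 10 lookups, sees Ann at most
```

The lookup fix removes the number-to-identity link the page describes; the rate limiter addresses the residual problem that any number a user chose to publish is still one query away for whoever guesses it.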
‘Login Approvals’ remains a strong security feature: it protects users against unauthorized access and limits account abuse when a password is compromised. One caveat applies to any SMS-based scheme: the channel is weaker than a hardware token or a dedicated authenticator app, since a code can be read by malware on the phone or by someone who gains control of the number, so it raises the bar against password-only attacks rather than eliminating the risk. Facebook is developing a system that will let users decide whether the mobile number used in ‘Login Approvals’ is searchable; the current search restriction is temporary until that system is in place. Comparable features on other sites require users to install authentication software or apps, or to purchase physical tokens, as the second factor, which demands a lot of users before the protection can be switched on. We believe Facebook chose SMS-based two-factor authentication because it is easy to implement, cost effective, and requires nothing from users beyond the mobile phone they already carry. Facebook users can enable ‘Login Approvals’ from the ‘Account Security’ section of the account settings page. If you have a Facebook account, consider enabling this feature to increase the security of your account and reduce the chance of unauthorized access.
Tags: Facebook login approval, IT Security, two factor authentication