Privacy and security issues have generated a lot of criticism of Facebook in the past, some of which has been published here on the ESET Threat Blog. So it is only fair that we give Facebook credit for positive steps it has taken on the security front. One security measure that has impressed me recently is Login Approvals, a feature which improves your ability to protect your Facebook account from persons with less than honorable intentions.

When you activate Login Approvals and Login Notifications on your Facebook account--using the steps listed below--you are required to give a name to any device you use to access Facebook. This enables Facebook to notify you whenever a new device logs into your Facebook account, using an email like this:

In this case, I was setting up Facebook access on my new Kindle Fire tablet. As you can see, I was doing this in San Diego on New Year's Day. Note that Facebook provides a link to click if you do not recognize the device as one you have approved. The approval of a new device requires a one-time security code that Facebook sends to your mobile phone as a text mesage. Here's what that looked like on my iPhone (yes, that's my dog in the background).

To register the Kindle Fire as an approved device on my Facebook account I had to enter the code from the SMS message when prompted to do so by Facebook on the Kindle.

In computer security we call this technique "out of band authentication" because credentials are supplied through a different communication channel or band from the system to which you are authenticating. While out of band authentication is not impossible to defeat, it adds a significant hurdle to someone trying to compromise your acount.

Suppose I had received the email above but did not recognize the device name and/or location. I would then be able to investigate what was happening and take steps to protect my account (you can choose to get notifications via email or SMS or both).

Setting up Login Approval on Facebook is relatively straighforward once you know it is there. The only prerequisite is that you have a mobile phone registered to your Facebook account (something you can do in your Account Settings). The following diagram shows you the steps required to activate Login Approvals. After activation you will be prompted to approve each of your devices the next time you use them to access Facebook. You should also make sure that the Login Notifications setting is also enabled.