Facebook adds remote logout and new security features to alert users of unfamiliar logins

Facebook has been busy lately adding more security features to discourage or even eliminate unauthorized logins. I first noticed this a week ago when I tried to log in to Facebook from Starbucks. It detects a different IP and if you mistype your password, it will go through a series of authentication steps to verify your identity. Users are presented with Facebook’s version of the roadside sobriety test. You are given a series of pictures from your friends’ albums and a multiple choice of names. You must match the names to the photos with a few opportunities to get it wrong. The problem with this method is that it assumes I know all my Facebook friends by sight. In an ideal world, I may know most of them by their headshots but when presented with a picture of their foot or a closeup of their pet turtle, how am I supposed to identify them?

Yesterday, Facebook began rolling out a new opt-in security feature to detect and authorize login devices. To enable this feature, follow these steps:

Login Notifications are an opt-in security feature that send alerts when your account is being accessed. If you have not already opted in to receiving these notifications, you can do so by carefully following the steps provided:

  1. From the Account Settings page, select “Change” Account Security.
  2. Select “Yes” to opt in to receiving Login Notifications via email. Also, toggle “SMS (mobile text)” if you would also like to receive a text message to the mobile phone associated with your account. If you have not already added a mobile phone number to your account, you can do so here.
  3. After opting-in to receive Login Notifications, you will be prompted to name your Approved Device during your next login. Do not toggle the “Save this device” option if you are accessing your account from a public computer.
  4. Once you have named your Approved Device, a notification will be sent to the email address associated with your account and your mobile phone if you selected that option.

If you receive a Login Notification and the login was not made by you, you will find instructions in the email or text on how to reset your password in order to secure your account from being compromised. For more information about keeping your account secure, please visit our Security page.

It appears they are using a combination of IP and session cookies to detect when you are attempting to log in from a device not attached to your account’s history. When this happens, you will be presented with an opportunity to tell Facebook the name of the computer such as home, work, etc. It will then follow up with an email and SMS message alerting you to the change. The theory is that if you did not authorize this change, you will know someone has logged in with your user name and password. As you build up your list of authorized devices, they will be displayed in your settings page along with the option to de-authorize any of those devices.
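The flow described above, sketched as an added example for anyone building a similar feature (this is not Facebook's code and not from the original post). The class and method names are hypothetical, and the policy that the device cookie decides while the IP is only recorded is an assumption, since the post does not say how the two signals are combined.

```python
import hashlib
import secrets

class DeviceRegistry:
    """Approved devices per account, keyed by the hash of a random device cookie."""

    def __init__(self, notify):
        self._devices = {}     # account -> {cookie_hash: {"name": str, "ips": set}}
        self._notify = notify  # callable(account, message): stand-in for email/SMS

    @staticmethod
    def _digest(cookie):
        # Store only a hash, so a leaked table does not hand out usable cookies.
        return hashlib.sha256(cookie.encode()).hexdigest()

    def check_login(self, account, cookie, ip):
        """Run after the password check passes; returns 'known' or 'unrecognized'."""
        entry = self._devices.get(account, {}).get(self._digest(cookie or ""))
        if entry is None:
            # Assumed policy: a familiar IP alone never approves a device,
            # because a cafe or office NAT is shared by many people.
            return "unrecognized"
        entry["ips"].add(ip)   # approved laptops roam; keep the history
        return "known"

    def approve(self, account, name, ip, save_device=True):
        """Name the device and alert the owner; returns the cookie to set, if any."""
        self._notify(account, f"Login from new device '{name}' at {ip}")
        if not save_device:    # public computer: alert, but remember nothing
            return None
        cookie = secrets.token_urlsafe(32)
        devices = self._devices.setdefault(account, {})
        devices[self._digest(cookie)] = {"name": name, "ips": {ip}}
        return cookie

    def list_devices(self, account):
        return sorted(d["name"] for d in self._devices.get(account, {}).values())

    def deauthorize(self, account, name):
        devices = self._devices.get(account, {})
        for key in [k for k, d in devices.items() if d["name"] == name]:
            del devices[key]

if __name__ == "__main__":
    reg = DeviceRegistry(lambda acct, msg: print(f"[alert to {acct}] {msg}"))
    cookie = reg.approve("alice", "home", "203.0.113.7")        # constructed values
    print(reg.check_login("alice", cookie, "198.51.100.9"))
    reg.deauthorize("alice", "home")
    print(reg.check_login("alice", cookie, "203.0.113.7"))
```

De-authorizing a device only invalidates its cookie here; ending sessions that device already holds is a separate step.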

Facebook security settings page

As with most security features, there is going to be a trade-off between convenience and security. Those who use many different devices to log in may find the extra steps annoying while those who want more security will welcome the change. The great thing about this feature is that everyone can have it their way. Remember this is an opt-in only system so you must turn it on.

In the coming weeks, Facebook will begin rolling out a remote logout feature. Under the same settings page, users will be able to log out active sessions if they find their accounts are logged in from a device unfamiliar to them. The feature will only be available from a computer and not from mobile devices.