Introducing Login Approvals

By Andrew Song on Thursday, May 12, 2011 at 9:58am

Facebook has always been committed both to protecting our users' accounts and information and to giving them more control over their Facebook experience.  From our User Operations team, who work to re-secure compromised accounts, to the Engineering team that designs and implements new security features like login notifications, one-time passwords, and remote session management, everyone at Facebook is working to ensure users have a safe, enjoyable experience.

Even interns like myself are tasked with big projects to help improve account security.  Instead of working on mundane tasks and simple problems, interns are given high-impact assignments that reach hundreds of millions of users every time they use Facebook.

Today, we’re announcing our newest opt-in security feature that I’ve worked to build over the past few months: Login Approvals.

As more individuals and businesses turn to Facebook to share and connect with others, people are looking to take more control over protecting their account from unauthorized access. Login Approvals is a two-factor authentication system that requires you to enter a code we send to your mobile phone via text message whenever you log into Facebook from a new or unrecognized computer. Once you have entered this security code, you’ll have the option to save the device to your account so that you don’t see this challenge on future logins.

If we ever see a login from an unrecognized device, you'll be notified upon your next login and asked to verify the attempted account access.  If you don’t recognize this login, you'll be able to change your password with the knowledge that while someone else may have known your login credentials, they were unable to access your account and cause any harm.

If you ever lose or forget your phone and have login approvals turned on, you will still have the option to authorize your login provided you are accessing your account from a saved device.  Having these recognized machines associated with your account prevents lockout and ensures that you can regain access to your profile.
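
The flow described above (SMS challenge on an unrecognized device, optional saving of the device, review of unapproved attempts, and login from a saved device without the phone) can be modeled as a small state machine. This is an added example, not Facebook's code: the class and method names, the 6-digit code, the 300-second lifetime and the 3-guess limit are assumptions, and `device_id` stands in for whatever signed cookie or token identifies a saved device.

```python
import hmac
import secrets
import time

CODE_TTL = 300   # assumed: code lifetime in seconds (not stated in the post)
MAX_TRIES = 3    # assumed: guesses allowed per code (not stated in the post)

class LoginApprovals:
    """Per-account state for the described flow (hypothetical names)."""

    def __init__(self, send_sms):
        self.send_sms = send_sms     # callable(code) standing in for an SMS gateway
        self.saved_devices = set()   # device ids the user chose to save
        self.pending = {}            # device id -> [code, expiry, tries left]
        self.unapproved = set()      # unrecognized devices that never passed the challenge

    def login(self, device_id, now=None):
        """Call after the password check succeeds. Returns 'ok' or 'challenge'."""
        now = time.time() if now is None else now
        if device_id in self.saved_devices:
            return "ok"              # saved device: no code needed, even without the phone
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self.pending[device_id] = [code, now + CODE_TTL, MAX_TRIES]
        self.unapproved.add(device_id)
        self.send_sms(code)
        return "challenge"

    def approve(self, device_id, code, save_device=False, now=None):
        """Check the texted code; optionally save the device for future logins."""
        now = time.time() if now is None else now
        entry = self.pending.get(device_id)
        if entry is None:
            return False
        expected, expiry, tries = entry
        if now > expiry or tries <= 0:
            del self.pending[device_id]   # expired or guessed out: force a new code
            return False
        entry[2] = tries - 1
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        del self.pending[device_id]       # codes are single use
        self.unapproved.discard(device_id)
        if save_device:
            self.saved_devices.add(device_id)
        return True

    def attempts_to_review(self):
        """Unrecognized logins to show the user at the next successful login."""
        seen, self.unapproved = sorted(self.unapproved), set()
        return seen
```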

One challenge in building login approvals was balancing security and usability.  Similar features on other websites require you to download authentication apps or purchase physical tokens to act as your second factor.  These are good approaches, and we're considering incorporating them in the future, but they require a lot from the user before being able to turn on the feature.  To have the biggest impact and provide this added security to the most people, we decided on SMS as the best choice for a second factor.  That's a big part of the culture here at Facebook, whether you're an intern or an old hand: focus on impact.

Andrew Song, a Facebook engineering intern, is building new ways for people to protect their account.

You can enable 'Login Approvals' from the 'Account Security' section of the account settings page.

Check out the Facebook Security Page for today's spam and security announcement.