Exploring Facebook’s New Social CAPTCHA Authentication

Facebook rolled out a “social CAPTCHA” authentication mechanism, based on the approach described in Facebook’s Using Social Information for Authenticating a User Session patent. While CAPTCHA is traditionally used to distinguish between humans and bots, Facebook’s method is designed to distinguish legitimate users from impostors. It does this by asking questions about the user’s social network.

Facebook prompts the user to authenticate using the “social CAPTCHA” approach if the site notices an anomaly in the way the person is logging in. In one such case, Facebook states: “You are signing in from a location we’re not familiar with. For your protection, please take a moment to answer a few security questions.” The user is then presented with an option to answer their predefined secret question or to identify photos of their friends.

If the user selects the photo option, they are asked to successfully tag photos of 5 friends. Facebook presents one or two photos of a friend per page, and lists 5 multiple-choice options of that person’s name; each choice is a name of the user’s Facebook friend. The user needs to select the name of the pictured friend to proceed.

Facebook began using the new authentication mechanism without any fanfare a month or two ago, as was witnessed by individuals who traveled across countries. Facebook announced that it will use this method as an additional authentication factor for some sensitive transactions, such as attempts by users to download an archive of their Facebook data.

Here is an example of Facebook’s “social CAPTCHA” in action. I obscured people’s faces and names—the faces and names actually displayed on Facebook aren’t obscured:

The user is allowed to skip 2 challenges. That’s good, because sometimes picking the right name can be tricky.

For instance, the friend might not be in the picture at all (presumably the person lives in the house pictured here):

Or the friend can be pictured from behind:

It’s great to see Facebook providing an innovative way to authenticate users beyond asking the standard “mother’s maiden name” questions in situations where a mere password is insufficient.

The photo-based “social CAPTCHA” feature means that by incorrectly tagging people, users of Facebook undermine others’ chances of correctly answering the photo challenges. It also means that you should be careful when “friending” people if you don’t know them or, at least, if you don’t know how they look.

The new authentication mechanism increases the value of social data to attackers. I won’t be surprised if we start seeing phishing scams that ask people not only their names, but also information about their social network.
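To put numbers on the challenge parameters described above (tag 5 friends, 5 candidate names per photo, 2 skips allowed) and on why harvested social data matters, here is an added estimate of how the challenge’s resistance degrades as an impostor comes to recognise a larger share of the user’s friends. This is my own model, not Facebook’s code or published analysis; it assumes that each photo is an independent draw, that an unrecognised photo is skipped while skips remain and otherwise answered by a uniform guess, and that a single wrong answer fails the session.

```python
from fractions import Fraction
from functools import lru_cache

# Challenge parameters as described in the post.
REQUIRED_CORRECT = 5   # friends that must be tagged correctly
CHOICES_PER_PHOTO = 5  # candidate names offered per photo
ALLOWED_SKIPS = 2      # challenges the user may skip


def pass_probability(p_recognize):
    """Probability that a challenger passes the photo challenge.

    p_recognize is the chance that the challenger knows the pictured
    friend's face. Modelling assumptions (mine, not Facebook's):
    independent photos; an unrecognised photo is skipped while skips
    remain, otherwise answered with a uniform guess among the names;
    one wrong answer fails the whole session.
    """
    p_guess = Fraction(1, CHOICES_PER_PHOTO)

    @lru_cache(maxsize=None)
    def win(needed, skips_left):
        if needed == 0:
            return Fraction(1)
        # Recognised face: answer correctly and move on.
        known = p_recognize * win(needed - 1, skips_left)
        if skips_left > 0:
            # Unrecognised face with a skip left: burn the skip.
            unknown = (1 - p_recognize) * win(needed, skips_left - 1)
        else:
            # No skips left: guess, and only a correct guess continues.
            unknown = (1 - p_recognize) * p_guess * win(needed - 1, 0)
        return known + unknown

    return win(REQUIRED_CORRECT, ALLOWED_SKIPS)


def resistance_table():
    """Pass probability when the challenger recognises 0%, 25%, ... 100% of friends."""
    return {pct: pass_probability(Fraction(pct, 100)) for pct in (0, 25, 50, 75, 100)}


if __name__ == "__main__":
    for pct, prob in resistance_table().items():
        print(f"recognises {pct:3d}% of friends -> passes with probability {float(prob):.5f}")
```

With no knowledge of the friends the pass rate is 1/3125, which is what the 2 skips plus 5 forced guesses give; the table shows how fast that floor rises once a challenger can name a fraction of the user’s friends.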

Update 1: Thanks to Dominic White for pointing out that the “social CAPTCHA” authentication mechanism is already live!

Update 2: Facebook used the social authentication mechanism in January 2010 to shield Tunisian users of Facebook.

Lenny Zeltser


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
