This week, Facebook launched a new feature called Trusted Contacts in an attempt to discourage account hacking. Unfortunately, this additional feature hasn’t necessarily addressed the aspects of their password recovery service that are the most susceptible to hacking.
The goal of the newly added Trusted Contacts is to implement an extra layer of security between strangers and personal data on Facebook; however, it still remains all too simple for savvy users to take advantage of the “Forgot Password” tool. Once a user indicates that they’ve forgotten their Facebook password, the site offers three password reset options: via Google account, email, or phone. Unfortunately, this is where the effectiveness of Facebook’s security measures ends.
A user simply has to indicate that they no longer have access to the Google account, email address, or phone associated with their account, and they’ll be prompted to supply a new email address with which to reset the account. Only at this step in the account recovery process does the new Trusted Contacts feature come into play.
If a user cannot recall the answer to their custom security question, they only need to name one of the listed Trusted Contacts to proceed to the next part of the process. This grants access to the full list of Trusted Contacts, meaning that anyone who has reached this screen has the means to obtain the necessary security codes for recovering a Facebook account that may or may not belong to them.
While Facebook works out the kinks and drawbacks to this new security feature, those wary of appointing Trusted Contacts may be better off avoiding the feature entirely for the time being. The password recovery feature prompts users to answer their custom personal security questions only if no Trusted Contacts have yet been listed. This extra layer of security is an additional comfort to many members of Facebook which, despite its popularity, has done little to improve its reputation for questionable account security and privacy control.