I’ve been thinking today about user authentication and then I remembered an experience I had with Facebook.
The more I thought about Facebook’s seemingly simple login system, the more I realized it’s a major achievement of human ingenuity.
Let me explain. For most people, the login system is as smooth as butter. You enter your email address and password (or most likely have your browser autofill your info for you), and voilà!
You don’t see anything but your newsfeed or whatever page you’re ready to see next.
But the real magic is what happens behind the scenes. I would imagine most people never even encounter secondary verification prompts.
The experience I spoke of was when I was in Japan for my 30th birthday, and I tried to login to my account from a physical location very far from home.
Facebook prompted me to further verify my identity simply because it recognized an unusual location.
When this happened, the developer in me immediately began to dissect the process because I’ve never encountered such a system before (as far as I know).
Time went by and I realized through various scenarios that Facebook does a lot more than check your location.
It seems to me that Facebook has a ranking algorithm to determine the likelihood that you are you based on many different factors.
We already do this every day. When you text your friend, you expect the person answering is actually your friend.
We subconsciously verify this by the style, speed, and language of writing. Whether or not they use emotes, GIF’s and stickers, use texting abbreviations or spell out words completely. And whether or not their grammar is familiar to you, regardless of whether it’s correct.
Maybe your friend is learning your language and hasn’t quite mastered the nuances.
Similarly, you do this talking to someone over the phone or in person. Their appearance, facial features, hair color, smell, personality, expression, mood, fashion sense, height, weight, posture, energy level, speaking volume, voice, abilities and challenges… I could go on.
All of these things are subtle cues that add up to tell you parts of the whole picture, and inform you that you’re actually talking to the person you think you are.
And if something is amiss, it makes you question whether or not your friend is actually your friend. Or more subtly, it allows you to judge in a more benevolent manner that maybe they’re having an off day or wanting to spice things up.
Maybe their friend borrowed their phone and are pretending to be your friend as a practical joke?
Now that Facebook has over 2 billion active monthly members worldwide, each one with their own quirks, cultural expectations, behaviors, changing moods, personalities, and the whole range of the human experience, they have a massive and very complex problem to solve.
This type of complex authentication system to verify the right person each and every time is becoming more and more of a necessity. Despite any privacy implications, it would improve security for everyone within the ecosystem.
You’re going to need as much validation as you can get to ensure the security of nearly the entire planet.
Many of the more complex login systems I’ve worked with in the wild only check your IP address or browser fingerprint (beyond your username/password combo), and those are super easy to change.
I have a theory (which I have not verified), but it is theoretically possible. Especially given the major advances within artificial intelligence.
I believe Facebook checks the heuristics that are not so easy to change, such as patterns based on your logged-in (and maybe even logged-out) behaviors, browsing habits, and comparing distances between your login location and your most recent interaction with the Facebook ecosystem.
It may even take into consideration the likelihood of you carrying out posts to your wall or private messages to your friends.
For example, say you check into San Francisco International Airport on your way to Tokyo, Japan (an 11-hour flight). If 14 hours later, you try to login from Cape Town, South Africa (a 21-hour flight). This would be pretty unrealistic, so it may request more information.
But if you try to login from Tokyo, that very well could be a factor in verifying your identity since your new location matches the place you said you were going.
There’s more. Because of the massive presence Facebook has on the internet, it may use your browsing history (even when logged out) to factor into the scope of your behavior to identify you as a unique human being, regardless of the device or browser you’re currently using.
And if there’s an inconsistency somewhere within their massively complex formula for determining your identity, it may ask for further verification.
Never before in the entirety of human history has any technology been able to reach so many people. 1 in every 4 people on earth have a Facebook account.
Frankly, I believe Facebook has an obligation to make accounts as secure as possible, and this would definitely be one way to do it.
Regardless of whether my theory about the functionality of Facebook’s login system is true, I am impressed!