How Facebook checks your account is not fake (and keeps legitimate users out)

Facebook has been boasting not only the most users of any social networking site, but also the most “quality” users (i.e. fewer fake users).

How can Facebook achieve that?

First, they’ve been actively purging fake accounts.
More recently, they started testing your knowledge of your own friends.
Because everybody knows you know all your Facebook friends well, right?

This feature is disguised as a way to check that your account is not being accessed by an unauthorized person logging in from an unrecognized computer.
It happens if you try to access your account while traveling, logging in from a location you have never logged in from before.

Not only will you be asked for a Captcha, but Facebook will also present you with a set of 7 photos in which your friends have been tagged, and you will have to recognize them.

You can only skip 2 questions, so you had better know your friends well and be lucky enough to be shown photos with an actual face in them.

Especially when they start asking you questions about tagged pictures like these:

Try it yourself by logging in from a friend’s computer or from a computer abroad and test your knowledge of your friends.
It’s fun, especially when you get yourself locked out of your own account and have to wait one hour to try again.

Detailed flow

First you are asked to enter a Captcha:

Facebook login verification using photo tagging

Then you are tested on your knowledge of your friends’ pictures:

It reads:

In order to proceed, Facebook needs to verify that you are the owner of this account. To do this, please identify the people tagged in the following series of photos.
To pass, you cannot get any answers wrong. If you aren’t sure about a question, please skip it. You can only skip two questions.

If you fail, you get this:

Please come back in a little while
Your answers were not accurate enough.
For security reasons, you are only allowed to authenticate your identity once every hour. Please come back then to try again. Sorry for the inconvenience.

If you succeed after having failed previously, you will be shown the recent login attempts to review.

Please review recent activity on your Facebook account
Your account was recently accessed from a location we’re not familiar with. Please review the activity details below.
If anything looks unfamiliar, we’ll help you change your password (this will help prevent people in the future from accessing your account without permission).
Do you recognize the account activity listed above?

Note the funny wording about preventing people from the future from accessing your account. Ambiguous. What if I want my future self to access it?
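The rules quoted in this flow (7 photos, no wrong answers, at most two skips, one attempt per hour, login review after an earlier failure) can be written out as a small policy check. This is an added example, not Facebook's code or the author's; the names, the `SKIP` marker and the choice not to restart the hour on a blocked attempt are assumptions, as is the independence model in `legit_pass_rate`.

```python
from dataclasses import dataclass
from math import comb
from typing import Optional, Sequence

PHOTOS = 7          # photos per challenge, as described in the post
MAX_SKIPS = 2       # "You can only skip two questions"
RETRY_AFTER = 3600  # "once every hour", in seconds
SKIP = None         # constructed marker for a skipped question

@dataclass
class Account:
    last_failure: Optional[float] = None  # time of the last failed challenge
    failed_before: bool = False           # triggers the login review on success

def grade(answers: Sequence, expected: Sequence) -> bool:
    """Pass only if nothing answered is wrong and at most MAX_SKIPS are skipped."""
    if len(answers) != PHOTOS or len(expected) != PHOTOS:
        raise ValueError("a challenge has exactly %d photos" % PHOTOS)
    skips = sum(a is SKIP for a in answers)
    wrong = any(a is not SKIP and a != e for a, e in zip(answers, expected))
    return not wrong and skips <= MAX_SKIPS

def attempt(acct: Account, answers, expected, now: float) -> str:
    """Return 'locked', 'failed', 'review_logins' or 'ok'."""
    # Assumption: a blocked attempt does not restart the one-hour wait.
    if acct.last_failure is not None and now - acct.last_failure < RETRY_AFTER:
        return "locked"
    if not grade(answers, expected):
        acct.last_failure, acct.failed_before = now, True
        return "failed"
    result = "review_logins" if acct.failed_before else "ok"
    acct.last_failure, acct.failed_before = None, False
    return result

def legit_pass_rate(p_recognize: float) -> float:
    """Chance the real owner passes, assuming each photo is recognized
    independently with probability p_recognize and the rest are skipped."""
    q = 1.0 - p_recognize
    return sum(comb(PHOTOS, k) * q**k * p_recognize**(PHOTOS - k)
               for k in range(MAX_SKIPS + 1))
```

Under that model, an owner who recognizes 80% of the tagged photos still fails about 15% of challenges, because a third unrecognizable photo forces either a guess or a third skip.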

Is it too much?

Although these extensive security measures really do their job of keeping unauthorized persons from accessing your Facebook account, aren’t they a bit too much?

Wouldn’t a more classical method, combining a Captcha and an email with a link to confirm your identity, be enough?
Here you have a Captcha, plus a series of 7 pictures with friends tagged.
You cannot make any mistakes, and you can only skip two questions.
It is overkill for user identification.
Hence the underlying purpose of this flow is more to deter fake user accounts than to really protect your account from unauthorized logins.

Maybe at some point the only way to add a friend on Facebook will be to go through 7 random pictures, with and without your candidate friend in them, and say whether he is in each picture or not.

This will certainly upset spammers using fake accounts with friends they know nothing about.
But it will also upset those real people who have lots of friends because they are just overeager to add more.

We all have one of those friends, don’t we?
You know, the ones with more than 1,000 friends, who always make you wonder how they know so many people (and they probably don’t).

I’m curious to know how well they would do at the photo tag test.

UPDATE Sept. 09 2010:
It seems we were right, as Facebook has filed to patent social Captcha. See the patent application.

110 Responses to “How Facebook checks your account is not fake (and keeps legitimate users out)”

  1. sarah says:

    The last time I tried to do this goddamn security check was at 5:33 pm and it’s still giving me this message: Identify photos of friends (hourly limit exceeded). If I go to skip even one question it tells me that I didn’t answer the questions correctly. This is very aggravating and stupid as all get out. If anyone has any damn solution please email me at bc I’m about to quit Facebook altogether.

  2. ashley garcia says:

    Every time I click “skip” it misses all of my questions and it says “your answers were not accurate”

  3. Raja says:

    How to open my facebook from security lock

  4. yousaf says:

    When I try to log in to my accounts I see this message:
    For security reasons your account is temporarily locked and

    If this account reflects your real name and personal information, please help us verify it.

    After I put in my mobile number I see this message:

    To verify that you are the owner of this account, please identify the people tagged in the following photos. If you aren’t sure about a question, please click “Skip”.


    Please someone help me…thanks

  5. To verify that you are the owner of this account, please identify the people tagged in the following photos. If you aren’t sure about a question, please click “Skip”.

  6. plz help me for ths…

  7. asad says:

    fuck you faceboooook

  8. unlock my fb account

  9. skannan says:

    I want to change my security setup

  10. Shah Jee says:

    Plzzzzz Help meeee…….
    Please complete a security check… this check in which I have to tell them about tagged pictures. I don’t remember any picture of my friends in which my friends are tagged. What do I have to do?