Enabling Secure Business Operations

Two-Factor Authentication and Facebook

Several months back, we covered Google’s new and much-welcomed two-factor authentication process.  As mentioned before, enabling true two-factor authentication greatly enhances an application’s security profile, a crucial step for applications as important and ubiquitous as Gmail and Google Docs.  So after being painted with a giant bull’s eye last year following Firesheep’s debut demonstration, Facebook has followed Google’s lead and added several new security features, including two-factor authentication.

All of Facebook’s new security options have been conveniently grouped together under “Account Settings”.  There are several check boxes here, as well as a list of devices that have recently logged into Facebook with your account.

First, be sure to enable secure browsing via https connection, so as to prevent sidejacking, à la Firesheep.

The next few settings affect what actions Facebook takes when a new device attempts to log in with your account.  You can be notified when this happens via email or SMS, but more importantly, you can have Facebook require two-factor authentication by having a verification code sent to your phone.

Below that, Facebook lists the devices you’ve already approved for this account and also the last few devices that have logged in with your account.  You have the option of signing out of these devices.

These security settings are definitely a step in the right direction for Facebook, but they are still not as robust as Google’s two-factor authentication.  Unlike Google, once a device has cleared the two-factor authentication and becomes a recognized device, Facebook no longer requires a code from your phone when you attempt to log in later.  This choice was likely made for convenience, but it does mean that the second factor is nullified if someone has access to your recognized devices.  Of course, you can avoid this issue by clearing all your cookies between sessions or always opening Facebook in incognito/private browsing mode.

Also unlike Google, Facebook does not yet have a smartphone authenticator application.  This means that you will have to rely solely on SMS for the verification code if you choose to enable two-factor authentication.  If you travel beyond local cell coverage (or do not have an SMS plan outside the country), you may not be able to receive the code and log in on a new device.  Because the Google Authenticator app does not require an Internet connection, it provides a simpler and unconstrained alternative to SMS verification.

However, overall, Facebook is making admirable moves to enhance its users’ account security, and two-factor authentication ought to be adopted by many more high-traffic sites (we’re looking at you, Twitter).


Well, This Should Be Fun

You know those Facebook applications that occasionally pop up on your news feed, promising to add a “dislike” button, let you view who’s been looking at your profile, or implement some other feature that Facebook won’t ever support?  A lot of these applications are not much more than thinly disguised malware designed to harvest personal information or trick the user into participating in a click fraud scam.

Well, it looks like we’re in for a lot more of them, thanks to a new, cheap toolkit that allows users with little to no programming knowledge or experience to create these malicious applications.  For the low price of $25, this application will guide you through the process of creating your own nefarious Facebook applications with promises of enormous return on investment by tricking your friends into filling out surveys for various third parties.

So remember, folks – be careful when you allow applications access to your Facebook profile – not all of them are safe, and not all of them deliver on their promises.  Personally, I haven’t installed any apps on Facebook, and I probably never will.

On an unrelated note, don’t forget – today is Patch Tuesday!  Keep your Windows machines secure(ish) by applying those patches as soon as you can.  (Details: http://www.microsoft.com/technet/security/Bulletin/MS11-feb.mspx)
