Facebook prevents unauthorized access by allowing the user to verify friends photo. If an account is logged from somewhere distant (unusual location/different computer) the user will be redirected to a identify verification page, where he will likely be prompt to identify photos of his friends. The page looks like this:

Facebook verify identity

Facebook then gives you 3 photos of a friends and 7 choices (names) for you to choose from. The 8th choice is “I don’t know” which you can choose twice.

There is also a timeout, which when it reaches 0, it asks you to try again within a few hours.

This type of verification is OK for most users, however, Facebook doesn’t take into account different types of attackers and profile settings. Facebook allows a user to keep his friend list private, meaning not even your friends can see who you are friends with, unless they are mutual, but it also allows a user to keep friends list visibly public or visible to friends only. Facebook also doesn’t take different attackers into account: those who you are friends with and those who you are not friends with.

If the person logging in into your account is your friend on Facebook

If your friend list is public or public to friends only

The attacker could open a different browser, login with his personal detail, and self check his friend list to search for each name Facebook listed on the photo. If he finds the match, he selects, and goes to the next photo.

If the person logging in into your account is not your friend on Facebook

If your friend list if public

The attacker could simply login into any of his Facebook account and query the user’s friend with the given name listed by Facebook.

Timeout

I have not figured out the timeout Facebook has to deny your response, however, I was fast enough to do so, and I have not being locked out.

Solution that could fix that

Facebook should first check whether the user’s friend list is set to private, and if so, then ask the user to verify friends identity, otherwise, skip the identify verification page and verify some other way.

Facebook users should keep their friend list private. Go to your Friends tab, and select “Edit Privacy” and change “Who can see your friends list?” to “Only me”.

I have not being able to trigger the verify friend’s identity page anymore, since I am not really sure on how and when exactly Facebook triggers that page. I tried logging with into my account with Tor, and from my phone removing authorization for that login but no success. It happened to me twice, randomly.