While on vacation last week, I had a frustrating experience with Facebook that demonstrated how “security theater” annoys legitimate users without actually increasing security.

Since I had no proper Internet connection, I was using my phone to access Facebook, which worked fine. However, I also had my Kindle with me, so I decided to try its “experimental” Web browser to see if it would be a usable way of interacting with Facebook.

To my surprise, my attempt to log in failed; Facebook instead presented a message telling me that I was trying to log in from an unfamiliar location (by which it actually meant an unfamiliar device), and that my account had therefore been locked out. This was no problem, it reassured me: all I had to do was log in from my usual desktop computer and confirm that this activity was OK.

But this was a problem, since my desktop computer was a three-hour drive away. Did it not occur to the Facebook developers that I might be logging in from an “unfamiliar location” precisely because I didn’t have access to my desktop computer?

I was now completely unable to access Facebook, even from my phone, because of this account lockout. I wasn’t willing to put up with this, though, so after a lot of experimenting and Googling, I figured out how to tether my phone to my laptop using Bluetooth, essentially using the phone as a wireless access point. My data plan doesn’t officially support this kind of usage, so I didn’t want to risk extra fees by doing it too much; but I figured I could do it long enough to get to Facebook.

I was successful in logging in using my laptop. To reactivate my account, all I had to do was respond to a CAPTCHA and then click a button confirming that I recognized the recent activity they’d flagged as suspicious. I was back in, and now I could access Facebook from any of my devices.

My question is, what did this accomplish, other than infuriating me and forcing me to go through ludicrous hurdles to restore my account? Any suspicious person who might have tried to access my account from an “unfamiliar location” — using my user ID and password! — could have unlocked the account as easily as I did, or even more easily, since they probably would have had access to a desktop computer. (Despite what it claimed, Facebook wasn’t paying the slightest attention to my location, only what kind of device I was using.)

I’ve never encountered this kind of behavior from any other site, but beware: if you ever have any plans to access Facebook from a new kind of device, you’d better try it while sitting next to your regular computer before you go on the road.
