Designing Account Security Across Our Apps

By Nathaniel Gleicher, Head of Security Policy and Jimena Almendares, Head of Support and Customer Experience


  • We’re sharing a behind-the-scenes look at how tech platforms design account security and recovery systems to help our users while keeping bad actors out. 
  • We’re rolling out new security features to help keep peoples’ accounts safe and building out our support to help if they lose access.
  • We’re also rolling out new tools and education initiatives on Messenger and Instagram to keep people safe from phishing and malware.

As we close out this year, we’re sharing a number of updates on our work to protect people around the world against various threats.

We know account security and recovery are top of mind for people, so today we are sharing a behind-the-scenes look at some of the tensions that companies like ours navigate in designing account security tools that help protect people while deterring bad actors. We’re also detailing new security features we’ve rolled out this year and highlighting why it’s critical for people to keep their contact points — like their email or phone numbers — secure and up to date to prevent one of the leading drivers of account compromise.

Applying Adversarial Design to Account Security

Since sharing our plans last year to expand our support efforts, we’ve continued to stress-test our account security and support systems to understand how bad actors might try to game them. This space is highly adversarial, which means we’re constantly thinking about how our products and our support channels may get abused; we have to keep evolving our defenses and processes in response to malicious actors trying to work around them.

This is always a tricky balance because if we tighten account security controls too much, innocent people will have a harder time using and recovering their accounts. If we are too loose with controls, bad actors will have an easier time abusing our systems to compromise people. In fact, we regularly see threat actors target the very systems we put in place to protect people, trying to get accounts taken down.

As an example of these types of controls in our account recovery support, we use a variety of signals and verification challenges to help detect suspicious activity and validate legitimate access attempts. These challenges may range from requesting a copy of a person’s ID or confirming a code sent to a device that has previously logged into the account.

Taking a Closer Look at Contact Points

Once an account recovery request is verified, platforms like ours rely on contact points — like an email address or phone number — listed in someone’s account’s settings as the primary channel to deliver support, like password reset links. Our research shows that people are two times more likely to recover their Facebook account if their contact points are up to date so we can reach them.

However, people might lose access to an old email inbox or they may switch phone numbers — this is a challenge that is recognized across our industry. We’ve also seen threat actors target those contact points to gain broad access to someone’s online accounts by using it to reset the passwords for other connected accounts – banking, social media, and others. In fact, when looking at compromised Facebook accounts, we find that one in four began with a person’s contact point being taken over.

Product and Support Updates

Our work to help people stay safe and in control of their accounts is two-fold. First, to prevent account compromise, we build systems and help people learn how to identify potentially suspicious activity across the internet. Second, to help people who experience access issues, we continue to improve our support offerings. 

Contact Point Support

We’ve built additional ways for people to get back into their accounts when they no longer have access to linked contact points. For instance, in certain cases, people can use recently removed contact points to recover access. As a result, this year we’ve helped eight times more people a day on average get back into their Facebook account than last year when they don’t have access to their listed contact points. We’re also running global in-app prompts across Facebook reminding people to confirm their contact points and exploring alternative ways to confirm people’s identity during the account recovery process on Instagram, including using their friend network.

Phishing and Malware Protection 

To help people stay safe across our apps, we’re continuing to roll out protections and educational initiatives:

  • Protections against malicious links: We know that threat actors often target groups like journalists, activists, political campaigns and businesses (among others) by sending them phishing links or malware. One measure we’ve rolled out to protect against this on Messenger uses our automated systems to direct suspicious messages if they are sent by unconnected users. As with many of our security measures, we’ll use our learnings to inform our broader strategy to protect people.
  • Instagram imposter alerts: We remove Instagram accounts that our automated systems find to be malicious, including ones that impersonate others. But because bad actors may not immediately use accounts maliciously, we’re now testing sending warnings if an account that we suspect may be impersonating someone requests to follow them. In the coming months, we’ll also send warnings if an account that may be impersonating a business sends you a Direct Message.
  • Increased Instagram verified badge visibility: We’re also expanding where the verified badge shows up on Instagram to make it visible in more places, including Stories and Direct Messages, to help people confirm that the accounts they’re interacting with are authentic and verified. 

Live Chat Support Test

While our scaled account recovery tools aim at supporting the majority of account access issues, we know that there are groups of people that could benefit from additional, human-driven support. This year, we’ve carefully grown a small test of a live chat support feature on Facebook, and we’re beginning to see positive results. For example, during the month of October we offered our live chat support option to over a million people in nine countries and we’re now planning to expand this test to more than 30 countries around the world.

Instagram Account Access Support

We’ve launched to help people to report and resolve account access issues. We’ve also rolled out a way for people to ask their friends to confirm their identity in order to help regain access to their Instagram account.

We welcome feedback from the research community and our industry peers as we all navigate balancing these various tensions in protecting people and deterring bad actors.

To help personalize content, tailor and measure ads, and provide a safer experience, we use cookies. By clicking or navigating the site, you agree to allow our collection of information on and off Facebook through cookies. Learn more, including about available controls: Cookie Policy