Amid growing disappointment with Facebook’s privacy measures, one ray of sunshine emerged yesterday. Facebook introduced a security (not privacy) improvement, one that appears to be unique among social networks and perhaps among most websites requiring login. You can now set your Account so that if you attempt to log in from a new mobile device or computer, you will be prompted to provide additional confirmation of your identity by answering a security question.
Kudos to Facebook for making this change. It should help customers defend themselves against compromised accounts, whether due to a known individual attempting to use your Facebook account (such as a teen’s friend doing so in a cyberbullying act) or due to cybercriminal efforts such as phishing.
Enabling the feature on your account is quite simple. When logged into your account on Facebook, click on “Account” in the upper right-hand corner of your screen. This makes a drop-down menu appear. From that menu, select “Account Settings”. Towards the bottom of that page’s options, you’ll see a new entry called “Account Security”. Click on the word “change” next to that entry. A statement will appear: “To help keep your Facebook account as safe as possible, we can notify you when your account is accessed from a computer or mobile device that you haven’t used before.” Below that is a question you’ll need to answer: “Would you like to receive notifications for logins from new devices?” Click on “Yes” and then click “submit.”
I was amused to see that the option to Deactivate (or cancel) your Facebook account is immediately below the Account Security options. Since many of my friends and work colleagues have been discussing whether or not the value of Facebook use outweighs the perceived privacy and security risks, it seems risky on Facebook’s part to have placed these options so close to one another. Perhaps that’s just my sense of humor.
In the blog entry announcing the change, Lev Popov of Facebook provides details on how the security feature will work. He shows screenshots of further levels of authentication the user needs to establish, such as giving a name to each currently known device and setting your security questions and alert preferences. When I went to my account settings, none of those additional layers were presented to me, so perhaps they are still to come, even though in the blog entry Popov states that these options have been rolled out to all users as of Thursday (yesterday). Requiring the user to keep “checking in” on security settings is just one way I feel they got this wrong. The main issue I have is that this sort of security setting should be the default, and we existing users should all be required to take this step within a period of a week or two. New accounts should go through these steps as part of creating the account. The only time I should have to log in to my Account Security settings is to add, remove or rename a device, or to make similar adjustments to my preferences.
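To make the flow Popov describes concrete, here is an added illustration (not Facebook’s code, and not from the blog entry) of the server-side logic behind “notify me and challenge me on an unknown device”: a per-account list of named, trusted devices, an alert whenever a login arrives from a device not on that list, and a security question that must be answered before the device is added. The device token is assumed to be an opaque per-browser cookie value, and the security answer is assumed to be stored only as a keyed hash.

```python
import hmac
import hashlib
import secrets

# Constructed example, not Facebook's implementation: models the new-device
# login check described in the post. Device tokens are assumed to be opaque
# per-browser cookie values; the security answer is stored only as a keyed hash.

class AccountSecurity:
    """Tracks devices an account has been seen on and challenges unknown ones."""

    def __init__(self, question, answer, server_secret=None):
        # A server-side key for the device-token hashes, so a leaked table of
        # known devices cannot be replayed as raw cookie values.
        self.secret = server_secret or secrets.token_bytes(32)
        self.question = question
        # Normalise and hash the answer; the plaintext is never kept.
        self.answer_hash = self._mac(answer.strip().lower())
        self.known_devices = {}   # token hash -> friendly device name
        self.notifications = []   # alerts the account owner would receive

    def _mac(self, value):
        return hmac.new(self.secret, value.encode(), hashlib.sha256).hexdigest()

    def login(self, device_token, location):
        """Return 'allow' for a known device; otherwise alert and 'challenge'."""
        if self._mac(device_token) in self.known_devices:
            return "allow"
        self.notifications.append(f"New login attempt from {location}")
        return "challenge"

    def answer_challenge(self, device_token, answer, device_name):
        """Trust the device only if the security answer matches (constant-time)."""
        given = self._mac(answer.strip().lower())
        if not hmac.compare_digest(given, self.answer_hash):
            self.notifications.append(f"Failed verification for {device_name}")
            return False
        self.known_devices[self._mac(device_token)] = device_name
        return True

    def forget_device(self, device_name):
        """Remove a trusted device by name (the 'add or remove' adjustment)."""
        before = len(self.known_devices)
        self.known_devices = {h: n for h, n in self.known_devices.items()
                              if n != device_name}
        return len(self.known_devices) < before
```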