Passwords suck. Security questions are a joke. Two-factor? Hah. Web authentication is frustratingly broken. Over the past year, Facebook engineers have been experimenting with various attempts to supplement "Something you know" with "Someone you know". A year of iteration and usage by millions of real-world users has taught us a great deal about this new approach to authentication. This talk will demonstrate the implementations we've come up with and share much of what we've learned along the way: where it works, where it doesn't, and where it falls apart spectacularly.