Facebook Introduces One-Time Passwords

angry tapir writes "Worried about logging into Facebook from a strange computer? There's now a way to get into the popular social network without entering your regular Facebook password. It's called a temporary password. To use it, users must list their mobile phone numbers with their Facebook accounts. They can then text a number from their phones and Facebook sends back a temporary password that is good for 20 minutes. The service will be available worldwide in the next few weeks."

Great idea.

[Timmmm]

Now can we please get one-time credit card authorisation?

Re:Great idea.

[Rijnzael]

BOA does this already [bankofamerica.com] if you're in the US.

Re:

[n0dna]

Discover also does this.

Re:Great idea.

[Rob the Bold]

Now can we please get one-time credit card authorisation?

Amex did this for a while about 10 years ago. I used it and liked it. Then it went away.

Re:

[barzok]

And here I thought they just buried it on the site and I couldn't find it. They completely did away with it? Jerks.

My Discover Card Does This ...

[eldavojohn]

Now can we please get one-time credit card authorization?

You mean like my Discover More Credit Card offers me [discovercard.com]?

You have the option of re-using the same one for a retailer or just continually requesting a new one if your dealings with them are infrequent or shady.

Re:My Discover Card Does This ...

[gad_zuki!]

Fry: Do you take Visa?
Clerk: Visa hasn't existed for 500 years.
Fry: American Express?
Clerk: 600 years.
Fry: Discover Card?
Clerk: Sorry, we don't take Discover.

Re:

[Mascot]

The tech has been there for years. For any online store supporting verified by visa/mastercard, I'm sent to my bank's authorization page and required to enter my security token's current code and personal password.

For whatever reason though, there are still tons of sites out there that do not support verified by visa/mastercard.

On the other hand, it's only a matter of time before we get cards with built-in token generators. At which point I would expect CC companies to start refusing transactions based on n

Having to remember even more passwords

[tepples]

For whatever reason though, there are still tons of sites out there that do not support verified by visa/mastercard.

I seem to remember some sites using Verified by Visa and then abandoning it. Perhaps they found that shoppers were abandoning their shopping carts after having set up VBV before and then forgetting their VBV username and password.

Re:

[pasamio]

The worst thing about VBV was not actually having it set up properly and then having a merchant require it compared to others that didn't. I had this happen to me when I was overseas trying to get internet and all of a sudden I got slammed by this Verified by VISA thing that wasn't setup and I could get internet to get the details I needed to get it set up (catch 22). Sounds like a good idea until it gets inconsistently applied in practice.

Re:

[Mascot]

If stores universally used it, you better believe people would start remembering their passwords.

Re:Having to remember even more passwords

[tlhIngan]

I seem to remember some sites using Verified by Visa and then abandoning it. Perhaps they found that shoppers were abandoning their shopping carts after having set up VBV before and then forgetting their VBV username and password.

Well, few reasons.

1) Merchants love it because the customer gets stiffed with the charges (you can't chargeback a merchant if it was done via 3DS (3D Secure, aka Verified by Visa and MasterCard's equivalent). I only do VBV on a merchant I know. Unknown merchants, I'd probably trust Paypal a bit more.

2) It seriously screws up with NoScript. I keep forgetting to enable the 3rd party site which usually results in screwing up the checkout process.

3) It makes it harder to do "one-click shopping". If you're a merchant that gets a lot of impulse buys, the more steps betwen "I want it" and "We got your order, it'll be shipped soon!" is more chances the user will cancel the order prior to completion. (And this is a very important point)

4) It's extremely insecure, and can offer a great way to phish. Heck, we've got previous Slashdot articles on the subject. Why "Verified by Visa" system is insecure [slashdot.org] and Net Shoppers Bullied into "Verified by Visa" program [slashdot.org].

5) Forgetting your password can get your credit card locked out.

Quite honestly, 3DS is just another form of Wish-it-was two-factor [thedailywtf.com] security. It pretends to be more secure, but in reality it isn't.

There are two ways to do it properly - you could SMS people a password, but that screws with people like me who don't always carry their cellphone around, or perhaps build in an RSA key thingy inside the card itself. Chip cards (which have their own issues - really - the PIN's in the chip and the chip sends an "OK" or "Failed PIN" response - not any form of challenge-response packet to the bank, who should know your PIN, not your card) have powerful enough processors to do some RSA token like task. Given we can buy a calculator for under a dollar, there's no real reason why we can't have credit cards with two-factor support on them (and no PIN needs to be stored - the card will generate a code based on the entered PIN which the bank can validate).

Re:

[vlm]

For any online store supporting verified by visa/mastercard, I'm sent to my bank's authorization page and required to enter my .... personal password.

Sounds like a great phishing opportunity... Thats why I don't like it. Especially since "most people" use the same password for everything.

Re:

[Mascot]

What's your point, precisely? That it's somehow worse to require extra information compared to only what's physically printed on a credit card? If so, I think most would disagree rather strongly with you. Even a simple password verification like that (which I simplified, one also needs information from birth certificate) prevents a stolen card from being used in online stores.

Obviously I prefer my bank's solution (token). But I don't think we're going to get there until the token generators are actually on

Re:

[mcgrew]

I have a LOT of phone numbers stored in my phone. This new "feature" would let me jack with any of their accounts if TFS is accurate.

Re:

[Peach Rings]

...
Having someone as a contact doesn't mean you can read their texts. Not that SMS is even remotely secure.

Re:

[CarpetShark]

Sure. Give me your card details and I'll set it up for you.

Re:

[RMH101]

What if there's another reason Facebook are doing this?
It's a good idea, but it's also one that will increase the number of people who put their mobile phone number in their facebook profile. What if Facebook were looking at leveraging this for a Facebook/Skype/Facebook-branded mobile phone OS as has been rumoured recently? It'd be very handy for them if they already had a lot of users who'd already input their numbers, so when they launched any mobile services the "dial friend" option was already worki

Re:

[dillpick6]

What happens when your phone gets stolen? I wouldn't them to have my phone and access to things like my email and facebook, let alone my credit cards and bank accounts. This seems even more risky considering the chance most smart phones could be hacked or some app on the phone turns out to be malicious.

Re:

[mikael_j]

The downside to these one-time cc numbers is that some american (I've yet to see a swedish company deny these numbers) companies tend to deny them. I had that problem with Blizzard when it came to WoW upgrades, I could pay for game time but for game upgrades my purchases were denied...

Re:

[narooze]

There is at least one Swedish company that does deny them, SF Bio (the largest movie theater chain in Sweden). However, in their case there is a good reason; to get the tickets you've bought online with your credit card you have to swipe the same card in their ticket printing machines. You could definitely come up with another way to get the tickets once they are bought, but as long as you have to have the credit card with which you paid to get the tickets, one-time cc numbers are probably out of the questi

Re:

[pspahn]

Swedes see movies in actual theaters? I assumed everyone just torrented everything.

texting

[Theoboley]

867-5309 will give you a password of "Jenny"

yeah, just give us your phone number

[YouWantFriesWithThat]

i am sure that there is no chance that they were scraping around for an excuse to collect cell phone numbers from their users. adding that very unique information to their already massive database on every user will make it much more valuable. as i tell my friends, it's just a pyramid scheme. you get a free website with communication tools bolted on and they get to know everything about you and will sell it to whoever they want.

Re:yeah, just give us your phone number

[TheKidWho]

I don't think you know what a pyramid scheme is...

Re:

[ByOhTek]

Yes, he most definitely does not, however the rest of the GPs post does seem to be reasonable.

Re:yeah, just give us your phone number

[baKanale]

That's the one where they steal your cellphone number, and use it to track your movements, then wait until you're all alone and kidnap you, taking you to the desert and forcing you to build giant pyramids all day, right?

Re:yeah, just give us your phone number

[TheKidWho]

I don't think you know what a Pyramid scheme is either...

Let's wikipedia it:

A pyramid scheme is a non-sustainable business model that involves promising participants payment primarily for enrolling other people into the scheme, rather than from any real investment or sale of products or services to the public. Pyramid schemes are a form of fraud.

What you're describing on the other hand is just exploitation.

if you can't see how this pertains to facebook then you are too dull to be helped.

I've never heard that one before.

Re:

[nedlohs]

So you are claiming that face book somehow pays the people who were in early with the personal data of those who got in later?

Or you are ignorant of what a pyramid scheme, and too retarded to know that responding to a correction on a topic you are ignorant about is foolish.

   

Re:

[choongiri]

The key point is that for it to be a pyramid scheme, the people underneath need to think they are going to make money the more people they subscribe into the scheme. Money is the incentive. Without a doubt, facebook makes more money the more people you convince to join it, but there never was, and never will be a promise of money from facebook to you for signing people up. Therefore, it's not a pyramid scheme.

Real advantage over SSL?

[hcs_$reboot]

Yet another way for a big Internet organization to collect phone numbers.

Re:Real advantage over SSL?

[Rijnzael]

I don't think this is an attempt to prevent interception of passwords in transit over the network; I believe it's an attempt to prevent keyloggers or other nefarious software/hardware on a machine from impacting the user's privacy.

Re:Real advantage over SSL?

[betterunixthanunix]

Since when has Facebook started caring about user privacy? This is, as noted, an attempt to get more people to divulge their cell phone numbers.

Re:Real advantage over SSL?

[JustOK]

they've always cared about user privacy...just not in the traditional sense of protecting it.

Re:

[gparent]

Or maybe they just want to help people who login from school computers, "Free WiFi" places, and such?

Oh wait nevermind, you're right. All your phone numbers are belong to them, 9/11 was a hoax, we never landed on the moon, the titanic was bombed. *Salutes* Sir! Yes! Sir! Carry on!

Re:

[suso]

Facebook caring about user privacy? Pulease!

Re:

[Sancho]

It's not about privacy--it's about keeping the people behind the account as the account owner so that aggregated information about that person/account remains accurate.

Re:

[sinclair44]

How exactly are phone numbers useful to them?

Re:

[silverglade00]

*RING* Hello?
This is an automated call from Farmville reminding you to harvest your crops. Farmville would also like to remind you that you can get a free Special Edition Purple Cow!!!11!!!ZoMg! for your farm just for trying out the new Facebook Mastercard...

Re:Real advantage over SSL?

[gstoddart]

How exactly are phone numbers useful to them?

One more vector of information which can be correlated to you, spammed, sold, analyzed, or mined.

People won't know all of the ways this could be a bad idea until it's way too late -- same with most of Facebook and privacy. Give everything away and hope for the best, or don't use it at all ... and still hope for the best.

Re:

[bball99]

won't matter if you use a throwaway phone - all my phones are $4.88 from Dollar General or the local FYE

Re:

[xaxa]

Until one of your Facebook friends wants to contact you, and uses the number you've listed on Facebook.

(Since this integrates very well with my HTC Android phone I use this all the time without realising it.)

Disadvantage of dumbphones

[tepples]

all my phones are $4.88 from Dollar General or the local FYE

BREW phones like these tend not to have a wide variety of applications because the BREW application development process has substantial entry barriers against small developers. It's even more expensive than the iPhone developer program. So you'd end up carrying two phones, each with its own service plan: a smartphone to run apps and a dumbphone for anonymity.

Re:

[Theoboley]

are those the ones that come with the candy inside?

Re:Real advantage over SSL?

[tgd]

Sometimes there's a conspiracy.

Sometimes you just really don't understand.

If you think this has anything to do with SSL, guess which camp you're in?

Re:

[DrgnDancer]

In this case it could be both. I mean, it's a really good system for protecting your password, but it also gives your cell number to Facebook which they really like. If you use a lot of public computers this becomes kind of a win-win. You get increased security, Facebook gets your number. If I want to access Facebook and I have my phone I use the Facebook app, so for me this isn't very useful.

Re:

[Yer Mom]

Yes, but most Facebook users have already added their number to their profiles so their friends can call them...

makes sense

[sakura the mc]

but that limited password better come with limited privledges to protect the account from getting jacked.

Re:

[Rhaban]

agreed, you should not be able to change your e-mail/password/privacy setting with it.

What about privileges?

[Arancaytar]

With sufficiently complex spyware, an untrusted computer could do much damage even with a temporary access: Install applications, scrape your email, change your real password... this is only secure if the temporary access is severely restricted in what it can do with the account.

Possibly a good move

[Rijnzael]

I think this is a step in the right direction, assuming spoofing is difficult or impossible for these SMS messages (anyone care to weigh in there?). Still, my personal policy is to never login to a system which contains somewhat sensitive data from a computer that I don't fully control or whose controller I don't fully trust. Their solution seems like a workaround, while users could just stop any potential privacy violation at the source and opt not to provide their credentials via others' machines.

Re:

[camcorder]

Maybe you can live with not logging in from a "computer" that you don't fully control in your basement, but in real world, there happens to be a lot of times that you need to login through a computer (and sometimes only available ones are public). On the other hand, it's not over only with control of the computer you used as client. You need the control of the network as well.

General rule of thumb should be, never put anything secret at all to databases that could be accessed over public networks, like In

Re:

[betterunixthanunix]

What situations do you wind up in where you need to log in to an untrusted computer, and you don't have any time to go find one you trust?

Re:

[Darkness404]

Public labs at a university. While I have a hard time thinking of any time that I -need- to log into Facebook and can't just use, say, a smartphone app. There are a lot of occasions where in university you realize that there is something you need to do online (such as quickly type and turn in a paper you just remembered is due in 2 hours) but you can't trust the security of a lab computer (its pretty easy to install hardware keyloggers that just go between the PS2 or USB port and capture keystrokes) so you

Re:

[betterunixthanunix]

Perhaps, although I think that scenario says more about universities than anything else (like the fact that you have to log in to lab computers just to type a short essay). I do not find myself in that situation too frequently though, although it could just be the way I work (I usually have my laptop available).

Re:

[L4t3r4lu5]

Fire up the on-screen software keyboard. If you have any students at all who have reduced mobility in their hands / arms, it'll be on every computer across the campus.

Re:

[xaxa]

What situations do you wind up in where you need to log in to an untrusted computer, and you don't have any time to go find one you trust?

On holiday
At some point between home and the amazing party you have an invite to on Facebook, but can't remember the location of
At school/college/university

Maybe when you want someone else to log in for you, e.g. to ask someone else to look up a phone number when you aren't near a computer.

Re:

[tepples]

What situations do you wind up in where you need to log in to an untrusted computer, and you don't have any time to go find one you trust?

Traveling without a laptop, for one. Some people aren't wealthy enough to own more than one PC. Others who have purchased an iPod touch or iPad no longer feel the need to carry a laptop, but a lot of Facebook apps require Flash, which doesn't work on iPod touch or iPad. Or traveling to the home of a relative who can't or won't give you the WEP key. Or in the break room at work.

Re:

[Sancho]

but a lot of Facebook apps require Flash, which doesn't work on iPod touch or iPad.

If you need to log in to Facebook and use a flash app, you might want to consider seeking help.

Re:

[betterunixthanunix]

If Facebook now stores people's sensitive data, we are in a lot of trouble...

Stolen Phone?

[friedmud]

I wonder what happens if someone steals your phone (or just if a roommate picks it up).... can they then get into your Facebook account by requesting a one-time password?

I'm sure they've thought of this trivial case... but I wonder how they're going to handle it.

Re:Stolen Phone?

[Rhaban]

a lot of people who use have smartphones with a facebook app, so if someone steals the phone they already have access to your fb account.

Re:

[Mordaximus]

Someone who is security conscious enough to use this service, is also probably bright enough to actually secure their smartphone with a PIN.

Re:Stolen Phone?

[compro01]

If you've got a touchscreen phone, that PIN may be much less secure than you think.

http://tech.slashdot.org/story/10/08/11/128244/Touchscreens-Open-To-Smudge-Attacks [slashdot.org]

Re:

[DragonWriter]

Someone who is security conscious enough to use this service, is also probably bright enough to actually secure their smartphone with a PIN.

If they have a smartphone -- in which case, they can log into Facebook without a computer from the phone -- they probably have little need for this service. This service would seem to be most useful for people with dumb phones that use facebook from untrusted computers.

And I think it is a mistake to think that someone who uses one feature that is promoted as offering se

Re:

[Darkness404]

Like another poster said most phones already have a Facebook app. But really, that is why you have a lock on your phone if you are around people who you don't trust.

Re:

[vlm]

I don't use facebook, but obviously post that you used the service to your wall. Then when your little minions comment on how you "forgot your password this morning" ... but you didn't ... then you'll get the idea.

It would also be semi amusing to require a cellphone photo of a human as part of the password request.

Hooray!

[fridaynightsmoke]

Now nobody will ever know what you post on Facebook from an untrusted computer! Wait..

Stay calm and you won't

[Compaqt]

get hurt.

Hand over your cell phone and tell me your Facebook email.

ZeusBot

[n0dna]

"Man in the Mobile"

Smartphone variant already set to harvest OTP.

facebook: what an incredible waste of time

[digitaldc]

Hurry! I need my password to I can login and complain about my miserable life and post pictures from the bar celebrating my miserable life!

Whatever did people do before facebook? Oh yeah, they actually talked to people face-to-face and spent 'quality time' in full 3-D social interaction.

I agree, I waste so much time on Facebook

[asdfington]

I barely have time left for my Serious Business on /.!!

If none of your neighbors shares a given interest

[tepples]

Whatever did people do before facebook? Oh yeah, they actually talked to people face-to-face and spent 'quality time' in full 3-D social interaction.

There were also fewer people with whom to interact, meaning less chance of finding somebody in the same town who shares some specific interest with you.

Re:

[Ogive17]

So I guess you don't email or talk on the phone... because those both eliminate the need for face-to-face conversation. Oh, so does /.

I don't hang out with my friends nearly as much as I use to... but that's not due to facebook, that is because we're all in our 30s now and most have spouses and young children. But I am able to keep in contact with them on a daily basis, if I need.

TEXT - What is that?

[jimwelch]

I have it disabled on all 5 of my family phones. COST!

Re:

[mdm-adph]

Yeah, I do too. I just use the Google Voice app to get free texting to all 5 of my family phones! COST!

For extra-light users, prepaid is cheaper

[tepples]

their $29.99 500 minute plan

Because I use fewer than a tenth of that many minutes per month, I pay Virgin Mobile about $5 per month. COST!

Improving in the wrong direction...

[Haedrian]

When people want more security on their facebook, they usually mean protection from Facebook and other corporations - not passwords themselves.

How about fixing the lack of privacy instead?

privacy

[jDeepbeep]

Because Facebook's version of privacy is like McDonald's version of nutrition. It's not part of their formula.

Re:

[L4t3r4lu5]

Facebook have a great solution for keeping your information private.

If you don't like what they do with your data, don't give it to them. Nobody is putting a pistol to your head.

Re:

[Ogive17]

Using Facebook is 100% optional. If privacy is an issue, you don't have to give them any personal/private data.

Your temporary Facebook password

[CatsupBoy]

This message brought to you by FACEBOOK... Hungry? Try McDonald's new double Big Mac extra value meal only 4.99 at participating McDonald's

Your temporary password is:
[message part 1/2]

RSA Encryption

[Kildjean]

What they really need to do is add RSA Encryption to the account, then create an app for iPhone to get the key from. they could also create a dongle that people buy from for $6.95 and that way their accounts will be encrypted, and issue is solved. This is pretty much what Blizzard did with their WoW accounts.

Re:RSA Encryption

[Maarx]

I regret to inform you that you have absolutely no idea what you are talking about. There is absolutely no encryption going on with your WoW account, let alone something as complex as RSA Encryption.

There is an additional password, generated from a hardware dongle, which is required for you to log in, but it is simply a password, not an encryption key. Once it has been successfully provided, the rest of your traffic is identical to traffic on an account without an authenticator. Your account is not "encrypted". You have a second password. Nothing more, nothing less.

CHARGES TO YOUR CELL PHONE BILL!

[lonesome phreak]

Be carefull putting your mobile number in Facebook. I currently work for one of the worlds largest mobile telecoms as a CSR, and we just had a bit of training where we learned that your cell phone bill can be charged by a 3rd party game if you click and play the wrong one. Every day I remove "mobile download" 3-rd party charges because there is little obvious warning about playing some game will add a 9.99 monthly subscription because they where able to retrieve your cell phone via FB.

It's just getting worse, I wish there was a better way to educate people. Not because I care about people, but because I'm tired of having to remove the subscriptions ten times a day every day lol.

New Facebook hacking technique

[kheldan]

1. Steal target's phone
2. Get temp Facebook password
3. Change target's permanent Facebook password
4. ????
5. Profit!

..assuming of course that Facebook allows you to change your permanent password after logging in with a temporary password. Sure hope they thought of that.

Re:

[bilbravo]

Wouldn't stealing your phone also give them loads of other personal information? And the first thing you think of is they will have your facebook account?

Re:

[poetmatt]

if your phone is being stolen you have security problems other than facebook.

Re:

[DrgnDancer]

This is why my phone has a PIN on it and can be remotely wiped. Actually this isn't why. I'm a lot more worried about the banking app, my address book, my calendar and probably a dozen other things... This is a nice tangential benefit to having a PIN and remote wipe on my phone. Seriously though. You think the first thing someone is going to do on stealing your phone is see if they can use it to get into your Facebook account?

Re:

[Khuffie]

Umm, the whole point of this login system is not to use your original password at all. Avoid keyloggers/malware on computers you don't know/trust.

Re:Phone Theft.

[lxs]

And facebook gets your cellphone number. Good thing that fb is a reputable company ran by people of high integrity who would never abuse that information.

Re:

[Khuffie]

You don't want this feature...don't use it? Simple concept, no? Facebook already has other mobile features (ie, notification via text) if you choose to signup for them.

Re:

[molnarcs]

And facebook gets your cellphone number. Good thing that fb is a reputable company ran by people of high integrity who would never abuse that information.

How? It's a serious question. I had my phone number listed already, never saw any drawbacks. Of course, it can be abused, mostly by users, but that's when "don't be stupid" kicks in - don't befriend random people you know nothing about, adjust your privacy settings, etc. So how is Facebook going to abuse this information?

Re:

[stewbacca]

The scary Facebook lack of privacy is highly exaggerated. I've had my number listed on my profile page for over two years now. I don't do anything out of the ordinary other than keep my info private to my friends only. Amazingly, nothing bad has happened because I listed a phone number on my page that I actually want people to have.

Re:

[Rhaban]

Typically this type of login requires both the one time passwords AND your normal passwords.

No, the goal is that you can use this 1-time password on a non-trusted computer and it would not be useful if keylogged. Requiring you to also type your normal password makes no sense in this context.

Re:

[Cwix]

What if you had to text your regular password to facebook to get a one time pass.

Re:

[Rhaban]

What if you had to text your regular password to facebook to get a one time pass.

Then you would have to delete your text history every time you use this feature.

Re:

[Anonymous Coward]

More to the point, if you need your phone anyway, why don't you just browse facebook on your phone, like all my friends already do?

Re:

[hjf]

Got a better idea?

Re:

[Quirkz]

Sorry, but deleting one's account is not actually a solution for people who want to access their account.