Facebook introduces one-time passwords

Facebook began rolling out a new service on Tuesday that allows people using public computers to log into the site without having to enter their regular password. Instead, users can log in with a one-time password that, upon request, Facebook zaps to their mobile phones. The temporary access code is good for 20 minutes only. The …

COMMENTS

This topic is closed for new posts.
  1. Geoff Campbell Silver badge
    Boffin

    Good idea

    It'll be interesting to see how well it works in practice, though. I eventually disabled the similar SMS-based security on my PayPal account because the SMS delivery was just too patchy. 5-10 minutes is fine for a joke from a mate, a bit less fine if you are awaiting a password. And then occasionally they'd take 3-4 hours, which was fun.

    GJC

    1. Geoff Campbell Silver badge
      Alien

      Downvoted for that?

      Hello? Mother, is that you?

      GJC

  2. The Indomitable Gall

    Johnny 5 need input...

    ...like in what country?

    I doubt the number will be the same worldwide....

  3. Paul_Murphy
    Joke

    I know.. I know .. I've got one..

    How about this?

    Every 5 minutes every Facebook user will be sent an SMS message asking them a general knowledge question - if they get 4 wrong in any 45 minute period their account gets suspended until they get 6 right in a row.

    If we also alternate SMS messages with email we can make sure that users never leave their computers.

    Oh Oh and we'll say it helps security.

    Also each day we will send each user an SMS copy of the Facebook user manual with the latest version of the security settings appended.

    ttfn

    Is this a joke? I can't tell any more. ;-(

  4. \\\

    The cynic in me

    thinks that this is just a ploy to gather more telephone numbers to calculate connections between random people.

  5. Patrick O'Reilly

    Deadly Idea

    Internet cafes scare the bejeepers outta me, so this is a great idea.

    Might be better though to have it as part of the mobile site, otherwise all one partner has to do is lift the other's phone from the nightstand and pop in their email address to get access to all the pokes their husband is sending to his mistress

  6. Tom_

    I've been asking my bank to do this, but better

    Log in to my account from a trusted computer.

    Use a specific page to create a few one time full access passwords.

    Use a specific page to create a read only access password.

    From an untrusted computer, use the read only password if I just need to check my balance or use a one time password if I need to make any changes or perform any transactions.

    Don't allow one time passwords to be created if I'm logged in on one.

    1. Anonymous Coward
      Anonymous Coward

      I'm not a shareholder...

      ...but LloydsTSB have a nice, light touch, system to stop my bank account being cleaned out. On most paranoid setting I can only set up a new payment (payee) if I'm sitting next to my land line or if I prefer, my mobile, with a one time password system.

    2. Anonymous Coward
      Anonymous Coward

      No title reqd

      This.

      This is exactly what banks should have. Though it would be nice to have a standard read-only password instead of a single use one, as the vast majority of the time I'm just checking balances.

  7. sam 19
    Thumb Down

    Fantastic.

    Now instead of worrying that I've left my computer unlocked when I leave my desk in a hurry I've got to remember my phone because the worst that can now happen isn't that I get a new Furry Pink desktop background but that my Facebook Status is changed to "wishes sister was hotter so last night would be more to brag about" ....

  8. Anonymous Coward
    Anonymous Coward

    intended to give users more control over their accounts

    Don't think so, it looks more like a way to collect phone numbers so they can sell them on to 3rd parties (à la Google Mail).

  9. Colin Miller
    Thumb Up

    Use WAP to get one-time password?

    A better way would be to use WAP or a very basic HTML web-site. You log into this on your mobile with your normal password (preferably using HTTPS), and obtain the one-shot password; the site logs you off immediately after presenting the password.

    This way you get the password quickly, but avoid the extravagant data-usage bills most mobile operators charge you.

    Where's the side-ways pointing thumb-logo when you need it?

  10. Richard Morris
    FAIL

    Mobile One Time Passwords

    Surely the better way would be to introduce Mobile One Time Passwords - http://motp.sourceforge.net/.

  11. Anonymous Coward
    Anonymous Coward

    Good idea

    Brill, in fact.

    1. Anonymous Coward
      Flame

      Right Brilliant new way to steal your info

      Title says it.

  12. Neil CM Burns
    Thumb Up

    works here

    just tried it, took 2 mins from me sending, to getting a pw texted back.

    I am in the UK, for those who are not and finding the service not working for them yet.

  13. The Fuzzy Wotnot
    Stop

    Stop the BS!

    A nice idea but don't give me that crap that they care about you or your data! OK they do care, but only so much as they don't want to lose all that lovely personal data they can sell off later by people dropping accounts and creating new ones when their accounts get hijacked!

  14. Graham Marsden

    Just a cynical question...

    ... will the message to your mobile be free, or is there going to be a "small fee" to cover "administration" or some such?

    1. ratfox

      Indeed

      This is easy in the US where the person receiving an SMS pays for it, but in the UK, it is usually not the case... Will Facebook really spend money to send SMSs to people whenever they want?

      1. MacroRodent
        Boffin

        no cost really

        "Will Facebook really spend money to send SMSs to people whenever they want?"

        Individual SMSes cost next to nothing if you can arrange some kind of bulk deal with a mobile operator. It's only the normal consumers that are fleeced. There are even some web sites that allow sending free SMSes.

        I wonder about the strange US billing mentioned. I mean, could an attacker SMS-bomb someone into bankruptcy? I guess this is one of the reasons why SMS became popular much later in the USA than in Europe.

  15. Anonymous Coward
    Anonymous Coward

    Kerrr-ching!

    Just in case you were too miserly to hand us your mobile number, here's a fun new reason to do the right thing! Coming soon: a useful new FREE service - have your newborn's DNA analysed* - get ready for the login of the future!

    *May be shared as widely as possible with any 3rd parties prepared to pay top dollar.

  16. stevanikof

    Flaw?

    So as a lot of people are on facebook then, if I access an unguarded/unlocked phone I can,

    - send "otp" to the access number

    - check or compose an email on the phone to get email address (which is most likely the facebook login)

    - take password once reply comes in

    - off I go to a computer to steal private info

    No?

  17. Anonymous Coward
    FAIL

    Ridiculous

    So I get a one-time password on a public machine. Person next to me steals my cookie, hijacks my session, whatever. Goes Account->Settings->Change Password. Oh, they now have permanent access to my system.

    False sense of security. Meanwhile Facebook goes about adding new privacy "options" which by default are set to "Everyone" every month. C***s!

    1. Fenwar

      ... except they need your real password to change it.

      (I'm *assuming* that that bit isn't going to work with a one-time password.)
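
The scheme Tom_ outlines in comment 6, together with the restriction Fenwar assumes in the reply above (a one-time-password session cannot change the regular password), can be modelled as session scopes. This is an added example, not part of the thread and not Facebook's or any bank's code; the `Account` class, the scope names and the reuse of the article's 20-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 20 * 60  # seconds; the 20-minute validity the article quotes


class Account:
    """Hypothetical account model; names and scopes are illustrative."""

    def __init__(self, password, readonly_password):
        self._salt = secrets.token_bytes(16)
        self._pw = self._kdf(password)
        self._ro = self._kdf(readonly_password)
        self._otps = {}  # KDF(otp) -> expiry timestamp

    def _kdf(self, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self._salt, 100_000)

    def login(self, secret, now=None):
        """Return the session scope: 'full', 'readonly', 'otp' or None."""
        now = time.time() if now is None else now
        digest = self._kdf(secret)
        if hmac.compare_digest(digest, self._pw):
            return "full"
        if hmac.compare_digest(digest, self._ro):
            return "readonly"
        expiry = self._otps.pop(digest, None)  # pop: a code works once only
        return "otp" if expiry is not None and now <= expiry else None

    def create_otp(self, scope, now=None):
        # Only a session opened with the regular password may mint codes.
        if scope != "full":
            raise PermissionError("one-time passwords need a full session")
        now = time.time() if now is None else now
        otp = secrets.token_urlsafe(9)
        self._otps[self._kdf(otp)] = now + OTP_TTL
        return otp

    def can_transact(self, scope):
        return scope in ("full", "otp")  # read-only sessions may only view

    def change_password(self, scope, current, new):
        # A hijacked OTP session must not become permanent access.
        ok = scope == "full" and hmac.compare_digest(self._kdf(current), self._pw)
        if not ok:
            raise PermissionError("regular password required")
        self._pw = self._kdf(new)
```
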

  18. Anonymous Coward
    Anonymous Coward

    lol

    "The feature is available to select Facebook users for now. Over the next few weeks, it will gradually become available to everyone."

    I've heard that lie before.

    I haven't seen a new feature turn up on my Facebook account for at least the last 6 months. Every time they announce one I dutifully wait for it and.... nothing.

    Perhaps removing a bunch of the default Facebook apps broke it lol.

    Who's going to use this new feature anyway? Privacy conscious Facebook junkies? lolwut?

  19. Bob 18
    Stop

    Re-Inventing the Wheel

    Why not just implement RSA SecurID-type two-factor authentication on your mobile phone, instead of on a keytag dongle? This stuff has already been worked out, no need for Facebook to re-invent the wheel here.

  20. MinionZero
    Big Brother

    @Facebook Corporation

    @"We're launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports"

    B.U.L.L....S.H.I.T!!! Facebook, you lot are doing this to get access to everyone's mobile phone numbers. This way Facebook will know exactly what everyone's latest phone number is and can keep confirming it's up to date. This feature is nothing more than a carrot on a stick so to speak to guarantee access to everyone's latest phone number. That in turn greatly helps confirm who people really are as Facebook works with governments who trawl everyone's Facebook posts.

    So this little service is nothing more than a way to give a guaranteed identity to make government profiling of everyone on Facebook far more accurate.

    So another day and another step towards more state spying. Time to turn up the heat again on that poor old boiling frog again. :(

    1. Framitz

      The title is required . . . blah, blah.

      I do believe you have hit the nail on the head.

      We all know by now that faceplant doesn't do ANYTHING that doesn't benefit THEM.

      One more piece of personal information owned and for sale by faceplant.

      Above is MY OPINION only, but I do believe it.

  21. Jim Carter
    WTF?

    Remote log-off?

    B3ta has been doing that for years now. Very useful if I leave myself signed in anywhere after a bash. Which is quite often, considering how drunk I get.

  22. Anonymous Coward
    Anonymous Coward

    On the rob?

    The principle of one-time passwords might be a good one, but is that really the motivation here?

    If I was Facebook, I'd really want everyone's mobile phone numbers - and these creeping little devs, marketed as a security blanket, do just that. It's surely a pure commercial plan.
