Facebook Introduces One-Time Passwords
angry tapir writes "Worried about logging into Facebook from a strange computer? There's now a way to get into the popular social network without entering your regular Facebook password. It's called a temporary password. To use it, users must list their mobile phone numbers with their Facebook accounts. They can then text a number from their phones and Facebook sends back a temporary password that is good for 20 minutes. The service will be available worldwide in the next few weeks."
Great idea. (Score:5, Insightful)
Now can we please get one-time credit card authorisation?
Real advantage over SSL? (Score:5, Insightful)
Re:Phone Theft. (Score:3, Insightful)
makes sense (Score:5, Insightful)
but that limited password better come with limited privileges to protect the account from getting jacked.
Re:Real advantage over SSL? (Score:5, Insightful)
Re:makes sense (Score:3, Insightful)
agreed, you should not be able to change your e-mail/password/privacy settings with it.
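A sketch of how the scheme in the summary and the two comments above fits together server-side: a random temporary password that expires after 20 minutes, is consumed on first use, and yields a session that is refused sensitive settings changes. This is an added illustration, not Facebook's code; the in-memory stores, function names and the 20-minute constant are assumptions drawn from the summary.

```python
import hmac
import hashlib
import secrets
import time

TEMP_PASSWORD_TTL = 20 * 60  # the 20-minute lifetime described in the summary

# In-memory stores standing in for a database (illustration only).
_temp_passwords = {}  # user -> (sha256 hex of password, expiry timestamp)
_sessions = {}        # session token -> {"user": ..., "restricted": bool}

def _digest(pw: str) -> str:
    # Plain SHA-256 is acceptable here only because the value is random,
    # high-entropy and short-lived; user-chosen passwords need a slow hash.
    return hashlib.sha256(pw.encode()).hexdigest()

def issue_temp_password(user: str, now: float = None) -> str:
    """Create a fresh temporary password (the value that would be texted back)."""
    now = time.time() if now is None else now
    pw = secrets.token_urlsafe(9)  # ~72 bits of randomness
    _temp_passwords[user] = (_digest(pw), now + TEMP_PASSWORD_TTL)
    return pw

def login_with_temp_password(user: str, candidate: str, now: float = None):
    """Single-use, time-limited check; returns a restricted session token or None."""
    now = time.time() if now is None else now
    # pop() consumes the password on any attempt, so a wrong guess cannot be
    # retried against the same value; the user simply requests a new one.
    entry = _temp_passwords.pop(user, None)
    if entry is None:
        return None
    digest, expires_at = entry
    if now > expires_at:
        return None
    if not hmac.compare_digest(digest, _digest(candidate)):
        return None
    token = secrets.token_hex(16)
    _sessions[token] = {"user": user, "restricted": True}
    return token

def change_password(session_token: str, new_password: str) -> bool:
    """Refuse credential changes for sessions that came from a temporary password."""
    sess = _sessions.get(session_token)
    if sess is None or sess["restricted"]:
        return False
    # A full-credential session would update the stored password here.
    return True
```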
Re:Real advantage over SSL? (Score:5, Insightful)
Sometimes there's a conspiracy.
Sometimes you just really don't understand.
If you think this has anything to do with SSL, guess which camp you're in?
Re:Real advantage over SSL? (Score:4, Insightful)
One more vector of information which can be correlated to you, spammed, sold, analyzed, or mined.
People won't know all of the ways this could be a bad idea until it's way too late -- same with most of Facebook and privacy. Give everything away and hope for the best, or don't use it at all ... and still hope for the best.
Re:Real advantage over SSL? (Score:5, Insightful)
they've always cared about user privacy...just not in the traditional sense of protecting it.
Re:Great idea. (Score:3, Insightful)
Swedes see movies in actual theaters? I assumed everyone just torrented everything.
Re:Phone Theft. (Score:3, Insightful)
This is why my phone has a PIN on it and can be remotely wiped. Actually this isn't why. I'm a lot more worried about the banking app, my address book, my calendar and probably a dozen other things... This is a nice tangential benefit to having a PIN and remote wipe on my phone. Seriously though. You think the first thing someone is going to do on stealing your phone is see if they can use it to get into your Facebook account?
Re:Real advantage over SSL? (Score:3, Insightful)
In this case it could be both. I mean, it's a really good system for protecting your password, but it also gives your cell number to Facebook which they really like. If you use a lot of public computers this becomes kind of a win-win. You get increased security, Facebook gets your number. If I want to access Facebook and I have my phone I use the Facebook app, so for me this isn't very useful.
Re:Phone Theft. (Score:4, Insightful)
And facebook gets your cellphone number. Good thing that fb is a reputable company run by people of high integrity who would never abuse that information.
RSA Encryption (Score:4, Insightful)
What they really need to do is add RSA Encryption to the account, then create an app for iPhone to get the key from. They could also create a dongle that people buy for $6.95 and that way their accounts will be encrypted, and the issue is solved. This is pretty much what Blizzard did with their WoW accounts.
Re:RSA Encryption (Score:4, Insightful)
I regret to inform you that you have absolutely no idea what you are talking about. There is absolutely no encryption going on with your WoW account, let alone something as complex as RSA Encryption.
There is an additional password, generated from a hardware dongle, which is required for you to log in, but it is simply a password, not an encryption key. Once it has been successfully provided, the rest of your traffic is identical to traffic on an account without an authenticator. Your account is not "encrypted". You have a second password. Nothing more, nothing less.
Re:Phone Theft. (Score:3, Insightful)
And facebook gets your cellphone number. Good thing that fb is a reputable company run by people of high integrity who would never abuse that information.
How? It's a serious question. I had my phone number listed already, never saw any drawbacks. Of course, it can be abused, mostly by users, but that's when "don't be stupid" kicks in - don't befriend random people you know nothing about, adjust your privacy settings, etc. So how is Facebook going to abuse this information?
Or just (Score:1, Insightful)
CHARGES TO YOUR CELL PHONE BILL! (Score:4, Insightful)
Be careful putting your mobile number in Facebook. I currently work for one of the world's largest mobile telecoms as a CSR, and we just had a bit of training where we learned that your cell phone bill can be charged by a 3rd party game if you click and play the wrong one. Every day I remove "mobile download" 3rd-party charges because there is little obvious warning that playing some game will add a 9.99 monthly subscription because they were able to retrieve your cell phone number via FB.
It's just getting worse, I wish there was a better way to educate people. Not because I care about people, but because I'm tired of having to remove the subscriptions ten times a day every day lol.
Re:Phone Theft. (Score:3, Insightful)
The scary Facebook lack of privacy is highly exaggerated. I've had my number listed on my profile page for over two years now. I don't do anything out of the ordinary other than keep my info private to my friends only. Amazingly, nothing bad has happened because I listed a phone number on my page that I actually want people to have.
Re:Having to remember even more passwords (Score:4, Insightful)
Well, a few reasons.
1) Merchants love it because the customer gets stiffed with the charges (you can't chargeback a merchant if it was done via 3DS (3D Secure, aka Verified by Visa and MasterCard's equivalent)). I only do VBV on a merchant I know. Unknown merchants, I'd probably trust Paypal a bit more.
2) It seriously screws up with NoScript. I keep forgetting to enable the 3rd party site which usually results in screwing up the checkout process.
3) It makes it harder to do "one-click shopping". If you're a merchant that gets a lot of impulse buys, the more steps between "I want it" and "We got your order, it'll be shipped soon!" is more chances the user will cancel the order prior to completion. (And this is a very important point)
4) It's extremely insecure, and can offer a great way to phish. Heck, we've got previous Slashdot articles on the subject. Why "Verified by Visa" system is insecure [slashdot.org] and Net Shoppers Bullied into "Verified by Visa" program [slashdot.org].
5) Forgetting your password can get your credit card locked out.
Quite honestly, 3DS is just another form of Wish-it-was two-factor [thedailywtf.com] security. It pretends to be more secure, but in reality it isn't.
There are two ways to do it properly - you could SMS people a password, but that screws with people like me who don't always carry their cellphone around, or perhaps build in an RSA key thingy inside the card itself. Chip cards (which have their own issues - really - the PIN's in the chip and the chip sends an "OK" or "Failed PIN" response - not any form of challenge-response packet to the bank, who should know your PIN, not your card) have powerful enough processors to do some RSA token like task. Given we can buy a calculator for under a dollar, there's no real reason why we can't have credit cards with two-factor support on them (and no PIN needs to be stored - the card will generate a code based on the entered PIN which the bank can validate).
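The card-side token the comment above proposes, worked through as an added example (not from the post or any card vendor): the card mixes the entered PIN into a keyed code over a counter, so it never stores the PIN, and the bank, which knows both the card key and the PIN, recomputes the code to validate it. An HMAC is used in place of the "RSA key thingy" because a symmetric MAC is what such counter-based tokens actually use; the key, counter window and six-digit format are assumptions.

```python
import hmac
import hashlib
import struct

def card_generate_code(card_key: bytes, pin: str, counter: int) -> str:
    """Runs on the card: PIN and counter are bound into one keyed digest.

    A wrong PIN produces a different code rather than a local "Failed PIN"
    answer, so the decision is made by the bank, not by the card.
    """
    msg = struct.pack(">Q", counter) + pin.encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    # Truncate to a six-digit code the cardholder can type (format assumed).
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def bank_validate(card_key: bytes, stored_pin: str, last_counter: int,
                  code: str, window: int = 5):
    """Runs at the bank: recompute the code for the next few counter values.

    Returns the counter that matched (to be stored as the new last_counter,
    which blocks replay of an old code) or None if nothing matched.
    """
    for c in range(last_counter + 1, last_counter + 1 + window):
        expected = card_generate_code(card_key, stored_pin, c)
        if hmac.compare_digest(expected, code):
            return c
    return None
```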
Re:Alternative Solution (Score:3, Insightful)
New Facebook hacking technique (Score:3, Insightful)