Facebook Introduces One-Time Passwords
angry tapir writes "Worried about logging into Facebook from a strange computer? There's now a way to get into the popular social network without entering your regular Facebook password. It's called a temporary password. To use it, users must list their mobile phone numbers with their Facebook accounts. They can then text a number from their phones and Facebook sends back a temporary password that is good for 20 minutes. The service will be available worldwide in the next few weeks."
Now can we please get one-time credit card authorisation?
867-5309 will give you a password of "Jenny"
Stupidity only gets you so far, then you've gotta try
i am sure that there is no chance that they were scraping around for an excuse to collect cell phone numbers from their users. adding that very unique information to their already massive database on every user will make it much more valuable. as i tell my friends, it's just a pyramid scheme. you get a free website with communication tools bolted on and they get to know everything about you and will sell it to whoever they want.
Yet another way for a big Internet organization to collect phone numbers.
Slashdot, fix the reply notifications... You won't get away with it...
Wouldn't stealing your phone also give them loads of other personal information? And the first thing you think of is they will have your facebook account?
Starmen.net
but that limited password better come with limited privileges to protect the account from getting jacked.
With sufficiently complex spyware, an untrusted computer could do much damage even with a temporary access: Install applications, scrape your email, change your real password... this is only secure if the temporary access is severely restricted in what it can do with the account.
I think this is a step in the right direction, assuming spoofing is difficult or impossible for these SMS messages (anyone care to weigh in there?). Still, my personal policy is to never login to a system which contains somewhat sensitive data from a computer that I don't fully control or whose controller I don't fully trust. Their solution seems like a workaround, while users could just stop any potential privacy violation at the source and opt not to provide their credentials via others' machines.
Please tell me I'm not the only one who sees this.
What if someone else uses your cellular phone, or worse, someone uses your cellular phone while you aren't aware of it? That's practically like giving anyone free access to your account.
I think the facebook geniuses are confusing the one-time-pass with the one-time-pad ... particularly in this case, they are two very different things, specifically because the pad requires that the key be exchanged *securely*.
Typically this type of login requires both the one time passwords AND your normal passwords.
Then again, it is implemented by FB and I didn't RTFA, so it is quite possible that they intend to use the OTP without the original passwords.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
I wonder what happens if someone steals your phone (or just if a roommate picks it up).... can they then get into your Facebook account by requesting a one-time password?
I'm sure they've thought of this trivial case... but I wonder how they're going to handle it.
Now nobody will ever know what you post on Facebook from an untrusted computer! Wait..
This is a substitute for a clever sig that fits within the maximum number of characters.
Umm, the whole point of this login system is not to use your original password at all. Avoid keyloggers/malware on computers you don't know/trust.
if your phone is being stolen you have security problems other than facebook.
Copied from windows live.
Typically this type of login requires both the one time passwords AND your normal passwords.
No, the goal is that you can use this 1-time password on a non-trusted computer and it would not be useful if keylogged. Requiring you to also type your normal password makes no sense in this context.
get hurt.
Hand over your cell phone and tell me your Facebook email.
I'm not a lawyer, but I play one on the Internet. Blog
Now can we please get one-time credit card authorization?
You mean like my Discover More Credit Card offers me?
You have the option of re-using the same one for a retailer or just continually requesting a new one if your dealings with them are infrequent or shady.
My work here is dung.
...now Facebook has your phone number.
"Man in the Mobile"
Smartphone variant already set to harvest OTP.
You can implement as many security features as you want, but it won't fix human laziness and stupidity.
Hurry! I need my password so I can log in and complain about my miserable life and post pictures from the bar celebrating my miserable life!
Whatever did people do before facebook? Oh yeah, they actually talked to people face-to-face and spent 'quality time' in full 3-D social interaction.
He who knows best knows how little he knows. - Thomas Jefferson
So how much will Zuckerberg be making off of the sale of all these phone numbers?
What if you had to text your regular password to facebook to get a one time pass.
You are entitled to your own opinions, not your own facts.
So if someone steals my phone they not only have my phone, they now have my facebook account. Great job Facebook!
What if you had to text your regular password to facebook to get a one time pass.
Then you would have to delete your text history every time you use this feature.
I have it disabled on all 5 of my family phones. COST!
Never trust a man wearing a coat and tie!
with facebook's regard for privacy, I wouldn't be surprised if you were then targeted with texted advertisements on your cell phone.
What if you have to prepend the first character of your password to the temporary one.
Doesn't help the malware all that much, if you're the kind who cares enough about security to use this and have a good password.
no password/gadgets required.
the corepirate nazi holycost is increasing by the minute. you call this 'weather'?
continue to add immeasurable amounts of MISinformation, rhetoric & fluff, & there you have IT? that's US? thou shalt not... oh forget it. fake weather (censored?), fake money, fake god(s), what's next? seeing as we (have been told that) came from monkeys, the only possible clue we would have to anything being out of order, we would get from the weather. that, & all the monkeys tipping over/exploding around US.
the search continues;
google.com/search?hl=en&source=hp&q=weather+manipulation
google.com/search?hl=en&source=hp&q=bush+cheney+wolfowitz+rumsfeld+wmd+oil+freemason+blair+obama+weather+authors
meanwhile (as it may take a while longer to finish wrecking this place); the corepirate nazi illuminati (remember, (we have been told) we came from monkeys, & 'they' believe they DIDN'T), continues to demand that we learn to live on less/nothing while they continue to consume/waste/destroy immeasurable amounts of stuff/life, & feast on nubile virgins while worshipping themselves (& evile in general (baal to be exact)). they're always hunting that patch of red on almost everyones' neck. if they cannot find yours (greed, fear ego etc...) then you can go starve. that's their (slippery/slimy) 'platform' now. see also: http://en.wikipedia.org/wiki/Antisocial_personality_disorder
never a better time to consult with/trust in our creators. the lights are coming up rapidly all over now. see you there?
greed, fear & ego (in any order) are unprecedented evile's primary weapons. those, along with deception & coercion, helps most of us remain (unwittingly?) dependent on its' life0cidal hired goons' agenda. most of our dwindling resources are being squandered on the 'wars', & continuation of the billionerrors stock markup FraUD/pyramid schemes. nobody ever mentions the real long term costs of those debacles in both life & any notion of prosperity for us, or our children. not to mention the abuse of the consciences of those of us who still have one, & the terminal damage to our atmosphere/planet (see also: manufactured 'weather', hot etc...). see you on the other side of it? the lights are coming up all over now. the fairytail is winding down now. let your conscience be your guide. you can be more helpful than you might have imagined. we now have some choices. meanwhile; don't forget to get a little more oxygen on your brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.
"The current rate of extinction is around 10 to 100 times the usual background level, and has been elevated above the background level since the Pleistocene. The current extinction rate is more rapid than in any other extinction event in earth history, and 50% of species could be extinct by the end of this century. While the role of humans is unclear in the longer-term extinction pattern, it is clear that factors such as deforestation, habitat destruction, hunting, the introduction of non-native species, pollution and climate change have reduced biodiversity profoundly.' (wiki)
"I think the bottom line is, what kind of a world do you want to leave for your children," Andrew Smith, a professor in the Arizona State University School of Life Sciences, said in a telephone interview. "How impoverished we would be if we lost 25 percent of the world's mammals," said Smith, one of more than 100 co-authors of the report. "Within our lifetime hundreds of species could be lost as a result of our own actions, a frightening sign of what is happening to the ecosystems where they live," added Julia Marton-Lefevre, IUCN director general. "We must now set clear targets for the future to reverse this trend to ensure that our enduring legacy is not to wipe out many of our closest relatives."--
"The wealth of the universe is for me. Every thing is explicable and practical for me .... I
I barely have time left for my Serious Business on /.!!
For whatever reason though, there are still tons of sites out there that do not support verified by visa/mastercard.
I seem to remember some sites using Verified by Visa and then abandoning it. Perhaps they found that shoppers were abandoning their shopping carts after having set up VBV before and then forgetting their VBV username and password.
This is why my phone has a PIN on it and can be remotely wiped. Actually this isn't why. I'm a lot more worried about the banking app, my address book, my calendar and probably a dozen other things... This is a nice tangential benefit to having a PIN and remote wipe on my phone. Seriously though. You think the first thing someone is going to do on stealing your phone is see if they can use it to get into your Facebook account?
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
When people want more security on their facebook, they usually mean protection from Facebook and other corporations - not passwords themselves.
How about fixing the lack of privacy instead?
Or you could do like I did recently and just delete your facebook account. Problem solved. Added bonus: they don't have my cell number and can't automatically opt me in when they roll out their new FaceText feature.
If you're not paying for it, you're not the customer, you're the product.
While the proposed scheme may save your password from a dumb keylogger, once you log in (perhaps with a password you get on your cellphone), the (supposedly rogue) computer now has whatever it needs (e.g., a cookie) to do whatever it wishes on your facebook account. Perhaps it can't keep this access for later, but it can use it now.
So your future may be safe, but your present and past are all compromised.
What happens if you register someone else's phone number with your account?
all my phones are $4.88 from Dollar General or the local FYE
BREW phones like these tend not to have a wide variety of applications because the BREW application development process has substantial entry barriers against small developers. It's even more expensive than the iPhone developer program. So you'd end up carrying two phones, each with its own service plan: a smartphone to run apps and a dumbphone for anonymity.
Because Facebook's version of privacy is like McDonald's version of nutrition. It's not part of their formula.
Finally! Now when I am traveling around the world - which I do quite a bit, I can securely access my facebook account. That is, so long as my phone works wherever I am, and ummm, oh yeah! I need to buy a phone too.
Protip: Everyone else here is also of African descent.
Whatever did people do before facebook? Oh yeah, they actually talked to people face-to-face and spent 'quality time' in full 3-D social interaction.
There were also fewer people with whom to interact, meaning less chance of finding somebody in the same town who shares some specific interest with you.
their $29.99 500 minute plan
Because I use fewer than a tenth of that many minutes per month, I pay Virgin Mobile about $5 per month. COST!
And facebook gets your cellphone number. Good thing that fb is a reputable company run by people of high integrity who would never abuse that information.
This message brought to you by FACEBOOK... Hungry? Try McDonald's new double Big Mac extra value meal only 4.99 at participating McDonald's
Your temporary password is:
[message part 1/2]
What they really need to do is add RSA Encryption to the account, then create an app for iPhone to get the key from. They could also create a dongle that people buy for $6.95 and that way their accounts will be encrypted, and the issue is solved. This is pretty much what Blizzard did with their WoW accounts.
Goddamn whoring shitty filthy fucking asshole motherfucker.
I'm not really sure I want facebook to have my phone number, it's like stores that have started asking for phone numbers at the checkout, they have no legitimate need for that number they just want to be able to call you to sell you things.
The amount of piracy has little to do with how often people go to the movies. You pirate a movie because you are bored or procrastinating and don't know what else to do. You go to a movie theatre for the sake of going there: It is an excuse to see your friends, eat somewhere nice, etc... Or just generally get out of the house.
Piracy could theoretically have impact on movie renting, etc... If there was a decent legal service to compete with piracy. (IE: a service to which you could log on, pay a couple of euros and get to watch the movie in good resolution... I doubt I would be bothered to fire up bittorrent just to save a few euros. But as far as I know, such services aren't available here)
You don't want this feature...don't use it? Simple concept, no? Facebook already has other mobile features (ie, notification via text) if you choose to sign up for them.
Has to be said I have met new people in my town via the likes of Facebook and Twitter, one less than 5 minutes walk from my house.
Yeah, I had a sig once; I got bored of it.
Now when someone decides they want to get on my Facebook they just need to find my phone.
It is not quite the same as RSA's SecurID but it's good. I would like to see a system similar to this for all high-security web access services starting with my bank. Presently, I have just account/password plus "security question/answer" as authentication. Linking the account to a mobile phone is a great option in addition to the standard log-in.
What does this say about the state of computer security in the latter half of 2010?
1. Grab the phone from your drunk friend
2. Get a temporary password
3. Do nasty stuff with his account, including posting pictures of him in this particular moment
But nobody's gonna do that... right?
And facebook gets your cellphone number. Good thing that fb is a reputable company run by people of high integrity who would never abuse that information.
How? It's a serious question. I had my phone number listed already, never saw any drawbacks. Of course, it can be abused, mostly by users, but that's when "don't be stupid" kicks in - don't befriend random people you know nothing about, adjust your privacy settings, etc. So how is Facebook going to abuse this information?
Obvious troll is obvious, but google "Out of Africa Theory" sometime...
And facebook gets your cellphone number. Good thing that fb is a reputable company run by people of high integrity who would never abuse that information.
So use a Google Voice number, which includes text messaging for free.
"And -- Your phone number?" "What?" "I need your phone number." "Why?" "The computer won't let me finish without a phone number." "OK... 3." "3... what?" "Just 3. It's a very old number, been in the family for generations."
My Citibank credit cards offer this. I go online and I can get a temporary number and use that just fine.
There's always the option of not putting sensitive information out there for the world to see on Facebook, and there is always DON'T USE THE SAME PASSWORD FOR SOCIAL NETWORKING AS IMPORTANT LOGINS. But hey that is too simple, I think I'll just give Facebook another piece of information about me that can be exploited...
Be careful putting your mobile number in Facebook. I currently work for one of the world's largest mobile telecoms as a CSR, and we just had a bit of training where we learned that your cell phone bill can be charged by a 3rd-party game if you click and play the wrong one. Every day I remove "mobile download" 3rd-party charges because there is little obvious warning that playing some game will add a 9.99 monthly subscription, because they were able to retrieve your cell phone number via FB.
It's just getting worse, I wish there was a better way to educate people. Not because I care about people, but because I'm tired of having to remove the subscriptions ten times a day every day lol.
Maybe we DID take the blue pill. You wouldn't remember anyway.
The scary Facebook lack of privacy is highly exaggerated. I've had my number listed on my profile page for over two years now. I don't do anything out of the ordinary other than keep my info private to my friends only. Amazingly, nothing bad has happened because I listed a phone number on my page that I actually want people to have.
I just need it for a minute, honest. I'll give it right back, after all I have some Facebook stuff I need to do.
Ideally Facebook has your real password in a hash and doesn't know what it actually is. Meaning they shouldn't be able to know the first character to be able to combine it with the temporary one. If they do know your password, they're doing it wrong.
The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
Are you sure? There might be someone from a small planet somewhere in the vicinity of Betelgeuse.
The Tao of math: The numbers you can count are not the real numbers.
You think so. But in reality your phone has been added to a big botnet which tries to break the nuclear codes and start a global thermonuclear war. :-)
The Tao of math: The numbers you can count are not the real numbers.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Since facebook never comes under scrutiny for your private information, I think that giving them your name, address, birthdate, current living city, and now phone number is a great idea. Now all we need to do is give them our credit card numbers and we will be set. For a website that ensures your data stays private, what could go wrong?
The world is how you make it
you can't chargeback a merchant if it was done via 3DS
Then I guess that's one strike against Nintendo.
But seriously, is it even legal to forbid disputing a charge on grounds of item not received, not as described, defect in materials or workmanship, or other grounds listed in the credit card contract aside from use of stolen credentials?
There are two ways to do it properly - you could SMS people a password, but that screws with people like me who don't always carry their cellphone around
And with people who primarily use a landline.
I can't say for sure for these one time CC #'s, but the difference in fees for "regular credit card" vs "gift card" can be up to 100%. That means 2.5% in fees to the merchant for regular, 5% for gift card. This is to cover the perceived chance of fraud. Transactions where the card is swiped vs. ones where the number is punched in manually will have different fees as well.
Of course, the merchant can just decide to deny any card that causes them higher fees. That's probably what Blizzard was doing to you.
Hollow words will burn and hollow men will burn.
Why does VISA not do the same thing? Really, I mean, to avoid fraud and all of that, you could use this same principle with every account: gmail, hotmail, VISA, banking, etc.... If I am smart enough to link a cell phone number to my facebook account, now it has become a norm or standard in every user's life (100 million accounts???), so now we can sway the banks and CC companies to do the same.... Finally some good coming out of FB for once.... Hope they keep it up, and help push tech further ahead like Google does....
Given the fantastic privacy discipline of FB.
While that is correct, it's not the whole picture: When our ancestors moved to colder areas (like Sweden), they adapted to the colder climate, and as such, their evolution followed a different path.
So while everyone has a common ancestry, everyone has followed a different evolutionary path.
The result is that today's Swedes will be more resistant to cold than today's Africans. And of course, today's Africans will be more resistant to heat than today's Swedes.
Slipping shoelaces ?
Heh. Too bad for them my phone only has chess and tic-tac-toe installed. :-)