Slashdot Mirror


Facebook Introduces One-Time Passwords

angry tapir writes "Worried about logging into Facebook from a strange computer? There's now a way to get into the popular social network without entering your regular Facebook password. It's called a temporary password. To use it, users must list their mobile phone numbers with their Facebook accounts. They can then text a number from their phones and Facebook sends back a temporary password that is good for 20 minutes. The service will be available worldwide in the next few weeks."


  1. Great idea. by Timmmm · · Score: 5, Insightful

    Now can we please get one-time credit card authorisation?

    1. Re:Great idea. by Rijnzael · · Score: 4, Informative

      BOA does this already if you're in the US.

    2. Re:Great idea. by Rob+the+Bold · · Score: 4, Informative

      > Now can we please get one-time credit card authorisation?

      Amex did this for a while about 10 years ago. I used it and liked it. Then it went away.

      --
      I am not a crackpot.
    3. Re:Great idea. by narooze · · Score: 2, Informative

      There is at least one Swedish company that does deny them, SF Bio (the largest movie theater chain in Sweden). However, in their case there is a good reason; to get the tickets you've bought online with your credit card you have to swipe the same card in their ticket printing machines. You could definitely come up with another way to get the tickets once they are bought, but as long as you have to have the credit card with which you paid to get the tickets, one-time cc numbers are probably out of the question.

    4. Re:Great idea. by pspahn · · Score: 2, Insightful

      Swedes see movies in actual theaters? I assumed everyone just torrented everything.

      --
      Someone flopped a steamer in the gene pool.
    5. Re:Great idea. by dillpick6 · · Score: 2, Interesting

      What happens when your phone gets stolen? I wouldn't want them to have my phone and access to things like my email and facebook, let alone my credit cards and bank accounts. This seems even more risky considering the chance most smart phones could be hacked or some app on the phone turns out to be malicious.

  2. texting by Theoboley · · Score: 5, Funny

    867-5309 will give you a password of "Jenny"

    --
    Stupidity only gets you so far, then you've gotta try
  3. Real advantage over SSL? by hcs_$reboot · · Score: 5, Insightful

    Yet another way for a big Internet organization to collect phone numbers.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Real advantage over SSL? by Rijnzael · · Score: 4, Interesting

      I don't think this is an attempt to prevent interception of passwords in transit over the network; I believe it's an attempt to prevent keyloggers or other nefarious software/hardware on a machine from impacting the user's privacy.

    2. Re:Real advantage over SSL? by betterunixthanunix · · Score: 4, Insightful

      Since when has Facebook started caring about user privacy? This is, as noted, an attempt to get more people to divulge their cell phone numbers.

      --
      Palm trees and 8
    3. Re:Real advantage over SSL? by bball99 · · Score: 2, Interesting

      won't matter if you use a throwaway phone - all my phones are $4.88 from Dollar General or the local FYE

    4. Re:Real advantage over SSL? by silverglade00 · · Score: 2, Funny

      *RING* Hello?
      This is an automated call from Farmville reminding you to harvest your crops. Farmville would also like to remind you that you can get a free Special Edition Purple Cow!!!11!!!ZoMg! for your farm just for trying out the new Facebook Mastercard...

    5. Re:Real advantage over SSL? by tgd · · Score: 4, Insightful

      Sometimes there's a conspiracy.

      Sometimes you just really don't understand.

      If you think this has anything to do with SSL, guess which camp you're in?

    6. Re:Real advantage over SSL? by gstoddart · · Score: 3, Insightful

      How exactly are phone numbers useful to them?

      One more vector of information which can be correlated to you, spammed, sold, analyzed, or mined.

      People won't know all of the ways this could be a bad idea until it's way too late -- same with most of Facebook and privacy. Give everything away and hope for the best, or don't use it at all ... and still hope for the best.

      --
      Lost at C:>. Found at C.
    7. Re:Real advantage over SSL? by JustOK · · Score: 4, Insightful

      they've always cared about user privacy...just not in the traditional sense of protecting it.

      --
      rewriting history since 2109
    8. Re:Real advantage over SSL? by DrgnDancer · · Score: 2, Insightful

      In this case it could be both. I mean, it's a really good system for protecting your password, but it also gives your cell number to Facebook which they really like. If you use a lot of public computers this becomes kind of a win-win. You get increased security, Facebook gets your number. If I want to access Facebook and I have my phone I use the Facebook app, so for me this isn't very useful.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    9. Re:Real advantage over SSL? by Yer+Mom · · Score: 2, Informative

      Yes, but most Facebook users have already added their number to their profiles so their friends can call them...

      --
      Never mind Spamassassin. When's Spammerassassin coming out?
    10. Re:Real advantage over SSL? by Theoboley · · Score: 2, Funny

      are those the ones that come with the candy inside?

      --
      Stupidity only gets you so far, then you've gotta try
  4. Re:yeah, just give us your phone number by TheKidWho · · Score: 4, Informative

    I don't think you know what a pyramid scheme is...

  5. Re:Phone Theft. by bilbravo · · Score: 2, Insightful

    Wouldn't stealing your phone also give them loads of other personal information? And the first thing you think of is they will have your facebook account?

  6. makes sense by sakura+the+mc · · Score: 5, Insightful

    but that limited password better come with limited privileges to protect the account from getting jacked.

    1. Re:makes sense by Rhaban · · Score: 2, Insightful

      agreed, you should not be able to change your e-mail/password/privacy setting with it.

  7. Re:Please tell me this isn't serious... by Anonymous Coward · · Score: 2, Informative

    More to the point, if you need your phone anyway, why don't you just browse facebook on your phone, like all my friends already do?

  8. Re:Stolen Phone? by Rhaban · · Score: 3, Informative

    a lot of people who use have smartphones with a facebook app, so if someone steals the phone they already have access to your fb account.

  9. Re:yeah, just give us your phone number by TheKidWho · · Score: 4, Informative

    I don't think you know what a Pyramid scheme is either...

    Let's wikipedia it:

    A pyramid scheme is a non-sustainable business model that involves promising participants payment primarily for enrolling other people into the scheme, rather than from any real investment or sale of products or services to the public. Pyramid schemes are a form of fraud.

    What you're describing on the other hand is just exploitation.

    if you can't see how this pertains to facebook then you are too dull to be helped.

    I've never heard that one before.

  10. My Discover Card Does This ... by eldavojohn · · Score: 2, Informative

    > Now can we please get one-time credit card authorization?

    You mean like my Discover More Credit Card offers me?

    You have the option of re-using the same one for a retailer or just continually requesting a new one if your dealings with them are infrequent or shady.

    --
    My work here is dung.
    1. Re:My Discover Card Does This ... by gad_zuki! · · Score: 4, Funny

      Fry: Do you take Visa?
      Clerk: Visa hasn't existed for 500 years.
      Fry: American Express?
      Clerk: 600 years.
      Fry: Discover Card?
      Clerk: Sorry, we don't take Discover.

  11. Re:Possibly a good move by Darkness404 · · Score: 2, Interesting

    Public labs at a university. While I have a hard time thinking of any time that I -need- to log into Facebook and can't just use, say, a smartphone app. There are a lot of occasions where in university you realize that there is something you need to do online (such as quickly type and turn in a paper you just remembered is due in 2 hours) but you can't trust the security of a lab computer (it's pretty easy to install hardware keyloggers that just go between the PS2 or USB port and capture keystrokes) so you end up logging into an unsecured machine.

    --
    Taxation is legalized theft, no more, no less.
  12. I agree, I waste so much time on Facebook by asdfington · · Score: 2, Funny

    I barely have time left for my Serious Business on /.!!

  13. Re:Phone Theft. by DrgnDancer · · Score: 2, Insightful

    This is why my phone has a PIN on it and can be remotely wiped. Actually this isn't why. I'm a lot more worried about the banking app, my address book, my calendar and probably a dozen other things... This is a nice tangential benefit to having a PIN and remote wipe on my phone. Seriously though. You think the first thing someone is going to do on stealing your phone is see if they can use it to get into your Facebook account?

    --
    I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  14. Improving in the wrong direction... by Haedrian · · Score: 3, Interesting

    When people want more security on their facebook, they usually mean protection from Facebook and other corporations - not passwords themselves.

    How about fixing the lack of privacy instead?

  15. Re:Stolen Phone? by compro01 · · Score: 3, Informative

    If you've got a touchscreen phone, that PIN may be much less secure than you think.

    http://tech.slashdot.org/story/10/08/11/128244/Touchscreens-Open-To-Smudge-Attacks

    --
    upon the advice of my lawyer, i have no sig at this time
  16. Re:Having to remember even more passwords by pasamio · · Score: 2, Informative

    The worst thing about VBV was not actually having it set up properly and then having a merchant require it compared to others that didn't. I had this happen to me when I was overseas trying to get internet and all of a sudden I got slammed by this Verified by VISA thing that wasn't setup and I could get internet to get the details I needed to get it set up (catch 22). Sounds like a good idea until it gets inconsistently applied in practice.

    --
    I always wondered where this setting was...
  17. Re:Phone Theft. by lxs · · Score: 3, Insightful

    And facebook gets your cellphone number. Good thing that fb is a reputable company run by people of high integrity who would never abuse that information.

  18. RSA Encryption by Kildjean · · Score: 3, Insightful

    What they really need to do is add RSA Encryption to the account, then create an app for iPhone to get the key from. they could also create a dongle that people buy from for $6.95 and that way their accounts will be encrypted, and issue is solved. This is pretty much what Blizzard did with their WoW accounts.

    --
    Nom de dieu de putain de bordel de merde de saloperie de connard d encule de ta mere.
    1. Re:RSA Encryption by Maarx · · Score: 3, Insightful

      I regret to inform you that you have absolutely no idea what you are talking about. There is absolutely no encryption going on with your WoW account, let alone something as complex as RSA Encryption.

      There is an additional password, generated from a hardware dongle, which is required for you to log in, but it is simply a password, not an encryption key. Once it has been successfully provided, the rest of your traffic is identical to traffic on an account without an authenticator. Your account is not "encrypted". You have a second password. Nothing more, nothing less.

  19. Re:Phone Theft. by molnarcs · · Score: 2, Insightful

    > And facebook gets your cellphone number. Good thing that fb is a reputable company run by people of high integrity who would never abuse that information.

    How? It's a serious question. I had my phone number listed already, never saw any drawbacks. Of course, it can be abused, mostly by users, but that's when "don't be stupid" kicks in - don't befriend random people you know nothing about, adjust your privacy settings, etc. So how is Facebook going to abuse this information?

  20. Re:Phone Theft. by Anonymous Coward · · Score: 2, Informative

    > And facebook gets your cellphone number. Good thing that fb is a reputable company run by people of high integrity who would never abuse that information.

    So use a Google Voice number, which includes text messaging for free.

  21. CHARGES TO YOUR CELL PHONE BILL! by lonesome+phreak · · Score: 3, Insightful

    Be careful putting your mobile number in Facebook. I currently work for one of the world's largest mobile telecoms as a CSR, and we just had a bit of training where we learned that your cell phone bill can be charged by a 3rd party game if you click and play the wrong one. Every day I remove "mobile download" 3rd-party charges because there is little obvious warning about playing some game will add a 9.99 monthly subscription because they were able to retrieve your cell phone via FB.

    It's just getting worse, I wish there was a better way to educate people. Not because I care about people, but because I'm tired of having to remove the subscriptions ten times a day every day lol.

    --
    Maybe we DID take the blue pill. You wouldn't remember anyway.
  22. Re:Phone Theft. by stewbacca · · Score: 2, Insightful

    The scary Facebook lack of privacy is highly exaggerated. I've had my number listed on my profile page for over two years now. I don't do anything out of the ordinary other than keep my info private to my friends only. Amazingly, nothing bad has happened because I listed a phone number on my page that I actually want people to have.

  23. Re:Having to remember even more passwords by tlhIngan · · Score: 3, Insightful

    I seem to remember some sites using Verified by Visa and then abandoning it. Perhaps they found that shoppers were abandoning their shopping carts after having set up VBV before and then forgetting their VBV username and password.

    Well, few reasons.

    1) Merchants love it because the customer gets stiffed with the charges (you can't chargeback a merchant if it was done via 3DS (3D Secure, aka Verified by Visa and MasterCard's equivalent)). I only do VBV on a merchant I know. Unknown merchants, I'd probably trust Paypal a bit more.

    2) It seriously screws up with NoScript. I keep forgetting to enable the 3rd party site which usually results in screwing up the checkout process.

    3) It makes it harder to do "one-click shopping". If you're a merchant that gets a lot of impulse buys, the more steps between "I want it" and "We got your order, it'll be shipped soon!" is more chances the user will cancel the order prior to completion. (And this is a very important point)

    4) It's extremely insecure, and can offer a great way to phish. Heck, we've got previous Slashdot articles on the subject. Why "Verified by Visa" system is insecure and Net Shoppers Bullied into "Verified by Visa" program.

    5) Forgetting your password can get your credit card locked out.

    Quite honestly, 3DS is just another form of Wish-it-was two-factor security. It pretends to be more secure, but in reality it isn't.

    There are two ways to do it properly - you could SMS people a password, but that screws with people like me who don't always carry their cellphone around, or perhaps build in an RSA key thingy inside the card itself. Chip cards (which have their own issues - really - the PIN's in the chip and the chip sends an "OK" or "Failed PIN" response - not any form of challenge-response packet to the bank, who should know your PIN, not your card) have powerful enough processors to do some RSA token like task. Given we can buy a calculator for under a dollar, there's no real reason why we can't have credit cards with two-factor support on them (and no PIN needs to be stored - the card will generate a code based on the entered PIN which the bank can validate).

  24. Re:Alternative Solution by Quirkz · · Score: 2, Insightful

    Sorry, but deleting one's account is not actually a solution for people who want to access their account.

  25. Re:yeah, just give us your phone number by baKanale · · Score: 3, Funny

    That's the one where they steal your cellphone number, and use it to track your movements, then wait until you're all alone and kidnap you, taking you to the desert and forcing you to build giant pyramids all day, right?

  26. New Facebook hacking technique by kheldan · · Score: 2, Insightful
    1. Steal target's phone
    2. Get temp Facebook password
    3. Change target's permanent Facebook password
    4. ????
    5. Profit!

    ..assuming of course that Facebook allows you to change your permanent password after logging in with a temporary password. Sure hope they thought of that.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
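
The restriction asked for in comments 6 and 26 above, sketched as an added example (not part of the thread and not Facebook's code): a temporary password that expires after 20 minutes, works once, and yields a session that cannot change the permanent credentials. The function names, the code format, the guess limit and the session lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TTL_SECONDS = 20 * 60   # "good for 20 minutes", per the story summary
MAX_TRIES = 5           # assumed guess limit; the story does not mention one
# Actions the commenters want withheld from a temporary-password login.
SENSITIVE = {"change_password", "change_email", "change_privacy"}

_pending = {}  # user -> outstanding code record (in-memory stand-in for a DB)


def _digest(code):
    return hashlib.sha256(code.encode()).digest()


def issue_temp_password(user, now):
    """Create the code that would be texted to the user's registered phone."""
    code = secrets.token_hex(4)  # constructed format: 8 hex characters
    _pending[user] = {"digest": _digest(code), "expires": now + TTL_SECONDS,
                      "tries": 0}  # a new request replaces any older code
    return code


def login(user, code, now):
    """Return a restricted session, or None. Each code works at most once."""
    entry = _pending.get(user)
    if entry is None:
        return None
    if now >= entry["expires"] or entry["tries"] >= MAX_TRIES:
        del _pending[user]
        return None
    if not hmac.compare_digest(entry["digest"], _digest(code)):
        entry["tries"] += 1
        return None
    del _pending[user]  # consumed: a keylogged code cannot be replayed
    # Assumption: the session ends when the code would have expired.
    return {"user": user, "scope": "temporary", "expires": entry["expires"]}


def authorize(session, action, now):
    """Allow ordinary use; refuse account-takeover actions on temp sessions."""
    if session is None or now >= session["expires"]:
        return False
    if session["scope"] == "temporary" and action in SENSITIVE:
        return False
    return True
```

With this check in place, step 3 of the list in comment 26 fails even when steps 1 and 2 succeed, because `change_password` is refused for any session whose scope is `temporary`.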
  27. Great Idea by Stregano · · Score: 2, Funny

    Since facebook does not ever come into scrutiny for your private information, I think that giving them your name, address, birthdate, current living city, and now phone number is a great idea. Now all we need to do is give them our credit card numbers and we will be set. For a website that ensures your data stays private, what could go wrong?

    --
    The world is how you make it