Slashdot Mirror


Facebook's Account Kit Login System Works Via Phone Numbers, No Passwords Needed (softpedia.com)

An anonymous reader writes: At this year's F8 developer conference, Facebook announced a new tool called Account Kit, which can be used by app developers to support phone number-based login systems. Every time the user wants to log in, they have to enter their phone number. Facebook will then send them a verification code via SMS, which they have to enter on the site. The system was already tested live, and Facebook expects it to be widely adopted, allowing sites to offer users accounts that don't require them to memorize a new password. Each developer has a quota of 100,000 free confirmation SMS messages per month. Facebook claims to support SMS login operations for over 230 countries and regions, and in 40 different languages.

22 of 116 comments

  1. Slowly but surely by Sean · · Score: 5, Insightful

    Everything is being tied back to real identity and it's becoming more and more difficult to publish anything without leaving a trail back to yourself.

    1. Re:Slowly but surely by butzwonker · · Score: 5, Insightful

      ... which happens to be every culture on earth.

    2. Re:Slowly but surely by skegg · · Score: 5, Interesting

      Definitely part of the long, gradual slide towards less anonymity.
      Companies love it: the less nebulous we are to them the more they can profit off us.
      Governments love it: all our transactions & interactions can be recorded, tracked and accessed whenever they so desire.

      I also groan for the schmucks who use their work phone numbers for online access. If they're let go without notice - and have to surrender their work phone - they'll need to quickly remove that number from their various accounts.

      I'll stick to using passwords as my primary log-in method.

    3. Re:Slowly but surely by Applehu+Akbar · · Score: 4, Insightful

      It's two-factor login without the first factor.

    4. Re:Slowly but surely by AvitarX · · Score: 2

      Don't you only need an email address to get a free phone number from Google?

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  2. Dislike this idea by Anonymous Coward · · Score: 4, Insightful

    Passwords serve a useful purpose. People lose phones all too frequently, and many aren't well-secured. Passwords are a bad authentication mechanism on their own, but they do improve security in two-factor authentication. Otherwise, it's possible to do a lot more damage from a lost phone. Knowing a password greatly increases your confidence that the person is who they say they are. I hate the idea of removing either factor in two-factor authentication.

  3. Do these muppets not realise by ickleberry · · Score: 3, Interesting

    That it's possible to intercept SMS, either through the air or from the handset. Feck it, most Android apps are spyware/adware with a bunch of permissions they have no legitimate use for.

  4. yay. by Rik+Sweeney · · Score: 4, Insightful

    I imagine that by giving them my number, I'll also be agreeing to have it passed onto "carefully selected partners" who will send me information about products I may be interested in.

    1. Re:yay. by Anonymous Coward · · Score: 3, Insightful

      Not yet. That will be announced in a 'policy update' when they have enough numbers.
      You will be able to turn it off, but the default is to leave it on.

    2. Re:yay. by 140Mandak262Jamuna · · Score: 2

      Not any random products, "NEW" and "EXCITING" products.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  5. steal your phone and your login by brucellin0 · · Score: 5, Insightful

    Great, so someone steals my phone and has automatic access to the logins too.

  6. Not sure I understand by etash · · Score: 2

    The user will receive a code via SMS, which he will then have to manually enter? If that is so, it is a much worse, less practical tactic than just entering my password. Unless the app will automatically read the SMS and enter the code. Plus, I don't understand why this new method is needed; most apps and browsers offer the option to save my credentials, so why would we need a new method?

    1. Re:Not sure I understand by Tom · · Score: 2

      Because they can sell your data better the more they have. With your phone number, they have a cross-platform unique identifier that is just wonderful at correlating data.

      --
      Assorted stuff I do sometimes: Lemuria.org
  7. They don't have to steal your phone! by Ihlosi · · Score: 5, Interesting
    "someone steals my phone"

    They don't even have to steal your phone. They could forge or order a duplicate SIM card, or install malware on your phone. You wouldn't know that someone is using your login.

    1. Re:They don't have to steal your phone! by Overzeetop · · Score: 3, Insightful

      "You wouldn't know that someone is using your login."

      Short of phone malware that hides selected incoming SMS and deletes them before you open your SMS app, you should suspect someone is using your phone number when either (a) you get seemingly random login verification numbers or (b) your phone company bitches at you about having more than one location/identity on their network (SIM presence).

      --
      Is it just my observation, or are there way too many stupid people in the world?
  8. Re:Google voice? Burner phone? by Anonymous Coward · · Score: 2, Insightful

    Governments all over the world are working hard to close those loopholes. Soon you won't be able to buy a phone or SIM card without ID, and all the devices already out there will suddenly have their network access revoked until you register them with government-issued ID. If a tin pot dictatorship like Pakistan can pull this off, anybody can.

  9. Re:Google voice? Burner phone? by 110010001000 · · Score: 2

    100% correct. I have been saying this for years: eventually you will only be able to connect to the Internet with "approved" and "registered" devices. This is already happening in the mobile world.

  10. Re:You call THAT 2FA?!? by 110010001000 · · Score: 4, Insightful

    If you have someone's cell phone you already have access to most things anyway. Most services (including email) on mobile devices leave the user logged in or, for convenience, save their credentials locally.

  11. SMS DoS made easy? by j-beda · · Score: 2

    This doesn't seem like a simple way to send 100,000 to anyone who I might be wanting to abuse, does it?

    In any case I hope they have tried to engineer some security and sanity checks into the system.

    I would not want to be the unfortunate sod who has got a new cell phone and found out that the previous owner of that number has enabled this feature and forgot to update their Facebook profile when they changed cell phones - getting random authentication texts via Facebook for the rest of my life doesn't seem very pleasant.

  12. Just another way to get my phone number by Whatanut · · Score: 2

    No, Facebook. You can't have my phone number....

    --

    yvan eht nioj
  13. Re:use case by Whatanut · · Score: 2

    And I'm sure we can agree that this is an absolutely horrible use case.

    --

    yvan eht nioj
  14. Ubiquitous in China, FB aims at next billion users by nicolaiplum · · Score: 2

    This sort of authentication is very common in China, where your phone number is your identity for many purposes. With WeChat payments, your payment identity is even your phone number.

    People who arrive at online connectivity via smartphones and messaging software don't have an email address and don't want one; their identity is their phone number. With all the problems that has, but those aren't problems they see at first (email also is not lacking in problems).

    So this is Facebook aiming at being the auth service, and entry point to the Internet, for people who are newly connected to the Internet via smartphones. The next billion to be networked.

    This is not aimed at anyone who uses Slashdot - if you read this, you're just not one of the people described above.

    --
    "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"