Facebook's Account Kit Login System Works Via Phone Numbers, No Passwords Needed

An anonymous reader writes: At this year's F8 developer conference, Facebook announced a new tool called Account Kit, which can be used by app developers to support phone number-based login systems. Every time the user wants to login, they have to enter their phone number. Facebook will then send them a verification code via SMS, which they have to enter on the site. The system was already tested live, and Facebook expects it to be widely adopted, allowing sites to offer users accounts that don't require them to memorize a new password. Each developer has a 100,000 free confirmation SMS messages per month quota. Facebook claims to support SMS login operations for over 230 countries and regions, and in 40 different languages.

Slowly but surely

[Sean]

Everything is being tied back to real identity and it's becoming more and more difficult to publish anything without leaving a trail back to yourself.

Re:Slowly but surely

[butzwonker]

... which happens to be every culture on earth.

Re:Slowly but surely

[skegg]

Definitely part of the long, gradual slide towards less anonymity.
Companies love it: the less nebulous we are to them the more they can profit off us.
Governments love it: all our transactions & interactions can be recorded, tracked and accessed whenever they so desire.

I also groan for the schmucks who use their work phone numbers for online access. If they're let go without notice - and have to surrender their work phone - they'll need to quickly remove that number from their various accounts.

I'll stick to using passwords as my primary log-in method.

Re:Slowly but surely

[Applehu+Akbar]

It's two-factor login without the first factor.

Dislike this idea

Passwords serve a useful purpose. People lose phones all too frequently, and many aren't well-secured. Passwords are a bad authentication mechanism on their own, but they do improve security in two factor authentication. Otherwise, it's possible to do a lot more damage from a lost phone. Knowing a password greatly increases your confidence that the person is who they say they are. I hate the idea of removing either factor in two factor authentication.

Do these muppets not realise

[ickleberry]

That it's possible to intercept SMS, either through the air or from the handset. Feck it, most android apps are spyware/adware with a bunch of permissions it they have no legitimate use for

yay.

[Rik+Sweeney]

I imagine that by giving them my number, I'll also be agreeing to have it passed onto "carefully selected partners" who will send me information about products I may be interested in.

Re:yay.

Not yet. That will be announced in a 'policy update' when they have enough numbers.
You will be able to turn it off, but the default is to leave it on.

steal your phone and your login

[brucellin0]

great, so someone steals my phone and has automatic access to the logins too.

They don't have to steal your phone!

[Ihlosi]

someone steals my phone

They don't even have to steal your phone. They could forge or order a duplicate SIM card, or install malware on your phone. You wouldn't know that someone is using your login.

Re:They don't have to steal your phone!

[Overzeetop]

"You wouldn't know that someone is using your login."

Short of phone malware that hides selected incoming SMS and deletes them before you open your SMS app, you should suspect someone is using your phone number when either (a) you get seemingly random login verification numbers or (b) your phone company bitches at you about having more than one location/identity on their network (SIM presence).

Re:You call THAT 2FA?!?

[110010001000]

If you have someones cell phone you already have access to most things anyway. Most services (including email) on mobile devices leave the user logged in or for convenience by saving their credentials locally.