A posting yesterday on the official Facebook blog by Jake Brill, a product manager with the site’s integrity team, outlined three changes affecting account security available in the coming weeks.
First is Facebook users’ ability to access accounts with temporary passwords sent to their mobile phones. The passwords will remain active for 20 minutes according to Brill, and the feature requires that members provide a mobile phone number for the account. Users must text “opt” to 32665 to receive the one-time, temporary password.
“If you have any concerns about the security of the computer you’re using while accessing Facebook, we can text you a one-time password to use instead of your regular password”, he wrote on the blog. Brill went on to note that the feature would be gradually rolled out over the next few weeks.
The second security feature includes the ability to view active Facebook sessions, which may still be active on another device, and then log out of them remotely. Brill said this could be useful when users have accessed their account from a phone or computer other than their own.
Finally, Brill said that Facebook will periodically prompt users to update their security information rather than relying solely on users accessing the feature on their own.
Reaction to one of the new security features has been mixed. Marcus Ranum, CSO with Tenable Network Security, applauds the new changes, especially the on-demand two-factor authentication feature for account login: “What Facebook has announced is great because the two factors they are asking for are not merely ‘something you know plus something you have’ but ‘something you know plus something you value a lot’. We've seen in the past that people are willing to give away an authentication credential in return for a chocolate bar, however, most people are strongly acculturated to hang onto their phones.”
But over at Sophos, Graham Cluley, a senior technology consultant with the IT security firm, said that the move to provide temporary passwords via mobile phones could present even more security concerns.
"If you believe a computer might not be secure in the first place, why would you use it to access personal accounts such as Facebook?” Cluley questioned. “A temporary password may stop keylogging spyware giving cybercriminals a permanent backdoor into your account, but it doesn't stop malware from spying on your activities online and seeing what's happening on your screen.
Cluley adds we all tend to be a bit absent-minded from time to time and misplace phones, which means that “if someone else can gain access to your phone and send a text message, your Facebook account will be unlocked."
“If you don't trust the PC, don't use it to access Facebook – even if you do have a temporary password," Cluley warned in a recent security blog posting. "Instead, wait until you have access to a trusted PC, rather than risking sharing your personal information with unknown others. There's a real danger that the one-time-password system will be viewed as a green light by Facebook users to access their accounts from unsafe PCs."