
Facebook's Account Kit Login System Works Via Phone Numbers, No Passwords Needed (softpedia.com) 116

An anonymous reader writes: At this year's F8 developer conference, Facebook announced a new tool called Account Kit, which can be used by app developers to support phone number-based login systems. Every time the user wants to log in, they have to enter their phone number. Facebook will then send them a verification code via SMS, which they have to enter on the site. The system was already tested live, and Facebook expects it to be widely adopted, allowing sites to offer users accounts that don't require them to memorize a new password. Each developer has a quota of 100,000 free confirmation SMS messages per month. Facebook claims to support SMS login operations for over 230 countries and regions, and in 40 different languages.
This discussion has been archived. No new comments can be posted.

  • Slowly but surely (Score:5, Insightful)

    by Sean ( 422 ) on Wednesday April 13, 2016 @05:08AM (#51898195)

    Everything is being tied back to real identity and it's becoming more and more difficult to publish anything without leaving a trail back to yourself.

    • by Anonymous Coward

      I intend to enter as many phone numbers as I can find into these systems to make developers go over their quotas and people get annoying SMS messages 24 hours a day.

    • Re:Slowly but surely (Score:5, Interesting)

      by skegg ( 666571 ) on Wednesday April 13, 2016 @07:06AM (#51898587)

      Definitely part of the long, gradual slide towards less anonymity.
      Companies love it: the less nebulous we are to them the more they can profit off us.
      Governments love it: all our transactions & interactions can be recorded, tracked and accessed whenever they so desire.

      I also groan for the schmucks who use their work phone numbers for online access. If they're let go without notice - and have to surrender their work phone - they'll need to quickly remove that number from their various accounts.

      I'll stick to using passwords as my primary log-in method.

      • Definitely part of the long, gradual slide towards less anonymity.

        Companies love it: the less nebulous we are to them the more they can profit off us.

        Governments love it: all our transactions & interactions can be recorded, tracked and accessed whenever they so desire.

        I also groan for the schmucks who use their work phone numbers for online access. If they're let go without notice - and have to surrender their work phone - they'll need to quickly remove that number from their various accounts.

        I'll

    • by Applehu Akbar ( 2968043 ) on Wednesday April 13, 2016 @08:02AM (#51898855)

      It's two-factor login without the first factor.

    • by AvitarX ( 172628 )

      don't you only need an email address to get a free phone number from google?

      • Yes but they know it's not a number from a mobile carrier. I already tried it with Yahoo and their shitty "Oh we just need a phone number in case you lose your password" garbage. No mobile number, no account. WCGW?

    • I haven't had a phone for about 10 years and won't get one for anything like this. What about people using POTS who can't even get SMS. I imagine this will be used as just an alternative login method, otherwise a lot of people won't even be able to use it at all.

      • If you think they care about "dinosaurs" without mobile numbers you're sadly mistaken. You can just get with it, grandpa.

    • "Everything is being tied back to real identity and it's becoming more and more difficult to publish anything without leaving a trail back to yourself."

      Not at all, I bought a dozen empty prepaid sim-cards on ebay for a couple of bucks, to troll my local newspaper, which uses a similar system. (empty cards receive SMSes just fine)
      This is perfect for this if you want multiple accounts.

  • Dislike this idea (Score:4, Insightful)

    by Anonymous Coward on Wednesday April 13, 2016 @05:08AM (#51898197)

    Passwords serve a useful purpose. People lose phones all too frequently, and many aren't well-secured. Passwords are a bad authentication mechanism on their own, but they do improve security in two factor authentication. Otherwise, it's possible to do a lot more damage from a lost phone. Knowing a password greatly increases your confidence that the person is who they say they are. I hate the idea of removing either factor in two factor authentication.

  • by ickleberry ( 864871 ) <web@pineapple.vg> on Wednesday April 13, 2016 @05:18AM (#51898217) Homepage
    That it's possible to intercept SMS, either through the air or from the handset. Feck it, most android apps are spyware/adware with a bunch of permissions they have no legitimate use for
  • yay. (Score:5, Insightful)

    by Rik Sweeney ( 471717 ) on Wednesday April 13, 2016 @05:18AM (#51898221) Homepage

    I imagine that by giving them my number, I'll also be agreeing to have it passed onto "carefully selected partners" who will send me information about products I may be interested in.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Not yet. That will be announced in a 'policy update' when they have enough numbers.
      You will be able to turn it off, but the default is to leave it on.

    • Not any random products, "NEW" and "EXCITING" products.
  • by brucellin0 ( 899459 ) on Wednesday April 13, 2016 @05:22AM (#51898233)
    great, so someone steals my phone and has automatic access to the logins too.
    • by Ihlosi ( 895663 ) on Wednesday April 13, 2016 @05:28AM (#51898261)
      someone steals my phone

      They don't even have to steal your phone. They could forge or order a duplicate SIM card, or install malware on your phone. You wouldn't know that someone is using your login.

      • by Overzeetop ( 214511 ) on Wednesday April 13, 2016 @10:52AM (#51900299) Journal

        "You wouldn't know that someone is using your login."

        Short of phone malware that hides selected incoming SMS and deletes them before you open your SMS app, you should suspect someone is using your phone number when either (a) you get seemingly random login verification numbers or (b) your phone company bitches at you about having more than one location/identity on their network (SIM presence).

        • by Ihlosi ( 895663 )
          Short of phone malware that hides selected incoming SMS and deletes them before you open your SMS app

          The only reason why SMS-intercepting malware would not do this is gross incompetence of the author. And, unfortunately, malware production has become quite professional.

          your phone company bitches at you about having more than one location/identity on their network (SIM presence).

          Multi-SIM is not a bug, it's a feature. And the phone company knows and expects that there will be such a situation, becau

  • Great, it's not like there's a dozen ways to compromise this. From malware on the phone to duplicate SIM cards to intercepting the text message somewhere in transit ...
    • Great, it's not like there's a dozen ways to compromise this. From malware on the phone to duplicate SIM cards to intercepting the text message somewhere in transit ...

      You say that as if there aren't a zillion ways to compromise password protection.

      • by Ihlosi ( 895663 )
        You say that as if there aren't a zillion ways to compromise password protection.

        Why break through the wall when you can steal the key to the front door?

  • by etash ( 1907284 ) on Wednesday April 13, 2016 @05:27AM (#51898259)
    The user will receive a code via sms which then he will have to manually enter ? If that is so, it is a much worse - less practical - tactic than just entering my password. Unless, the app will automatically read the sms and enter the code. Plus I don't understand why this new method is needed, most apps and browsers offer the option to save my credentials, why would we need a new method ?
    • by Tom ( 822 )

      Because they can sell your data better the more they have. With your phone number, they have a cross-platform unique identifier that is just wonderful at correlating data.

      • by DarkOx ( 621550 )

        What would you bet your location data is sent with the passcode/authentication request at least by default?

        I would wager heavily.

        • by skegg ( 666571 )

          I don't see how they'd get location data from this? (Am I overlooking something?)
          At most they'd know the country to which the SIM belongs. Don't know if larger countries incorporate area codes into mobile / cell phones. (?)

          Surely IP address provides much more granular location identity?

          • The numbering plan in the United States goes like this: Area codes are the first 3 digits of a 10-digit number. Inside each area code are several local calling areas, which roughly correspond to cities and towns. Land line calls within a local calling area are free even on plans that charge extra for long distance. Within each local calling area are several exchanges, roughly corresponding to the fourth and fifth (and sometimes sixth) digits of the phone number. Each exchange is assigned to a single phone c

            • by ChadL ( 880878 ) *
              As this is talking about SMS messages we are mostly just looking at cell phones here. More often than not when I get someone's cell number it's from their home-town where they got their first cell phone 10 years ago... and no longer has any relation to where they are living presently.
              As such, of all the evil they can do with that information (cross-account linking, marketing) there are better ways for them to get location data (namely marketing an app using the collected phone numbers which uses GPS to 'fin
              • by tepples ( 727027 )

                More often than not when I get someone's cell number it's from their home-town where they got their first cell phone 10 years ago... and no longer has any relation to where they are living presently.

                But without a local number, it's more expensive for land line users "where they are living presently" to call them. Perhaps they keep the old number because family members back home still have a land line and friends "where they are living presently" have switched to cell-only.

                • by AvitarX ( 172628 )

                  Unless that landline is with literally any company but the local telco.

                  The people I know that have landlines have them through the cable company, and receive free long distance.

                  Where I work we used to have a landline solution (actually I think voip to analog over a T1 before better internet options were available), we paid long distance, but it was under a penny a minute.

                  Long distance is free, or essentially free, even on most landlines now.

              • by DarkOx ( 621550 )

                This is what I was imagining the cell phone will send its location data as part of the application protocol somewhere. Sure you can get some location data from the phone number but my experience is like yours. If you go by the area code on my mobile you'll have me several states away.

                Facebook and the sites that use this though don't want area code resolution data, they want street level anyway. Logon to facebook see ads for the restaurant down the block.

            • by skegg ( 666571 )

              Thanks bud. The landline format isn't too dissimilar to what we use in Australia.

              Cell phones share local calling areas with land lines

              Very interesting point about cell phones; I wouldn't have guessed that. Our ones have a location independent prefix [wikipedia.org]

  • This is the real reason FB keeps pestering me for my phone number.

    Well, no!
  • I don't log in as is. Now that it's a process to do so, I doubt it will increase my use.

    • by Anonymous Coward

      fuck that. it's a reason to never ever EVER let ANYONE "borrow" your phone for ANY reason.. i don't care if your grandmother has fallen and can't get up or your kid has wandered off and you need to call them/look up their tracker. you are NOT using **MY** facebook password..err i mean phone.

  • by Anonymous Coward

    Why don't they use one of the existing 'single logon' providers that already offer that?
    But of course Google and MS are somewhat the competition. And they don't get your phone number to start selling it to SMS advertizers.

  • by Anonymous Coward

    This is the biggest backdoor snooping for 3-letter agencies ever.
    Since they can (legally) intercept this kind of traffic, all they need is
    a phone # and a way to respond to an un-encrypted SMS message
    on that phone # to have access to that account. My cat can do that.

    CAP === 'pigskin'

  • by Anonymous Coward

    Congratulations. This is the dumbest idea. The SMS verification is only for extra security in normal places, not a replacement.

  • Yea, I really want to give out my cell phone number so you can further gather information to let you and your selected partners send me "valuable information I might be interested in" via SMS and voice calls. IIRC Google Boice can get SMS or get a cheap VOIP or Tracfone as a burner.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Governments all over the world are working hard to close those loopholes. Soon you won't be able to buy a phone or sim card without id, and all the devices already out there will suddenly have their network access revoked until you register them with government issued id. If a tin pot dictatorship like pakistan can pull this off, anybody can.

      • 100% correct. I have been saying this for years: eventually you will only be able to connect to the Internet with "approved" and "registered" devices. This is already happening in the mobile world.
    • by tepples ( 727027 )

      IIRC Google Boice can get SMS

      If by "Boice" you meant Voice, this has two drawbacks. First, Google Voice is unavailable in most countries. Second, a lot of these SMS verification services have blacklisted Google Voice and "cheap VoIP" because of their weaker identity guarantees.

  • You call THAT 2FA?!? (Score:2, Interesting)

    by geekmux ( 1040042 )

    Congratulations Farcebook. You've managed to re-define two-factor authentication for the new generation who's too damn lazy to actually create and remember a secure password.

    Your version of 2FA is now something you have, coupled with something you have.

    All I need to do now to impersonate someone online is have their phone in my possession.

    And of course the way the professional world these days hangs your career on your social media responsibility, you'll be fired within the hour for something you could ba

  • by j-beda ( 85386 ) on Wednesday April 13, 2016 @07:08AM (#51898603) Homepage

    This doesn't seem like a simple way to send 100,000 to anyone who I might be wanting to abuse, does it?

    In any case I hope they have tried to engineer some security and sanity checks into the system.

    I would not want to be the unfortunate sod who has got a new cell phone and found out that the previous owner of that number has enabled this feature and forgot to update their facebook profile when they changed cell phones - getting random authentification texts via facebook for the rest of my life doesn't seem very pleasant.
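An added example, not part of the thread and not Facebook's code: a minimal server-side sketch of the SMS login flow from the story summary with the kind of sanity checks the comment above hopes for, namely a per-number send throttle, code expiry, a guess limit and single-use codes. The class name, the limits and the `send_sms` callable are all hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# All limits are assumed values for illustration, not Account Kit's settings.
CODE_TTL = 300       # seconds a code stays valid
MAX_ATTEMPTS = 5     # guesses allowed per issued code
MAX_SENDS = 3        # SMS messages per number per window
SEND_WINDOW = 3600   # seconds


class SmsLoginVerifier:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms            # callable(phone, code): SMS gateway
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side key for code digests
        self._pending = {}                   # phone -> digest, expiry, attempts
        self._sends = {}                     # phone -> timestamps of recent sends

    def _digest(self, phone, code):
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def request_code(self, phone):
        """Issue a code unless this number was texted too often recently."""
        now = self._clock()
        recent = [t for t in self._sends.get(phone, []) if now - t < SEND_WINDOW]
        self._sends[phone] = recent
        if len(recent) >= MAX_SENDS:
            return False                     # throttled: no SMS, no quota spent
        code = f"{secrets.randbelow(10**6):06d}"
        # A new request replaces any older code, so only one is ever live.
        self._pending[phone] = {"digest": self._digest(phone, code),
                                "expires": now + CODE_TTL,
                                "attempts": MAX_ATTEMPTS}
        recent.append(now)
        self._send_sms(phone, code)
        return True

    def verify(self, phone, code):
        """True only for the live, unexpired code; each code works once."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[phone]
            return False
        entry["attempts"] -= 1
        ok = hmac.compare_digest(entry["digest"], self._digest(phone, code))
        if ok or entry["attempts"] <= 0:
            del self._pending[phone]         # single use, or guess budget spent
        return ok
```

None of these checks addresses a recycled or hijacked number: whoever receives the SMS passes `verify`.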

  • by Whatanut ( 203397 ) on Wednesday April 13, 2016 @07:13AM (#51898623)

    No, facebook. You can't have my phone number....

  • to go with the flow of the multiple above comments, i might be tempted to add another "WTF" comment.

    but at least I can imagine one possible use case... someone's at granny's house and wants to log into FB on some big screen device (Smart-tv, PC, granny's tablet) to show off holiday snaps.. but can't log into FB there because they can't remember their extra-secure 17-digit password, so they get a "cumbersome, one-off" PW through the (possibly not even "smart") phone in their pocket.

    not that it's not ridi

  • More and more applications will need the facebook platform in order to run.

    .
    How long will it be before facebook users never leave the facebook environment?

    • How long will it be before facebook users never leave the facebook environment?

      Already. I see that happen all the time.

      I use Facebook a lot for my business and from the questions I get on my posts it is clear that 1) people don't really read them (or maybe just the first 50 words or so) as the question is answered in the post already, and 2) they never follow links given, only when explicitly prompted to do so.

  • ... that Facebook bought Whatsapp. Whatsapp has been using this verification scheme for years.

  • by nicolaiplum ( 169077 ) on Wednesday April 13, 2016 @09:14AM (#51899405)

    This sort of authentication is very common in China, where your phone number is your identity for many purposes. With WeChat payments, your payment identity is even your phone number.

    People who arrive at online connectivity via smartphones and messaging software don't have an email address and don't want one; their identity is their phone number. With all the problems that has, but those aren't problems they see at first (email also is not lacking in problems).

    So this is Facebook aiming at being the auth service, and entry point to the Internet, for people who are newly connected to the Internet via smartphones. The next billion to be networked.

    This is not aimed at anyone who uses slashdot - if you read this, you're just not one of the people described above.

  • Have they fixed this known problem [schneier.com] yet?

    I'm sure this isn't the only known SS7 vulnerability out there.

    If this gets popular, I predict a rash of SS7 zero-days in the coming years.

    Oh, and I haven't even mentioned vendor-specific vulnerabilities in the implementation of SS7, VoIP (where applicable), cell-tower, and cellphone-handset technology.

  • I just had a WOW moment reading this post. Yesterday I used the account kit login to order some pizza and I was wondering what was that. Looks like iFood was quick to implement it. Kudos for them.

  • by Anonymous Coward
    Come on, people, how much more invasion of your privacy are you going to put up with before you say enough is enough? Do you really think they're going to keep your phone number private? No, they'll sell it to their 'partner' companies so you can be text message spammed and get marketing calls, which will be fully legal for them to do, because the terms of service will allow it, and you agreed to it just by using Facebook. Also as others have pointed out, now, if you weren't using your real name on Facebook
    • by Anonymous Coward

      Come on, people, how much more invasion of your privacy are you going to put up with before you say enough is enough?

      There is no limit. Whatsoever. As long as you wrap it up in a glossy ad campaign, people will do anything without a single moment of consideration for the future consequences.

  • Especially when you have to wait for the SMS to show up. It's not guaranteed to be instantaneous. Your carrier could be busy.

    What happens if you are someplace where the reception sucks and you can't get your SMS right away? Are they going to offer you an alternative way to log in? I'm only wondering because some applications and sites that currently use Facebook for access don't let you sign up/in with another method. Since I don't want Facebook tracking me I avoid those sites.

    Jeez, just use an offline pass

  • "Facebook will then send them a verification code via SMS, which they have to enter on the site. " Uh... isn't that a "password"? And a much less convenient one at that.
