Facebook's Account Kit Login System Works Via Phone Numbers, No Passwords Needed (softpedia.com) 116
An anonymous reader writes: At this year's F8 developer conference, Facebook announced a new tool called Account Kit, which can be used by app developers to support phone number-based login systems. Every time the user wants to log in, they have to enter their phone number. Facebook will then send them a verification code via SMS, which they have to enter on the site. The system was already tested live, and Facebook expects it to be widely adopted, allowing sites to offer users accounts that don't require them to memorize a new password. Each developer has a quota of 100,000 free confirmation SMS messages per month. Facebook claims to support SMS login operations for over 230 countries and regions, and in 40 different languages.
Slowly but surely (Score:5, Insightful)
Everything is being tied back to real identity and it's becoming more and more difficult to publish anything without leaving a trail back to yourself.
Re:Slowly but surely (Score:5, Insightful)
Re: (Score:2)
Welcome to the NEW USA...!!
These days, it seems almost NOTHING can be said anymore unless it is 100% vanilla....or you and your private and professional life will suffer.
I must say, it was much nicer in the decades before the 2000s in that regard.
Hm...now, I'm worried about the vanilla comment above...it may be taken as somehow "racial".
Re: (Score:1)
Nah, not racist. It's flavorphobic though. #YESALLFLAVORS
Re: (Score:1)
I intend to enter as many phone numbers as I can find into these systems to make developers go over their quotas and people get annoying SMS messages 24 hours a day.
Re:Slowly but surely (Score:5, Interesting)
Definitely part of the long, gradual slide towards less anonymity.
Companies love it: the less nebulous we are to them the more they can profit off us.
Governments love it: all our transactions & interactions can be recorded, tracked and accessed whenever they so desire.
I also groan for the schmucks who use their work phone numbers for online access. If they're let go without notice - and have to surrender their work phone - they'll need to quickly remove that number from their various accounts.
I'll stick to using passwords as my primary log-in method.
Re: (Score:2)
Re:Slowly but surely (Score:5, Insightful)
It's two-factor login without the first factor.
Re: (Score:1)
They already know who you pretend to be, what you imagine and who you wish you were fucking.
FTFY
Re: (Score:2)
don't you only need an email address to get a free phone number from google?
Re: (Score:1)
Yes but they know it's not a number from a mobile carrier. I already tried it with Yahoo and their shitty "Oh we just need a phone number in case you lose your password" garbage. No mobile number, no account. WCGW?
Re: (Score:1)
That's stupid.
I assume that means no Google Fi either.
I don't have a phone (Score:2)
I haven't had a phone for about 10 years and won't get one for anything like this. What about people using POTS who can't even get SMS. I imagine this will be used as just an alternative login method, otherwise a lot of people won't even be able to use it at all.
Re: (Score:1)
If you think they care about "dinosaurs" without mobile numbers you're sadly mistaken. You can just get with it, grandpa.
Re: (Score:2)
"Everything is being tied back to real identity and it's becoming more and more difficult to publish anything without leaving a trail back to yourself."
Not at all, I bought a dozen empty prepaid SIM cards on eBay for a couple of bucks, to troll my local newspaper, which uses a similar system. (Empty cards receive SMSes just fine.)
This is perfect for this if you want multiple accounts.
Dislike this idea (Score:4, Insightful)
Passwords serve a useful purpose. People lose phones all too frequently, and many aren't well-secured. Passwords are a bad authentication mechanism on their own, but they do improve security in two factor authentication. Otherwise, it's possible to do a lot more damage from a lost phone. Knowing a password greatly increases your confidence that the person is who they say they are. I hate the idea of removing either factor in two factor authentication.
Do these muppets not realise (Score:4, Interesting)
yay. (Score:5, Insightful)
I imagine that by giving them my number, I'll also be agreeing to have it passed onto "carefully selected partners" who will send me information about products I may be interested in.
Re: (Score:3, Insightful)
Not yet. That will be announced in a 'policy update' when they have enough numbers.
You will be able to turn it off, but the default is to leave it on.
Re: (Score:3)
Comment removed (Score:5, Insightful)
They don't have to steal your phone! (Score:5, Interesting)
They don't even have to steal your phone. They could forge or order a duplicate SIM card, or install malware on your phone. You wouldn't know that someone is using your login.
Re:They don't have to steal your phone! (Score:4, Insightful)
"You wouldn't know that someone is using your login."
Short of phone malware that hides selected incoming SMS and deletes them before you open your SMS app, you should suspect someone is using your phone number when either (a) you get seemingly random login verification numbers or (b) your phone company bitches at you about having more than one location/identity on their network (SIM presence).
Re: (Score:2)
The only reason why SMS-intercepting malware would not do this is gross incompetence of the author. And, unfortunately, malware production has become quite professional.
your phone company bitches at you about having more than one location/identity on their network (SIM presence).
Multi-SIM is not a bug, it's a feature. And the phone company knows and expects that there will be such a situation, becau
Great, it's not like there's a dozen ways to ... (Score:2)
The more things change... (Score:2)
Great, it's not like there's a dozen ways to compromise this. From malware on the phone to duplicate SIM cards to intercepting the text message somewhere in transit ...
You say that as if there aren't a zillion ways to compromise password protection.
Re: (Score:1)
Why break through the wall when you can steal the key to the front door?
Not sure I understand (Score:3)
Re: (Score:3)
Because they can sell your data better the more they have. With your phone number, they have a cross-platform unique identifier that is just wonderful at correlating data.
Re: (Score:2)
What would you bet your location data is sent with the passcode/authentication request at least by default?
I would wager heavily.
Re: (Score:2)
I don't see how they'd get location data from this? (Am I overlooking something?)
At most they'd know the country to which the SIM belongs. Don't know if larger countries incorporate area codes into mobile / cell phones. (?)
Surely IP address provides much more granular location identity?
Area codes, local calling areas, and exchanges (Score:2)
The numbering plan in the United States goes like this: Area codes are the first 3 digits of a 10-digit number. Inside each area code are several local calling areas, which roughly correspond to cities and towns. Land line calls within a local calling area are free even on plans that charge extra for long distance. Within each local calling area are several exchanges, roughly corresponding to the fourth and fifth (and sometimes sixth) digits of the phone number. Each exchange is assigned to a single phone c
Re: (Score:2)
As such, of all the evil they can do with that information (cross-account linking, marketing) there are better ways for them to get location data (namely marketing an app using the collected phone numbers which uses GPS to 'fin
Re: (Score:2)
More often than not when I get someones cell number its from their home-town where they got their first cell phone 10 years ago... and no longer has any relation to where they are living presently.
But without a local number, it's more expensive for land line users "where they are living presently" to call them. Perhaps they keep the old number because family members back home still have a land line and friends "where they are living presently" have switched to cell-only.
Re: (Score:1)
Unless that landline is with literally any company but the local telco.
The people I know that have landlines have them through the cable company, and receive free long distance.
Where I work we used to have a landline solution (actually I think voip to analog over a T1 before better internet options were available), we paid long distance, but it was under a penny a minute.
Long distance is free, or essentially free, even on most landlines now.
Re: (Score:2)
This is what I was imagining the cell phone will send its location data as part of the application protocol somewhere. Sure you can get some location data from the phone number but my experience is like yours. If you go by the area code on my mobile you'll have me several states away.
Facebook and the sites that use this though don't want area code resolution data, they want street level anyway. Logon to facebook see ads for the restaurant down the block.
Re: (Score:2)
Thanks bud. The landline format isn't too dissimilar to what we use in Australia.
Very interesting point about cell phones; I wouldn't have guessed that. Ours have a location-independent prefix [wikipedia.org]
It's all clear now (Score:2)
Well, no!
Wow a reason to like Facebook Less (Score:2)
I don't log in as is. Now that it's a process to do so, I doubt it will increase my use.
Re: (Score:1)
fuck that. it's a reason to never ever EVER let ANYONE "borrow" your phone for ANY reason.. i don't care if your grandmother has fallen and can't get up or your kid has wandered off and you need to call them/look up their tracker. you are NOT using **MY** facebook password..err i mean phone.
Sounds familiar (Score:1)
Why don't they use one of the existing 'single logon' providers that already offer that?
But of course Google and MS are somewhat the competition. And they don't get your phone number to start selling it to SMS advertisers.
At least they're honest about it... (Score:1)
This is the biggest backdoor snooping for 3-letter agencies ever.
Since they can (legally) intercept this kind of traffic, all they need is
a phone # and a way to respond to an un-encrypted SMS message
on that phone # to have access to that account. My cat can do that.
CAP === 'pigskin'
One tier authentication (Score:1)
Congratulations. This is the dumbest idea. The SMS verification is only for extra security in normal places, not a replacement.
Google voice? Burner phone? (Score:2)
Re: (Score:2, Insightful)
Governments all over the world are working hard to close those loopholes. Soon you won't be able to buy a phone or SIM card without ID, and all the devices already out there will suddenly have their network access revoked until you register them with government-issued ID. If a tin pot dictatorship like Pakistan can pull this off, anybody can.
Re: (Score:3)
Re: (Score:2)
IIRC Google Boice can get SMS
If by "Boice" you meant Voice, this has two drawbacks. First, Google Voice is unavailable in most countries. Second, a lot of these SMS verification services have blacklisted Google Voice and "cheap VoIP" because of their weaker identity guarantees.
Re: (Score:1)
I second this.
I've been telephone free for two years now and haven't missed it for a moment.
It's the new "I don't own a TV [theawl.com]" :)
Re: (Score:2)
Unlimited Master Race too (Score:2)
That and even people who do have a phone may not be able to receive SMS on a land line. I tried associating my roommate's land line with my Twitter account but got a message that its carrier is not supported.
And even people who specifically have a cell phone are unlikely to be willing to pay upwards of 10 cents per received message.
Fair payment for service received (Score:2)
You're about to receive a lot more services (Score:2)
As SMS-only or two-factor authentication becomes more common, you will likely end up receiving several text messages per day, one for each service that you're logging in to. Then you might not be able to count on it still costing you $6 per month.
Which carrier, if I might ask? I too am on a la carte service, but Virgin raised its minimum payment to keep an account going from $16.something to $22.something per 90 days, or equivalently about $5.50 to $7.50 per month.
Re: (Score:2)
Because local calls to cell phones are free (Score:2)
In the United States, the cell phone subscriber is charged for airtime whether making or receiving a call. This was done to preserve land line subscribers' expectations that calls from land lines to local numbers will remain without charge, as airtime is considered more scarce than time on a local land line.
You call THAT 2FA?!? (Score:2, Interesting)
Congratulations Farcebook. You've managed to re-define two-factor authentication for the new generation who's too damn lazy to actually create and remember a secure password.
Your version of 2FA is now something you have, coupled with something you have.
All I need to do now to impersonate someone online is have their phone in my possession.
And of course the way the professional world these days hangs your career on your social media responsibility, you'll be fired within the hour for something you could ba
Re:You call THAT 2FA?!? (Score:5, Insightful)
SMS DoS made easy? (Score:3)
This doesn't seem like a simple way to send 100,000 to anyone who I might be wanting to abuse, does it?
In any case I hope they have tried to engineer some security and sanity checks into the system.
I would not want to be the unfortunate sod who has got a new cell phone and found out that the previous owner of that number has enabled this feature and forgot to update their Facebook profile when they changed cell phones - getting random authentication texts via Facebook for the rest of my life doesn't seem very pleasant.
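The summary describes the flow (user enters a phone number, the service sends a code by SMS, the user types it back) and the comments above and the "SMS DoS made easy?" post worry about someone burning a developer's quota or flooding a stranger's number with requests. The following is an added example, not Account Kit code (none appears on this page), showing the server side of such a flow written the way a practitioner would want it: codes generated from a CSPRNG, stored only as a keyed hash, single-use, time-limited, with a cap on failed guesses, and with per-number and global send limits. All names (SmsOtpService, the limit constants, the send_sms gateway callable) are assumptions for the example; the clock is injectable so the expiry and rate-limit behaviour can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy constants are assumptions chosen for the example, not Account Kit's values.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300             # a code is valid for five minutes
MAX_VERIFY_ATTEMPTS = 5            # then the challenge is burned
MAX_SENDS_PER_NUMBER_PER_HOUR = 3  # stops one victim number being flooded
MAX_SENDS_GLOBAL_PER_HOUR = 1000   # stops an attacker draining the monthly SMS quota


@dataclass
class Challenge:
    code_hash: bytes       # HMAC of the code, never the code itself
    expires_at: float
    attempts_left: int = MAX_VERIFY_ATTEMPTS


class SmsOtpService:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms      # callable(phone, text): the SMS gateway (assumed)
        self.clock = clock            # injectable for testing
        self.secret = secrets.token_bytes(32)  # per-deployment hashing key
        self.challenges = {}          # phone -> Challenge
        self.send_log = {}            # phone -> timestamps of recent sends
        self.global_sends = []        # timestamps of all recent sends

    def _hash(self, phone, code):
        # Keyed hash so a leaked challenge store does not reveal live codes.
        return hmac.new(self.secret, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def _recent(self, stamps, window=3600):
        now = self.clock()
        return [t for t in stamps if now - t < window]

    def request_code(self, phone):
        """Step 1: user submits a phone number. Returns a status string."""
        now = self.clock()
        per_number = self._recent(self.send_log.get(phone, []))
        if len(per_number) >= MAX_SENDS_PER_NUMBER_PER_HOUR:
            return "rate_limited"
        self.global_sends = self._recent(self.global_sends)
        if len(self.global_sends) >= MAX_SENDS_GLOBAL_PER_HOUR:
            return "quota_exhausted"
        # CSPRNG, zero-padded so "000123" is as likely as any other code.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # A new request replaces any outstanding challenge for this number.
        self.challenges[phone] = Challenge(self._hash(phone, code), now + CODE_TTL_SECONDS)
        self.send_log[phone] = per_number + [now]
        self.global_sends.append(now)
        self.send_sms(phone, f"Your login code is {code}")
        return "sent"

    def verify(self, phone, code):
        """Step 2: user types the code back. True on success; the code is single-use."""
        ch = self.challenges.get(phone)
        if ch is None:
            return False
        if self.clock() > ch.expires_at:
            del self.challenges[phone]
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(ch.code_hash, self._hash(phone, code))
        if ok or ch.attempts_left <= 0:
            del self.challenges[phone]   # burn on success or on too many failures
        return ok


if __name__ == "__main__":
    # Constructed demo: the "gateway" just collects messages in a list.
    outbox = []
    svc = SmsOtpService(lambda phone, text: outbox.append((phone, text)))
    print(svc.request_code("+15555550100"), outbox[-1])
    sent_code = outbox[-1][1].split()[-1]
    print("wrong code accepted:", svc.verify("+15555550100", "000000" if sent_code != "000000" else "000001"))
    print("right code accepted:", svc.verify("+15555550100", sent_code))
    print("replay accepted:", svc.verify("+15555550100", sent_code))
```

The per-number limit is what blunts the "enter as many phone numbers as I can find" abuse: a victim gets at most a few messages an hour, and the global cap bounds how much of the developer's quota any attacker can spend. Note what this does not fix: a code delivered to a SIM that has been swapped, cloned or infected is still a valid code, which is the point the "They don't have to steal your phone!" thread makes.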
Just another way to get my phone number (Score:3)
No, Facebook. You can't have my phone number....
use case (Score:2)
but at least I can imagine one possible use case... someone's at granny's house and wants to log into FB on some big screen device (Smart-tv, PC, granny's tablet) to show off holiday snaps.. but can't log into FB there because they can't remember their extra-secure 17-digit password, so they get a "cumbersome, one-off" PW through the (possibly not even "smart") phone in their pocket.
not that it's not ridi
Re: (Score:3)
And I'm sure we can agree that this is an absolutely horrible use case.
Facebook is slowly building its Walled Garden (Score:2)
How long will it be before facebook users never leave the facebook environment?
Re: (Score:2)
How long will it be before facebook users never leave the facebook environment?
Already. I see that happen all the time.
I use Facebook a lot for my business and from the questions I get on my posts it is clear that 1) people don't really read them (or maybe just the first 50 words or so) as the question is answered in the post already, and 2) they never follow links given, only when explicitly prompted to do so.
This is the real reason ... (Score:2)
... that Facebook bought Whatsapp. Whatsapp has been using this verification scheme for years.
Ubiquitous in China, FB aims at next billion users (Score:3)
This sort of authentication is very common in China, where your phone number is your identity for many purposes. With WeChat payments, your payment identity is even your phone number.
People who arrive at online connectivity via smartphones and messaging software don't have an email address and don't want one; their identity is their phone number. With all the problems that has, but those aren't problems they see at first (email also is not lacking in problems).
So this is Facebook aiming at being the auth service, and entry point to the Internet, for people who are newly connected to the Internet via smartphones. The next billion to be networked.
This is not aimed at anyone who uses Slashdot - if you read this, you're just not one of the people described above.
Have they fixed the 2014 SS7 hole yet? (Score:1)
Have they fixed this known problem [schneier.com] yet?
I'm sure this isn't the only known SS7 vulnerability out there.
If this gets popular, I predict a rash of SS7 zero-days in the coming years.
Oh, and I haven't even mentioned vendor-specific vulnerabilities in the implementation of SS7, VoIP (where applicable), cell-tower, and cellphone-handset technology.
is this new ? (Score:1)
I just had a WOW moment reading this post. Yesterday I used the Account Kit login to order some pizza and I was wondering what that was. Looks like iFood was quick to implement it. Kudos to them.
Why are you still using Facebook? (Score:1)
Re: (Score:1)
Come on, people, how much more invasion of your privacy are you going to put up with before you say enough is enough?
There is no limit. Whatsoever. As long as you wrap it up in a glossy ad campaign, people will do anything without a single moment of consideration for the future consequences.
How convenient (Score:2)
Especially when you have to wait for the SMS to show up. It's not guaranteed to be instantaneous. Your carrier could be busy.
What happens if you are someplace where the reception sucks and you can't get your SMS right away? Are they going to offer you an alternative way to log in? I'm only wondering because some applications and sites that currently use Facebook for access don't let you sign up/in with another method. Since I don't want Facebook tracking me I avoid those sites.
Jeez, just use an offline pass
Uh.... (Score:2)