Facebook has launched two new security features to help users stay in control of their accounts. Users can now receive a one-time password from Facebook via text message, and file security information to aide with account retrieval. The previously announced security feature which allows users to end Facebook sessions remotely has now been rolled out to all users. While these features should help most users, there is potential for abuse of one-time passwords.
By texting “otp” (for “one-time password”) to Facebook’s text message short code 32665 (FBOOK), users are texted back an alphanumeric, case-sensitive password which can only be used to log in to their account once and which expires 20 minutes after it’s received. Users must text from a phone number they have registered with their account via Account->Account Settings->Mobile.
One-time passwords help alleviate user worries about logging in on insecure machines such as “public computers in places like hotels, cafes or airports.” This prevents users from needing to change their persistent password as frequently. However, this means that if someone steals your phone, they’ll be able to get a one-time password and access your account. Users should make sure to remove phone numbers from their account which they don’t have access to, such as the number of a lost phone until they have called their mobile phone operator and remotely deactivated the phone’s sim card.
The new security information feature allows users to enter additional email addresses, mobile phone numbers, and security questions which can help Facebook verify a user’s identity. This way a user can be swiftly returned control of their account should they lose access. While there is currently no link to the security information page from the Account->Account Settings->Settings->Account Security panel, users can visit the page at the URL http://www.facebook.com/update_security_info.php. Users will also be regularly prompted to update this info upon logging in.
Recently some users have been locked out of their account by the photo identification verification security feature. The feature requires users to name friends based on the profile pictures of those friends, but profile pictures don’t always show a user’s face, and some users have many friends from social games who they couldn’t identify from a photo. Security information should give users alternative methods of reclaiming their accounts. Registering additional email addresses also prevents malicious parties from using unregistered addresses to create a fake account posing as you.
Lastly, all users can now terminate active Facebook sessions on other machines. This way, if a user forgets to log out of their account after signing in on a friend’s phone or a public computer, they can log out remotely. Users can view and terminate active sessions via the Account->Account Settings->Settings->Account Security panel.
As users increasingly invest time, establish a social graph, store credit card info, deposit money through Facebook Credits, and maintain their reputation through their Facebook account, losing access becomes more costly. Facebook is trying to offer better account security, balanced against the introduction of new security threats and erroneous lockouts.