Is Facebook's one-time password system safe?

Filed Under: Data loss, Facebook, Mobile, Social networks

Facebook announced a new feature yesterday which it says gives you another way to keep your social networking account secure.

According to Facebook, a one-time password will:

"..make it safer to use public computers in places like hotels, cafes or airports. If you have any concerns about security of the computer you're using while accessing Facebook, we can text you a one-time password to use instead of your regular password."

Facebook explains that by sending an SMS text message reading "otp" (one-time password, y'see?) to 32665 from your mobile phone, you'll be texted back a temporary password for your account that expires after 20 minutes. Of course, you'll need to have registered a mobile phone number with your account first.

That means that even if malware on the computer manages to grab the password as you type it in, what it has captured will only be valid for a short period of time.

The service isn't yet rolled out to everybody (and it's unclear to me whether it will work outside of the United States), but I have some concerns.


    1. How often have you mislaid your mobile phone? If you're anything like me, quite often I'll wager. If someone else is able to gain access to your phone (and you haven't locked it with a password to prevent SMS texts being sent) then that's an open door for mischief-makers to access your Facebook account. Of course, they would still need to know your email address - but if you leave your cellphone unattended in the workplace or at a social gathering then that shouldn't be too difficult for an unwanted intruder to determine.

    2. Do you know if you've registered your mobile phone number on Facebook? Would you notice if someone had changed it? Imagine a scenario where some "fraper" changes the mobile number associated with your account to one to which they have access. That would let them request a temporary password, and so get into your Facebook account, any time they liked.

    3. If you believe a computer might not be secure why are you using it to access Facebook? A temporary password may stop keylogging spyware giving cybercriminals a permanent backdoor into your account, but it doesn't stop malware from spying upon your activities online and seeing what's happening on your screen. What's so important to check on Facebook that you would risk using a PC that doesn't belong to you, and whose security you're unsure about?
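To make the mechanism and the second concern above concrete, here is a small constructed model of an SMS one-time-password flow of the kind the post describes. It is an added example, not Facebook's code (whose internals are not public): the 20-minute lifetime comes from the post, while the single-use rule, the 8-character code format, the phone numbers and the account name are assumptions made for illustration. The first scenario shows why a captured code is of limited value to a keylogger; the second shows that the temporary password is only as trustworthy as the registered mobile number, so an attacker who can rewrite that number can mint codes for the account.

```python
import hmac
import secrets
import string
import time

# Constructed model of an SMS OTP service (added example, not Facebook's code).
OTP_LIFETIME_SECONDS = 20 * 60          # the 20-minute validity the post quotes
OTP_ALPHABET = string.ascii_letters + string.digits
OTP_LENGTH = 8                          # assumed; the real format is not stated


class OTPService:
    """Issues short-lived, single-use passwords to the number registered on an account."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so tests can move time forward
        self.registered_numbers = {}        # account -> registered mobile number
        self.pending = {}                   # account -> (otp, expiry timestamp)

    def register_number(self, account, number):
        # Whoever can call this (legitimately or not) controls where codes go.
        self.registered_numbers[account] = number

    def request_otp(self, sender_number):
        """Simulates the user texting "otp" to the short code from sender_number."""
        for account, number in self.registered_numbers.items():
            if number == sender_number:
                otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
                self.pending[account] = (otp, self.clock() + OTP_LIFETIME_SECONDS)
                return account, otp         # in reality this is sent back by SMS
        return None                         # unknown number: nothing is issued

    def verify(self, account, candidate):
        """True only for the current, unexpired, not-yet-used code for the account."""
        entry = self.pending.get(account)
        if entry is None:
            return False
        otp, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[account]       # expired codes are discarded
            return False
        if not hmac.compare_digest(otp, candidate):
            return False
        del self.pending[account]           # single use: a replay must fail
        return True


def scenario_keylogger_replay():
    """Legitimate login succeeds; a replay of the captured code and a stale code do not."""
    now = [1_000_000.0]                     # fake clock, seconds
    svc = OTPService(clock=lambda: now[0])
    svc.register_number("alice", "+15555550100")            # constructed number

    account, otp = svc.request_otp("+15555550100")
    first_login = svc.verify(account, otp)                  # Alice logs in at the cafe
    replayed = svc.verify(account, otp)                     # keylogger replays the code

    account, otp2 = svc.request_otp("+15555550100")
    now[0] += OTP_LIFETIME_SECONDS + 1                      # 20 minutes pass
    expired = svc.verify(account, otp2)                     # captured but too late
    return first_login, replayed, expired                   # (True, False, False)


def scenario_number_swap():
    """An attacker who rewrites the registered number can mint valid codes at will."""
    svc = OTPService()
    svc.register_number("alice", "+15555550100")            # Alice's real number
    svc.register_number("alice", "+15555550199")            # attacker changes it

    issued = svc.request_otp("+15555550199")                # attacker texts "otp"
    if issued is None:
        return False
    account, otp = issued
    return account == "alice" and svc.verify("alice", otp)  # True: account taken over
```

The number-swap scenario is the point of concern 2: nothing in the code path checks that the person changing the registered number is the account owner, so the security of the temporary password rests entirely on the security of that setting.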

Yes, there is a very real problem with Facebook users accessing their accounts from insecure computers, and having their credentials stolen as a result. And Facebook's one-time password scheme does provide some protection against that.

But that doesn't mean that the one-time password system guarantees 100% security, and indeed - under some circumstances - it could be exploited by people who want to hack into your account.

Maybe next time you're in a cybercafe or sitting in front of an unknown computer you should just wait until you're on a PC that you're more confident has been kept up-to-date with anti-virus software and security patches. Now wouldn't that be a good idea?

If you want to learn more about security threats on Facebook, don't forget you can join the Sophos page on Facebook.



One Response to Is Facebook's one-time password system safe?

  1. Mark · 938 days ago

    By your logic, people should just cut the network connection from their computer and bury it in the back yard, because it *could* be insecure.

    If someone gets your mobile phone, your Facebook password, or their ability to reset it to a temporary password would likely not be at the top of your list of concerns.

    It is also not terribly hard to figure out if you have a mobile number registered in Facebook.

    What isn't clear is if your normal password still functions. If it does, it would be trivial to go disassociate your mobile number in Facebook to stop anyone from using this.

    As for "Why would you use any computer you think may be insecure?", that is rubbish as well. The prudent thing is to think that ANY computer you do not completely control is insecure. This simply thwarts password harvesting on a public computer or even your own computer on another network. There are perfectly valid reasons for using a public computer for facebook. If you are traveling and want to upload some pictures, send a message to someone letting them know you are ok since lots of people use FB messages instead of e-mail.

    Considering that Facebook is a free service, and few if any users would be willing to pay for let alone use a true one time password setup like SecureID, this is an excellent compromise for the vast majority of users.

    Seems to me that you are more against Facebook and regardless of what system they came up with, you would dismiss it. Most of your objections to this are based on things not even related to this like "Why would you do that", "What if you are like me and can't keep up with your phone?", none of which impact the validity of the system.


About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley