Facebook isn’t going to ask new users for their email password anymore, it said on Tuesday after a furious backlash.
A Twitter user called out the practice on Sunday, calling it “a HORRIBLE idea from an #infosec point of view.”
What Facebook called a “very small group of people” were getting prompted to enter the password for their personal email when they tried to verify new accounts, rather than the typical verification email or code sent to new users’ phones.
As The Daily Beast first reported, small print below the password field promised that “Facebook won’t store your password.”
You can certainly see why people might not have been reassured by that small text: passwords are supposed to be a secret you share with the service you create them for, and nobody else.
Besides which, Facebook has shown itself to be untrustworthy when handling passwords: one example is the passwords we use in two-factor authentication (2FA).
Another example is what Facebook admitted, a few weeks ago, are potentially hundreds of millions of places where it saved users’ passwords to disk in raw, unencrypted form.
Facebook dropped the request for email credentials like the hot potato it is, sending out this statement on Tuesday:
We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.
Swear an OAuth
Facebook didn’t name a specific number of people who got the request for email logins, but it did clarify why they were singled out: namely, the alternative verification was originally designed for people signing up on a web browser and using email providers that don’t support OAuth, an open-source protocol that acts as a key for logins.
OAuth is commonly used as a way to give websites or applications access to information on other websites but without handing over passwords. If you’ve ever signed into a website using Facebook, Google or Twitter, you’ve used OAuth.
Which email providers don’t use OAuth? I couldn’t find any corresponding list, though you can find a smattering of discussion online around whether Thunderbird does (it does support OAuth, though a few months ago, a Mozilla moderator noted in a support forum that the developers had recently changed the code related to OAuth, which may or may not have led to a cluster of people experiencing OAuth authentication failures).
At any rate, back to Facebook: on one hand, it’s facing demands that it cut down on fake accounts, be it to fend off Russians tampering with elections or the spread of fake news. On the other hand, people are put off by the notion of having to hand it the information it says it needs for authentication purposes.
What’s a poor, wildly popular, widely government-poked, admittedly privacy-fumbling platform to do?
Not THIS, Facebook said in the statement emailed to news outlets on Tuesday.
We can’t blame users for being suspicious, even if there’s no proof that Facebook was hoovering up their email login credentials. But it’s good that the platform stopped the practice (in favor of what we hope will be an alternative, reliable way to authenticate new users – one that doesn’t make people flinch and clutch their logins).
Asking for credentials is a bad look for Facebook, and it’s not a good habit for users to get into.