Thursday, October 14, 2010


Two new security features on Facebook are welcome signs that the company takes privacy and security seriously, but for me they raise as many questions as they answer.
The main change is the addition of optional one-time passwords (OTP). If you're on a computer you don't trust, such as a kiosk or one in a cafe, and you don't want to enter your password, you can request a one-time password (by texting "otp" to 32665 from a US mobile phone). The OTP is returned as a reply text message. The user can then log in from any computer, and the OTP is good for 20 minutes.
On the one hand I am impressed and tempted to ask why Facebook is able to do this when none of the major US banks can. On the other hand, there's a good reason why US banks don't implement one-time passwords exactly this way: If you were to lose your phone, even for a brief period, your account could be compromised.
Here's how it works: You go away, maybe to the bathroom, and leave your phone behind. Someone who knows your e-mail address picks up your phone and requests a one-time password. They can then log into your Facebook account from any computer for 20 minutes.
The theory behind one-time passwords in most cases is to add a second factor to authentication, not to replace the one factor with a different single factor. In security terminology the OTP adds something you have (your phone) to something you know (your password). Facebook is doing this to save you from having to enter your password on a strange computer, not to strengthen authentication.
They could mitigate the problem of lost phones by always issuing a challenge question, what they call your Security Question on the Account Settings page. Facebook hasn't yet responded to my questions about it. I'd test it myself, but one-time passwords are being rolled out gradually and haven't reached my account yet. (I'll update this entry if they reply.)
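The difference between the flow described above and the mitigation just proposed is easier to see in code. What follows is an added example, not Facebook's code: a small model of the SMS OTP service, with the OTP-only login beside a hardened login that also demands the security-question answer. The phone numbers, e-mail address, eight-digit code format, hashing parameters and injectable clock are all assumptions made for the demonstration; the 20-minute validity is the one the post reports.

```python
"""Model of the SMS one-time-password flow described above, beside a
hardened variant that also demands the security-question answer.
Added example, not Facebook's code: the phone numbers, e-mail addresses,
code format and clock are constructed for the demonstration."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 20 * 60  # the 20-minute validity the post describes


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise the answer so "Rex" and " rex " match, then stretch it.
    normalised = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 10_000)


class OtpService:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self.users = {}         # phone -> account record
        self.issued = {}        # otp code -> (phone, expires_at)

    def register(self, phone, email, answer):
        salt = secrets.token_bytes(16)
        self.users[phone] = {"email": email, "salt": salt,
                             "answer_hash": _hash_answer(answer, salt)}

    def request_otp(self, phone):
        """What texting 'otp' to the short code does: anyone holding the
        handset can trigger this and read the reply."""
        if phone not in self.users:
            return None
        code = f"{secrets.randbelow(10**8):08d}"   # 8 digits is an assumption
        self.issued[code] = (phone, self.now() + OTP_TTL_SECONDS)
        return code   # in reality returned by SMS, never to the web client

    def _consume(self, email, code):
        """Single use and time-limited; returns the phone the code was issued to."""
        entry = self.issued.pop(code, None)   # pop: a code can never be replayed
        if entry is None:
            return None
        phone, expires_at = entry
        if self.now() > expires_at or self.users[phone]["email"] != email:
            return None
        return phone

    def login_otp_only(self, email, code):
        """The flow as described: the OTP *replaces* the password, so
        possession of the phone plus knowledge of the e-mail address is enough."""
        return self._consume(email, code) is not None

    def login_otp_plus_question(self, email, code, answer):
        """Hardened flow: the code (something you have) is only accepted
        together with the security-question answer (something you know).
        The code is consumed even on a wrong answer, so one code cannot be
        used to guess at the answer repeatedly."""
        phone = self._consume(email, code)
        if phone is None:
            return False
        user = self.users[phone]
        return hmac.compare_digest(_hash_answer(answer, user["salt"]),
                                   user["answer_hash"])


def demo():
    """Replays the unattended-phone scenario against both flows."""
    clock = [1_700_000_000.0]
    svc = OtpService(now=lambda: clock[0])
    svc.register("+15555550100", "alice@example.com", "Rex")
    # Thief picks up the phone, texts 'otp', reads the reply, knows the e-mail.
    code = svc.request_otp("+15555550100")
    thief_otp_only = svc.login_otp_only("alice@example.com", code)
    # Same thief against the hardened flow, guessing the answer.
    code = svc.request_otp("+15555550100")
    thief_hardened = svc.login_otp_plus_question("alice@example.com", code, "Fido")
    # The owner, with the answer, gets in; the code cannot be reused.
    code = svc.request_otp("+15555550100")
    owner_hardened = svc.login_otp_plus_question("alice@example.com", code, " rex ")
    replay = svc.login_otp_plus_question("alice@example.com", code, " rex ")
    # A code that sat for longer than 20 minutes is dead.
    code = svc.request_otp("+15555550100")
    clock[0] += OTP_TTL_SECONDS + 1
    expired = svc.login_otp_only("alice@example.com", code)
    return {"thief_otp_only": thief_otp_only, "thief_hardened": thief_hardened,
            "owner_hardened": owner_hardened, "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the post in one dictionary: the thief holding the phone succeeds against the OTP-only flow and fails against the hardened one, while single use and the 20-minute expiry hold in both. Note that a security question is still a weak "something you know"; the example is about restoring a second factor, not endorsing that particular factor.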
The other thing about the OTP setup on Facebook is that after you do it, you're set up by default to receive numerous other notifications via text message. Rob Pegoraro has a notification for Facebook management: "When users add their mobile numbers on an account-recovery page, it's sleazy and self-serving to assume they want to be texted about non-security issues." Hear, hear, Rob.
The other major new feature is that you can disconnect other open Facebook sessions by going to your Account Settings > Account Security page. There you will find a list of sessions, potentially opened weeks ago on computers far, far away. It's possible for someone else at one of those computers to take control of that session and, thereby, your Facebook account.

Now you have the option of disconnecting those sessions, but I'm disturbed to find that they don't disconnect automatically after some fairly brief period. Being able to disconnect sessions is great, but mostly this change exposes the other poor security decisions by Facebook.
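To make the complaint concrete, here is an added example (not Facebook's code) of a session store that does what the post asks for: it expires sessions on its own after a period of inactivity and after an absolute lifetime, shows the user where their sessions are without exposing the tokens, and lets one session disconnect all the others. The 30-minute idle timeout, the two-week lifetime, the addresses and the user agents are assumptions chosen for the demonstration.

```python
"""Session store with automatic idle expiry and remote revocation.
Added example, not Facebook's code; the timeouts, addresses and
user agents below are assumptions."""
import secrets
import time

IDLE_TIMEOUT = 30 * 60              # assumption: 30 minutes without a request
ABSOLUTE_LIFETIME = 14 * 24 * 3600  # assumption: re-authenticate after two weeks regardless


class SessionStore:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self._sessions = {}     # opaque token -> session record

    def create(self, user, ip, user_agent):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, unguessable
        t = self.now()
        self._sessions[token] = {"user": user, "ip": ip, "user_agent": user_agent,
                                 "created": t, "last_seen": t}
        return token

    def _expired(self, s):
        t = self.now()
        return (t - s["last_seen"] > IDLE_TIMEOUT
                or t - s["created"] > ABSOLUTE_LIFETIME)

    def authenticate(self, token):
        """Called on every request. Returns the user, or None if the token is
        unknown, idle too long, or past its absolute lifetime. Expired sessions
        die here, not when the user eventually finds them on a settings page."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._expired(s):
            del self._sessions[token]
            return None
        s["last_seen"] = self.now()
        return s["user"]

    def list_for_user(self, user):
        """What an 'Account Security' page would show: where and how idle,
        never the tokens themselves, which would let one session hijack another."""
        self._purge()
        return [{"ip": s["ip"], "user_agent": s["user_agent"],
                 "idle_seconds": int(self.now() - s["last_seen"])}
                for s in self._sessions.values() if s["user"] == user]

    def revoke_others(self, user, keep_token):
        """'Disconnect other sessions': kill every session of this user
        except the one doing the asking. Returns how many were removed."""
        doomed = [tok for tok, s in self._sessions.items()
                  if s["user"] == user and tok != keep_token]
        for tok in doomed:
            del self._sessions[tok]
        return len(doomed)

    def _purge(self):
        for tok in [tok for tok, s in self._sessions.items() if self._expired(s)]:
            del self._sessions[tok]


def demo():
    """A user with a laptop at home and a kiosk session she forgot to close."""
    clock = [1_700_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    home = store.create("alice", "203.0.113.5", "Firefox/3.6")        # her own laptop
    cafe = store.create("alice", "198.51.100.77", "IE/8.0 (kiosk)")    # left logged in at a cafe
    clock[0] += 10 * 60
    store.authenticate(home)                      # she keeps browsing from home
    clock[0] += 21 * 60                           # the kiosk has now sat idle for 31 minutes
    cafe_after_idle = store.authenticate(cafe)    # None: expired without her doing anything
    home_after_idle = store.authenticate(home)    # "alice": still active, it was used
    library = store.create("alice", "192.0.2.9", "Chrome/6.0")   # another stray session
    before = len(store.list_for_user("alice"))
    revoked = store.revoke_others("alice", keep_token=home)      # clicked from the laptop
    after = len(store.list_for_user("alice"))
    library_after_revoke = store.authenticate(library)
    return {"cafe_after_idle": cafe_after_idle, "home_after_idle": home_after_idle,
            "sessions_before": before, "revoked": revoked,
            "sessions_after": after, "library_after_revoke": library_after_revoke}


if __name__ == "__main__":
    print(demo())
```

The design point is that expiry is enforced in `authenticate`, on the server, at every request; the settings page is a convenience for the cases the timeouts have not yet caught, not the primary control. Whatever idle timeout a site chooses, a kiosk session that nobody has touched for weeks should never still be live.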
The last change Facebook announced is that they will regularly remind users, when they log in, to update their security information, such as their security question, mobile phone number (for identification in case the password is lost) and e-mail addresses (for the same reason).
But regarding the first two, more interesting changes, I have to agree with Rob Pegoraro again when he says that "...they suffer the generic defect of all optional security features: The people most likely to take these extra steps are often the ones less likely to get hoodwinked by a hack."