Facebook announced a new feature that claims to give users an additional method to keep their social networking account secure. Facebook claims that its new one-time password feature will make it safer to use Facebook on computers in public places such as hotels, cafes or airports – as users can now request to receive a temporary password by SMS message which expires after 20 minutes.
However, Graham Cluley, senior technology consultant at IT security product firm Sophos, warns that Facebook’s one-time password feature could in fact result in further security concerns for users.<br><br>"If you believe a computer might not be secure in the first place, why would you use it to access personal accounts such as Facebook? A temporary password may stop keylogging spyware giving cybercriminals a permanent backdoor into your account, but it doesn’t stop malware from spying on your activities online and seeing what’s happening on your screen," said Cluley. "Furthermore, if you’re anything like me, it’s likely that you’ve mislaid your mobile phone from time to time. If someone else can gain access to your phone and send a text message, your Facebook account will be unlocked."<br><br>"There’s a simple lesson that everyone needs to learn. Never visit websites like Facebook from computers that may not be running adequate anti-virus software or security patches. If you don’t trust the PC, don’t use it to access Facebook – even if you do have a temporary password," added Cluley. "Instead, wait until you have access to a trusted PC, rather than risking sharing your personal information with unknown others. There’s a real danger that the one-time-password system will be viewed as a green light by Facebook users to access their accounts from unsafe PCs."<br><br>More information about the risks can be found on Graham Cluley’s blog at:<br>http://www.sophos.com/blogs/gc/g/2010/10/13/facebooks-onetime-password
Following that announcement that Facebook plans to launch a one-time password option to their users, Stephen Howes, Founder of GrIDsure, the alternative to PINs and passwords. said: "Facebook’s move is definitely a positive one and it’s encouraging that major online brands are finally realising that passwords definitively do not provide adequate security in today’s online world. However, with an ‘opt-in’ service like this, Facebook is still leaving security in the hands of its users and the texting service might not be popular as it adds an extra layer of inconvenience to the login process. Facebook is suggesting that this additional feature will only be for logging on in public places, but my hunch is that most users will not want to wait the extra seconds required to receive a text message before accessing their list of friends.
“Ultimately, Facebook’s default system is still completely reliant on passwords, which they acknowledge can be easily compromised. These major online brands need to put in place holistic one-time passcode solutions that are easy to use, offer enhanced security to users and don’t cost too much for the service provider to implement.”
