More Ways to Stay Secure (Facebook introduces one-time passwords, global logout) - Timothee
http://blog.facebook.com/blog.php?post=436800707130

======
gcr
This is not two factor authentication, this is merely trading one factor (your
password) for another factor (your telephone). In proper two-factor
authentication, you should be required to enter your real password into your
phone and THEN get a one-time password back out (your telephone is a trusted
device).

My teenage friends trade phones all the time and they constantly nab them out
of pockets, backs, purses, etc. for a few seconds. This change makes it
trivially easy to steal someone's credentials.

~~~
tptacek
Since they didn't call it two-factor authentication, it's not fair to whack
them for not implementing two-factor authentication. It's "I'm at someone
else's computer" authentication, and it's a fine idea.

Within the next 2 years, most everyone's phone will _already be logged in to
Facebook_, as smartphones become as cheap as iPods, mooting the latter
concern. Regardless, if you can't safely use the feature, you'd be well
advised not to use it.

~~~
Groxx
I remember claims from a couple of years ago that, by now, cell phones would
cost $10 and the batteries would last for weeks.

My phone dies in 3 days if I have Bluetooth on, and it cost $60 for the
one-step-above-dirt phone after a 2-year contract got me a discount.

Also, how many people do you think are "well advised" of safely using security
features? Even simple ones? Who _don't_ see Facebook as one gigantic privacy /
security geyser? I.e., non-security-aware-geek-types? This is a minor, arguable
security improvement and a _major_ feel-good for people who don't know any
better, and not much else.

~~~
gcr
You say that most people don't understand security, and unfortunately, you're
exactly right. So why do those who know better intentionally choose to make
things /less/ secure but market it as /increasing/ security?

------
cosgroveb
I was very pleasantly surprised to see the Activity in my account a few days
ago. I know Gmail got there first a long time ago but it's very nice to have.

Now if I ever use it... It is hard to get to. I find that I peek at my Gmail
activity more with the link on the bottom.

------
ammmir
OTP is great stuff, but it's a long way from becoming mainstream if it's kept
hidden and difficult to use. The first hurdle is getting people to understand
why they would want to use it.

On an unrelated note, is anyone tackling comment spam by ignorant humans
that's not relevant to the article? Just look at the comments on the blog post
to see what I mean.

------
asmosoinio
--- Simply text "otp" to 32665 on your mobile phone, [...]. We're rolling
this out gradually, and it should be available to everyone in the coming
weeks. ---

To everyone in what countries? I guess US users only?

~~~
abraham
I would presume anyone who has mobile support for Facebook.

------
SteveArmstrong
Doesn't this mean that if someone steals your phone, they can easily log into
your Facebook and take over the account (change your real password and
e-mail)?

~~~
DavidSJ
If they have your phone, they can likely read your email and have your
password reset or email address changed anyway.

------
lwhi
So now your Facebook account is only as secure as your phone; after all, a
chain is only as strong as the weakest link.

~~~
danielha
If someone stole my phone, the last thing I'd give a crap about is my Facebook
account.

When someone steals your phone, you can suspend your mobile service. You can
also disassociate the number from Facebook.

~~~
lwhi
Chances are you wouldn't even know your phone had gone missing.

The perpetrator 'borrows' your phone, sends a one-shot password request,
logs in to your account and deletes the message. You find your phone where you
left it and are none the wiser.

------
ax0n
"Secure" and "Facebook" in the same headline. Please allow me to regain my
composure. To elaborate, I measure security by three metrics: Confidentiality,
Integrity, and Availability. Facebook has been fighting Confidentiality tooth
and nail since its inception. Therefore, I say Facebook wholly fails the
security test.

If you want confidentiality, you have to be certain to share only that which
you are comfortable being made totally public. This goes for information
written or spoken pretty much anywhere. Long gone are the days of ephemeral
communication.

For what it's worth, Facebook's Availability (uptime) is pretty good, and
these measures have the potential to improve Integrity, but only if
implemented and used properly both by Facebook and the end users.

~~~
tptacek
A nonsensical comment. Software security is one of the many things that can be
purchased using money. Facebook has a lot of money, and they have used it to
buy serious software security talent. I trust Facebook with my data more than
I trust WePay. And I like WePay.

~~~
Groxx
Trust them to _do what_, precisely? Give it away for free, when they change
your security settings to "public" by default, while doing a good job at
preventing people from hacking in to get almost identical information?

~~~
ax0n
That was mostly my point to begin with. At best, these new "security" controls
prevent attackers from stealing my account and defacing my data. Facebook
loses the confidentiality battle and thus the war.

~~~
tptacek
So, we're not allowed to reason about the security of Facebook's actual
software, because you disagree with their business practices? Sorry, it simply
does not follow that because they don't revere your privacy as much as you do
that their service must be insecure.

~~~
ax0n
You're allowed to reason about the security of Facebook's software. I simply
posit that the security of their software makes little difference when they've
already taken a compromising stance with their business practices. Also, I
don't disagree with their business practices. It's their place. They can run
it however they like, just as pg runs this place however he likes. I respect
that, and I compensate by being cautious (and wish more people would do the
same).

Notice that throughout the entirety of this, I've stated my opinion. No more,
no less. I even lauded this move as a way to potentially increase Integrity
assuming proper implementation and use, yet I get buried.

