
October 14, 2010


Facebook Introduces One-time Passwords and Remote Log-out

Hot on the heels of my last post about Facebook’s Suspicious Login Tracking, the social networking site has just introduced two additional authentication/session security mechanisms. The first is the introduction of one-time passwords, aimed at increasing account security for people who log into Facebook on public or shared computers.

The proposed one-time password mechanism would require you to register your mobile phone number with Facebook. You would then be able to text “otp” to 32665 (currently U.S. only), and Facebook would send back a single-use password for your account that expires after 20 minutes. This feature will become available in the coming weeks.
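The two properties the post describes, single use and a 20-minute lifetime, are cheap to get right on the server side but easy to get subtly wrong (a code that survives a successful login, or one that can be brute-forced at leisure). The following is an added example of how such an issuer might look; it is not Facebook's code, and the phone-to-account lookup, the hash-only storage and the five-guess cap are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Taken from the post: the code is single-use and expires after 20 minutes.
OTP_TTL_SECONDS = 20 * 60
# Assumption for this example: discard a code after a few wrong guesses.
MAX_ATTEMPTS = 5
# Unambiguous alphabet (no 0/O, 1/I) so the code survives being read off a phone screen.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class OtpService:
    """Hypothetical server side of the 'text otp to 32665' flow.

    Stores only a hash of the outstanding code per account, together with
    the time it was issued and how many guesses have been made against it.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can fast-forward time
        self._phones = {}            # account -> registered phone number (assumed store)
        self._pending = {}           # account -> [digest, issued_at, attempts]

    def register_phone(self, account: str, phone: str) -> None:
        self._phones[account] = phone

    def request_otp(self, sender_phone: str):
        """Called when an SMS 'otp' arrives. Returns the code to text back,
        or None if the sending number is not registered to any account."""
        account = next((a for a, p in self._phones.items() if p == sender_phone), None)
        if account is None:
            return None
        code = "".join(secrets.choice(ALPHABET) for _ in range(8))
        # A fresh request replaces any earlier outstanding code for the account.
        self._pending[account] = [_digest(code), self._clock(), 0]
        return code

    def verify(self, account: str, code: str) -> bool:
        """Accept the code at most once, and only within the 20-minute window."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, issued_at, attempts = entry
        if self._clock() - issued_at > OTP_TTL_SECONDS:
            del self._pending[account]          # expired: forget it
            return False
        if hmac.compare_digest(digest, _digest(code)):
            del self._pending[account]          # single use: burn it on success
            return True
        entry[2] = attempts + 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[account]          # too many guesses: burn it as well
        return False
```

Note what the server cannot do here: it has no way to tell whether the person holding the registered phone is its owner, which is exactly the weakness discussed below.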

Although it’s a good idea in theory, and helps mitigate malware or key loggers on the shared machine (a captured code is useless once it has been used or has expired), it also makes targeted attacks easier to perform. It is easy to lose one’s phone, or even leave it unattended. If an attacker can get hold of your phone for a minute, they can text 32665 themselves and receive a valid one-time password for your account. How Facebook actually implements this remains to be seen.

The second feature, available now, is the ability to remotely sign out a session. Remember that time you logged in to Facebook at your friend’s house and forgot to log out, resulting in a slew of embarrassing posts and images being posted on your behalf? With this feature you could have prevented that by logging in to Facebook from elsewhere and killing that session. I think this is a great feature, and would be useful in other long-session-based services such as Gmail.


You can find this by going to Account -> Account Settings -> Account Security. Your current session will be shown under ‘Most Recent Activity’. If you see anything under ‘Also Active’ that you don’t recognise, just click ‘end activity’ and Facebook will delete the server-side session for that session ID, so the cookie on the other machine stops working on its next request.
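The operations behind that settings page are a session table keyed by an unguessable ID, a listing split into the requesting session and the rest, and a revocation that is only authorised for sessions of the same account. The following is an added example of such a registry, not Facebook's implementation (the post does not describe it); it also includes the "sign out all other sessions" variant mentioned in the comment below. The field names and the token format are assumptions.

```python
import secrets
import time


class SessionRegistry:
    """Hypothetical server-side session table behind an 'end activity' button.

    Shows the operations the settings page needs: list an account's sessions,
    kill one of them, or kill everything except the session making the request.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session_id -> {account, ip, created, last_seen}

    def login(self, account: str, ip: str) -> str:
        sid = secrets.token_urlsafe(32)   # unguessable server-side session ID
        now = self._clock()
        self._sessions[sid] = {"account": account, "ip": ip,
                               "created": now, "last_seen": now}
        return sid

    def is_valid(self, sid: str) -> bool:
        """Every authenticated request should pass through this check, so a
        deleted session stops working on the very next request."""
        return sid in self._sessions

    def touch(self, sid: str) -> None:
        if sid in self._sessions:
            self._sessions[sid]["last_seen"] = self._clock()

    def list_sessions(self, current_sid: str):
        """Split into the requesting session ('Most Recent Activity') and the
        rest of that account's sessions ('Also Active'), newest first."""
        current = self._sessions.get(current_sid)
        if current is None:
            return None, []
        others = [(sid, s) for sid, s in self._sessions.items()
                  if s["account"] == current["account"] and sid != current_sid]
        others.sort(key=lambda kv: kv[1]["last_seen"], reverse=True)
        return current, others

    def end_activity(self, current_sid: str, target_sid: str) -> bool:
        """Kill one session. The authorisation check is that the target belongs
        to the same account as the (still valid) session making the request."""
        current = self._sessions.get(current_sid)
        target = self._sessions.get(target_sid)
        if current is None or target is None or target["account"] != current["account"]:
            return False
        del self._sessions[target_sid]
        return True

    def end_all_others(self, current_sid: str) -> int:
        """The 'sign out all other sessions' variant; returns how many were killed."""
        current = self._sessions.get(current_sid)
        if current is None:
            return 0
        victims = [sid for sid, s in self._sessions.items()
                   if s["account"] == current["account"] and sid != current_sid]
        for sid in victims:
            del self._sessions[sid]
        return len(victims)
```

The important detail is that revocation is keyed on the server-side record, not on anything the client holds: the cookie at the friend's house is untouched, it simply stops matching a live session.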

1 Comment
  1. Mar 22 2012

    Gmail has actually had this feature for quite a while. Just look at the bottom of your Gmail inbox, and you’ll see information about your last log-in. Click on the details link and a pop-up will display the last 10 logins, their associated IP address/location, and the last time activity occurred via that login.

    It will also reveal a button called “Sign out all other sessions”



