Facebook Introduces One-time Passwords and Remote Log-out

Hot on the heels of my last post about Facebook’s Suspicious Login Tracking,the social networking site has just introduced two additional authentication/session security mechanisms. The first news item is the introduction of one-time passwords, with the aim of increasing account security for those who log into Facebook on public or shared computers.

The proposed one-time password mechanism would require you to register your mobile phone number with Facebook. You would then be able to text “otp” to 32665 (currently U.S. only), and Facebook would send back a single-use password for your account that expires after 20 minutes. This feature will become available in the coming weeks.

Although it’s a good idea in theory, and helps mitigate against malware or key loggers, it also makes targeted attacks more easy to perform. It is easy to lose one’s phone, or even leave it unattended. If an attacker can get to your phone for a minute, they may be able to get a one-time password for your account. How Facebook actually implements this remains to be seen.

The second feature they introduced, available now, is the ability to remotely sign-out a session. Remember that time you logged in to Facebook at your friend’s house, and forgot to log out, resulting in a slew of embarrassing posts and images being posted on your behalf? With this feature you may have been able to prevent that by logging in to Facebook and then killing that session. I think this is a great feature, and would be useful in other long-session-based services such as Gmail.

You can find this by going to Account -> Account Settings ->Account Security. Your current session will be showed under ‘Most Recent Activity’. If you see anything under ‘Also Active’ that you don’t recognise, just click ‘end activity’ and Facebook will delete the server-side session ID for that session.