The ‘instant verification’ feature allows users to log into services using their phone number without having to receive a text message
Facebook has introduced a mobile login feature that allows users to take advantage of two-factor authentication without having to receive a text message.
Facebook made the change to Account Kit, a developer kit that implements features for logging into services via phone number and email, and which works with Facebook’s main login system.
If the new “instant verification” feature is switched on, when a user enters their mobile phone number into an app from an Android device, the service checks to see if the number matches the verified phone number listed on the person’s Facebook profile.
This can only be done if the user is logged into the Facebook application on the same Android device, Facebook software developer Ethan Goldman-Kirst said in a blog post.
If there is a match, Facebook completes the verification without sending a one-time password via SMS.
“If there isn’t a successful match, a SMS will be sent with a verification code to complete the sign-in,” Goldman-Kirst wrote. “This feature is used only to improve the verification process in a secure way and no additional Facebook information is shared with the app.”
He said the feature is intended to “streamline the login process and rely less on SMS for those signing in with their phone number”. The company posted a video demonstrating how the feature works.
The change is intended to allow two-factor authentication to be used with less inconvenience to users, but one industry observer warned that the ease of use brings additional security risks with it.
An attacker could target someone’s mobile phone and abuse instant verification to log into multiple web accounts to collect their personal information, said security journalist David Bisson in a blog post.
An attacker who had gained access to a person’s Facebook account could change the saved mobile phone number, preventing the user from accessing accounts elsewhere, he said.
“To me, Instant Verification and Account Kit both feel a lot like reusing a single password across multiple accounts,” he wrote. “It’s convenient for sure, but it comes with a single point of compromise: a mobile phone and its corresponding contact number. If mobile users aren’t already dedicating enough attention to protecting their mobile devices or web accounts, is streamlining mobile logins using instant verification the best answer?”
Do you know all about security in 2016? Try our quiz!