Facebook Introduces ‘Instant’ Two-Factor Authentication

Facebook has introduced a mobile login feature that allows users to take advantage of two-factor authentication without having to receive a text message.

The move is the latest effort by online services providers to find a balance between security and practicality at a time of increasingly frequent and large-scale data breaches.

Instant verification

Facebook made the change to Account Kit, a developer kit that implements features for logging into services via phone number and email, and which works with Facebook’s main login system.

If the new “instant verification” feature is switched on, when a user enters their mobile phone number into an app from an Android device, the service checks to see if the number matches the verified phone number listed on the person’s Facebook profile.

This can only be done if the user is logged into the Facebook application on the same Android device, Facebook software developer Ethan Goldman-Kirst said in a blog post.

If there is a match, Facebook completes the verification without sending a one-time password via SMS.

“If there isn’t a successful match, a SMS will be sent with a verification code to complete the sign-in,” Goldman-Kirst wrote. “This feature is used only to improve the verification process in a secure way and no additional Facebook information is shared with the app.”

Security risk?

He said the feature is intended to “streamline the login process and rely less on SMS for those signing in with their phone number”. The company posted a video demonstrating how the feature works.

The change is intended to allow two-factor authentication to be used with less inconvenience to users, but one industry observer warned that the ease of use brings additional security risks with it.

An attacker could target someone’s mobile phone and abuse instant verification to log into multiple web accounts to collect their personal information, said security journalist David Bisson in a blog post.

An attacker who had gained access to a person’s Facebook account could change the saved mobile phone number, preventing the user from accessing accounts elsewhere, he said.

“To me, Instant Verification and Account Kit both feel a lot like reusing a single password across multiple accounts,” he wrote. “It’s convenient for sure, but it comes with a single point of compromise: a mobile phone and its corresponding contact number. If mobile users aren’t already dedicating enough attention to protecting their mobile devices or web accounts, is streamlining mobile logins using instant verification the best answer?”

Do you know all about security in 2016? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

View Comments

  • Typical security 'experts' at work. You either use two factor authentication or you don't. This watering down is just plain silly to say the least, lot better to just stick with secure password, and offer proper two factor authentication for those who want the extra security. Not everyone will!

Recent Posts

Marriott Agrees To Pay $52 Million To Settle Data Breaches

To settle US federal and state claims over multiple data breaches, Marriott International agrees $52…

2 days ago

Tesla Shares Drop After Cybercab Unveiling

Mixed reactions as Elon Musk hypes $30,000 'self driving' robotaxi called Cybercab, as well as…

2 days ago

AMD Launches New AI, Server Chips To Expand Nvidia Challenge

AMD unveils new AI and data centre chips as it seeks to improve challenge to…

3 days ago

Chinese Hackers Breach US Wiretap Systems – Report

AT&T and Verizon among US broadband providers reportedly hacked to target American government wiretapping platform

3 days ago