On Facebook’s One Time Password Scheme
Regarding the post by Beth Jones over at Dark Reading today, "Facebook One-Time Password: Gold or Pyrite?": Jones agrees with another commentator that this (Facebook one-time passwords) might not be a very wise idea, as losing phones could result in security breaches of the users' Facebook accounts.
A few issues with this, though. Firstly, the phone would have to be taken by a malicious attacker. I still have some faith in humanity left, and from what I've seen, the vast majority of people would simply try to get the phone back to its owner. Secondly, if the phone WAS taken by a malicious user, there is no guarantee that they would think to check whether the phone was set up to use this new feature. Finally, more and more handheld devices are coming with a password-like PIN required to unlock them.
What these commentators need to do is think about whether the net gain is going to outweigh the net loss. Yes, phone losses will result in some Facebook account compromises. However, the number of account break-ins that will be prevented due to fewer keylogging incidents will almost certainly outweigh that.
Note also that many people use the same password on multiple accounts, and attackers know that. So the actual impact of minimizing keylogging attacks could be much larger than it might seem.