Facebook Introduces ‘Instant’ Two-Factor Authentication

Facebook has introduced a mobile login feature that allows users to take advantage of two-factor authentication without having to receive a text message.

The move is the latest effort by online services providers to find a balance between security and practicality at a time of increasingly frequent and large-scale data breaches.

Instant verification

Facebook made the change to Account Kit, a developer kit that implements features for logging into services via phone number and email, and which works with Facebook’s main login system.

If the new “instant verification” feature is switched on, when a user enters their mobile phone number into an app from an Android device, the service checks to see if the number matches the verified phone number listed on the person’s Facebook profile.

This can only be done if the user is logged into the Facebook application on the same Android device, Facebook software developer Ethan Goldman-Kirst said in a blog post.

If there is a match, Facebook completes the verification without sending a one-time password via SMS.

“If there isn’t a successful match, a SMS will be sent with a verification code to complete the sign-in,” Goldman-Kirst wrote. “This feature is used only to improve the verification process in a secure way and no additional Facebook information is shared with the app.”

Security risk?

He said the feature is intended to “streamline the login process and rely less on SMS for those signing in with their phone number”. The company posted a video demonstrating how the feature works.

The change is intended to allow two-factor authentication to be used with less inconvenience to users, but one industry observer warned that the ease of use brings additional security risks with it.

An attacker could target someone’s mobile phone and abuse instant verification to log into multiple web accounts to collect their personal information, said security journalist David Bisson in a blog post.

An attacker who had gained access to a person’s Facebook account could change the saved mobile phone number, preventing the user from accessing accounts elsewhere, he said.

“To me, Instant Verification and Account Kit both feel a lot like reusing a single password across multiple accounts,” he wrote. “It’s convenient for sure, but it comes with a single point of compromise: a mobile phone and its corresponding contact number. If mobile users aren’t already dedicating enough attention to protecting their mobile devices or web accounts, is streamlining mobile logins using instant verification the best answer?”

Do you know all about security in 2016? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

View Comments

  • Typical security 'experts' at work. You either use two factor authentication or you don't. This watering down is just plain silly to say the least, lot better to just stick with secure password, and offer proper two factor authentication for those who want the extra security. Not everyone will!

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago