Facebook has created a new feature called Instant Verification that is designed to help Android users login to online accounts and services without all the fuss of confirming their email address or dealing with a verification code sent by SMS.
Instant Verification is a new component of Facebook’s Account Kit, a complementary solution to Facebook Login which empowers mobile users to register and log into an app using either their phone number or their email address.
Facebook software developer Ethan Goldman-Kirst explains the new feature hinges on Android users registering with the same mobile phone number that’s attached to the Facebook mobile app they already have open and running on their Android device:
“When a person enters his/her phone number into an app using Account Kit, via Android services, we attempt a match with the verified phone number listed on the person’s Facebook profile. This is only possible if the person is logged into the Facebook app on the same device. If there is a match, we can complete the verification without sending a one-time password (OTP) via SMS, making the sign-in flow more seamless. If there isn’t a successful match, a SMS will be sent with a verification code to complete the sign-in. This feature is used only to improve the verification process in a secure way and no additional Facebook information is shared with the app.”
In other words, Instant Verification works to replace SMS as a means of two-step verification (2SV) for people who register for and log into a service using their mobile phone number.
You can view a demonstration of Instant Verification at work in a YouTube video:
Facebook no doubt believes its new feature will only strengthen the 97% conversion rate of Account Kit on sign-ups. An app called Familonet is said to have seen registrations improve by 40% alone thanks to Account Kit and another 5% through Instant Verification.
But as companies like Facebook begin to broaden the opportunities for mobile account creation, they also raise a number of security concerns.
For instance, malicious hackers could theoretically target someone’s mobile phone, abuse the Instant Verification feature to log into multiple web accounts, and collect their personal information for additional attacks.
Alternatively, if they gained access to someone’s Facebook account, they could mess with their victim by changing their profile’s saved mobile number, thereby preventing the victim from accessing any of their other accounts with which they registered on their devices.
To me, Instant Verification and Account Kit both feel a lot like reusing a single password across multiple accounts. It’s convenient for sure, but it comes with a single point of compromise: a mobile phone and its corresponding contact number.
So the reality is this: if mobile users aren’t already dedicating enough attention to protecting their mobile devices or web accounts, is streamlining mobile logins using Instant Verification the best answer?
Developers should muse over that question carefully before they decide to build Instant Verification into their apps.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
One comment on “Instant Verification lets mobile users authenticate themselves without an SMS”
I agree, in light of recent guidlines issued by NIST using the same device you are accessing the account on to also authorise or verify identity retains the risk of a crook or other malicious entity gaining access to or obtaining that device.If this happens to be a PC or Mac in your own home or at work then maybe the risk reduces but on a mobile device the risk is greater.