Is Facebook’s one-time password system safe?

Graham Cluley
Graham Cluley
@[email protected]

Woman texting from cafe
Facebook announced a new feature yesterday, which claims to give you another way to keep your social networking account secure.

A one-time password is said by Facebook to:

"..make it safer to use public computers in places like hotels, cafes or airports. If you have any concerns about security of the computer you're using while accessing Facebook, we can text you a one-time password to use instead of your regular password."

Facebook explains that by sending an SMS text message of “otp” (one-time password, y’see?) to 32665 on your mobile phone, you’ll be sent a temporary password to your account that will expire after 20 minutes. Of course, you’ll need to have registered a mobile phone number with your account.

Sign up to our free newsletter.
Security news, advice, and tips.

That means that even if malware manages to grab your password as you type it in, it will only be valid for a short period of time.

The service isn’t yet rolled out to everybody (and it’s unclear to me whether it will work outside of the United States), but I have some concerns.

Mobile phone SMS

    1. How often have you mislaid your mobile phone? If you’re anything like me, quite often I’ll wager. If someone else is able to gain access to your phone (and you haven’t locked it with a password to prevent SMS texts being sent) than that’s an open door for mischief-makers to access your Facebook account. Of course, they would still need to know your email address – but if you leave your cellphone unattended in the workplace or at a social gathering then that shouldn’t be too difficult for an unwanted intruder to determine.

    2. Do you know if you’ve registered your mobile phone number on Facebook? Would you notice if someone had changed it? Imagine a scenario where some “fraper” changes the mobile number associated with your account to one to which they have access. That may mean that anytime they like they could access your Facebook account.

    3. If you believe a computer might not be secure why are you using it to access Facebook? A temporary password may stop keylogging spyware giving cybercriminals a permanent backdoor into your account, but it doesn’t stop malware from spying upon your activities online and seeing what’s happening on your screen. What’s so important to check on Facebook that you would risk using a PC that doesn’t belong to you, and whose security you’re unsure about?

Yes, there is a very real problem with Facebook users accessing their accounts from insecure computers, and having their credentials stolen as a result. And Facebook’s one-time password scheme does provide some protection against that.

But that doesn’t mean that the one-time password system guarantees 100% security, and indeed – under some circumstances – it could be exploited by people who want to hack into your account.

Maybe next time you’re in a cybercafe or sitting in front of an unknown computer you should just wait until you’re on a PC that you’re more confident has been kept up-to-date with anti-virus software and security patches. Now wouldn’t that be a good idea?

If you want to learn more about security threats on Facebook, don’t forget you can join the Sophos page on Facebook.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.