Facebook Offering One-Time Passwords in Security Play


Facebook is beginning to roll out a set of security features that aim to put to rest concerns about accessing the service through computers and devices other than users' primary machines, such as a friend's computer or a terminal in a public lab.

This week, the world's biggest social network will begin rolling out a feature that will enable users to send a text message to a short code, and Facebook will respond with a password that will work for just a single session. Facebook is billing the one-time password feature as a helpful tool for users who are worried about checking their account on shared computers, such as those found in hotels or coffee shops.

Of course, members need to have a mobile phone number registered with Facebook for the service to work. Users can text "otp" to 32665 and Facebook will respond with a one-time password for the registered account that expires after 20 minutes.

"We're rolling this out gradually, and it should be available to everyone in the coming weeks," Facebook product manager Jake Brill wrote in a blog post announcing the new features.

Facebook's latest security push follows a major product launch earlier this month, when the company rolled out a set of new features aimed at giving users more control over how their information is collected and used. One of those features, an online dashboard that shows how various applications on the site are interacting with users' data, was designed to address some of the persistent privacy concerns that have dogged the company throughout its meteoric rise.

While Facebook has been through the wringer over privacy issues, it has also suffered its share of security concerns, with various waves of spam and malware passing across the social network. Those security issues, of course, are only exacerbated by careless or forgetful users, a condition Facebook looks to address, at least in part, with its new security features.

In addition to the one-time passwords, Facebook is giving users the ability to sign out remotely from their accounts. So if, for instance, a user signed into Facebook at a friend's house and wasn't sure if he remembered to sign out, he could check into his account settings and remotely log off.

"Under the Account Security section of your Account Settings page you'll see all of your active sessions, along with information about each session," Brill said. "In the unlikely event that someone accesses your account without your permission, you can also shut down the unauthorized login before resetting your password and taking other steps to secure your account and computer."

Facebook is also pledging to provide periodic reminders to its more than 500 million members to update their security information regularly. Users can access their security settings here.

Kenneth Corbin is an associate editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.

Follow eSecurityPlanet on Twitter @eSecurityP.