To Thwart Keyloggers, Facebook Introduces One-time Passwords

Worried about logging into Facebook from a strange computer? There's now a way to get into the popular social network without entering your regular Facebook password.

It's called a temporary password, and Facebook announced the new service on Tuesday.

The idea is to make it "safer to use public computers in places like hotels, cafes or airport," said Facebook Product Manager Jake Brill in a blog post. "If you have any concerns about security of the computer you're using while accessing Facebook, we can text you a one-time password to use instead of your regular password."

The service is being rolled out gradually to Facebook users and will be available worldwide in the next few weeks.

To use it, users must list their mobile phone numbers with their Facebook accounts. They can then text the letters "otp" to the number 32665 from their phones. Facebook sends back a temporary password that is good for 20 minutes.

The idea is to protect users in the event that a computer has been hacked and someone has installed password-stealing keylogging software on it. Instead of stealing a permanent password, the keylogger will record only a temporary password that can't be used again.

Facebook has been playing a cat-and-mouse game with scammers over the past few years as criminals find new ways to misuse the social network.

Last month Facebook introduced new ways for users to track which computers have been used to log into their accounts and to remotely log out of machines that shouldn't have access to them.

That feature was also rolled out gradually and is now available to all users, Brill said.

To stay ahead of the scammers, Facebook plans to increasingly prompt users to make sure that their contact information and security questions are up to date. This is the kind of data that can be used to recover a Facebook account if scammers manage to steal a user's password, so keeping this security information updated will make it easier for legitimate users to regain control of their accounts in case of a compromise.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Subscribe to the Security Watch Newsletter

Comments