Mobility, Messaging, and More

William Dudley April 12, 2016 Authentication-MFA

Initial Thoughts on Facebook’s Account Kit and Why It Could Be Trouble

This post first appeared on my SAP blog on April 12, 2016.


At Facebook’s 2016 F8 developer conference, a new no-password login solution called Account Kit was announced. Account Kit is designed as an alternative login facility for people who either don’t want to use a social login such as Facebook Login or who want a login that doesn’t rely on a password. Users choose either their email address or their mobile phone number as their “identity.” After they provide one or the other, a one-time code is sent to that email address or via SMS to their mobile device, and entering that code grants access to the account.


I initially thought this was Facebook’s way of usurping the GSMA solution called Mobile Connect – an alternative to the one-button Facebook login. But upon further reflection, it is not.  As the GSMA site notes: “Mobile Connect is a secure universal log-in solution. Simply by matching the user to their mobile phone, Mobile Connect allows them to log-in to websites and applications quickly without the need to remember passwords and usernames.”  So, that sounds a lot like Facebook Account Kit on the surface.

Let’s dig a little deeper. First and foremost, Mobile Connect does not share any information with enterprises or sites (AKA “service providers”) without explicit permission. Account Kit offers no such assurance. In fact, the service provider (the site or app using Account Kit) has complete access to the email address or phone number the end user provided, as well as the Facebook-generated account ID (which would not overlap with a Facebook social account ID). Bottom line: it is certainly not an anonymous login. While users don’t need a Facebook social account (as is required for the common one-button Facebook login), it is unclear how Facebook will use all of the phone numbers and email addresses it acquires that have no associated Facebook account.

It should be noted that Account Kit is free for up to 100K confirmation SMS per month; however, most sites/apps will quickly exceed that if they achieve any prominence whatsoever. Also, users must re-provide their phone number or email and receive a code each time they log in, so this is not a one-button login for subsequent logins after the initial registration (unlike the Facebook login, Mobile Connect, and other one-button logins). Some of the initial press compared Account Kit to Twitter’s Digits, a similar solution; however, Digits also provides some higher-security options, such as a second-step verification code, among others.

Facebook Account Kit can be characterized as the second half of two-factor authentication without the first factor: something you know and only you know, a password. This is not a secure login. I’m a little concerned that people are swapping convenience for security. Imagine a phone with no passcode lock and numerous apps with accounts set up using Account Kit. Information in or associated with those accounts would be wide open should that unsecured mobile device be stolen. If app/website providers are going to offer this, they are also vulnerable. Account Kit is, at best, one-factor authentication, leveraging something you have: the mobile device. In today’s environment of privacy and security concerns, I’m surprised this solution is as vulnerable as it is; it is less secure than a user ID and password. Just because both of these password-free login solutions send a one-time code via SMS (a very valid side channel for true 2FA solutions) doesn’t make them a full two-factor, secure login solution.

That said, the vulnerabilities are not limited to Account Kit. As noted, Twitter Digits is quite similar, and it has the same issues should an app/website not implement additional security measures. These days, if any site or app requires account creation where something is for sale, that account should be locked down tight, protecting both the financial instruments it may contain to enable purchasing and the private information about the user. These password-free, single-factor login solutions are convenient, but they lack significant security and can end up harming the user and the business that implemented them.
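To make the “single factor” point and the “additional security measures” point concrete, here is an added example (not Account Kit’s SDK and not code from the original post) that models the flow: the identity is a phone number or email, the proof is a one-time code, and the relying party records that only a possession factor was proven and refuses sensitive actions until a password (knowledge factor) is also presented. The class name `RelyingParty`, the action names in `SENSITIVE`, and the sample identities are constructed for the demo.

```python
"""Model of an Account Kit-style login (identity = phone or email, proof = one-time code)
wrapped by a relying party that treats it as a single possession factor."""
import hashlib, hmac, secrets, time

CODE_TTL = 300       # seconds an issued one-time code stays valid
MAX_ATTEMPTS = 5     # guesses allowed per issued code before it is burned
SENSITIVE = {"purchase", "change_payment_method"}   # constructed example actions


class RelyingParty:            # hypothetical app/site using the code-based login
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}      # identity -> [code, expires_at, attempts]
        self.sessions = {}     # identity -> set of proven factors
        self.pw_hashes = {}    # identity -> (salt, pbkdf2 hash)

    def request_code(self, identity):
        # Account Kit would deliver this via SMS or email; returned here only for the demo.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[identity] = [code, self.now() + CODE_TTL, 0]
        return code

    def verify_code(self, identity, code):
        p = self.pending.get(identity)
        if p is None:
            return False
        p[2] += 1
        if self.now() > p[1] or p[2] > MAX_ATTEMPTS:
            del self.pending[identity]          # expired or brute-forced: burn the code
            return False
        if not hmac.compare_digest(p[0], code): # constant-time comparison
            return False
        del self.pending[identity]              # one-time: a replayed code is rejected
        self.sessions[identity] = {"possession"}   # only "something you have" was shown
        return True

    def set_password(self, identity, password):
        salt = secrets.token_bytes(16)
        self.pw_hashes[identity] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000))

    def prove_password(self, identity, password):
        if identity not in self.sessions or identity not in self.pw_hashes:
            return False
        salt, expected = self.pw_hashes[identity]
        ok = hmac.compare_digest(expected, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000))
        if ok:
            self.sessions[identity].add("knowledge")   # "something you know" now proven
        return ok

    def authorize(self, identity, action):
        factors = self.sessions.get(identity, set())
        if action in SENSITIVE:                 # purchases need both factors
            return {"possession", "knowledge"} <= factors
        return "possession" in factors
```

A stolen, unlocked phone gets the attacker a code-only session, which this relying party confines to non-sensitive actions.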


Posted in Authentication-MFA and tagged 2FA, Authentication, Facebook, Facebook Account Kit, Mobile Connect. Bookmark the permalink.
