William Dudley April 12, 2016 Authentication-MFA

Initial Thoughts on Facebook’s Account Kit and Why It Could Be Trouble

This post first appeared on my SAP blog on April 12, 2016.


At Facebook’s 2016 F8 developer conference, a new password-free login solution called Account Kit was announced. Account Kit is designed as an alternative login facility for people who either don’t want to use a social login such as Facebook or don’t want a password-based login at all. Users choose either their email address or their mobile phone number as their “identity.” After providing one or the other, they receive a one-time code via email or via SMS to their mobile device, and access to the account is then granted.


I initially thought this was Facebook’s way of usurping the GSMA solution called Mobile Connect – an alternative to the one-button Facebook login. But upon further reflection, it is not.  As the GSMA site notes: “Mobile Connect is a secure universal log-in solution. Simply by matching the user to their mobile phone, Mobile Connect allows them to log-in to websites and applications quickly without the need to remember passwords and usernames.”  So, that sounds a lot like Facebook Account Kit on the surface.

Let’s dig a little deeper. First and foremost, Mobile Connect does not share any information with enterprises or sites (AKA “service providers”) without explicit permission. No such assurances exist in Account Kit. In fact, the service provider (i.e. the site or app using Account Kit) has complete access to the email address or phone number the end user provided, as well as the Facebook-generated account ID (which does not overlap with a Facebook social account ID). Bottom line: it is certainly not an anonymous login. While users don’t need a Facebook social account (as the common one-button Facebook login requires), it is unclear how Facebook will use all of the phone numbers and email addresses it acquires that have no associated Facebook account.

Now it should be noted that Account Kit is free for up to 100K confirmation SMS per month; however, most sites/apps will quickly exceed that if they achieve any prominence whatsoever. Also, users must re-provide their phone number/email and receive a fresh code each time they log in. After the initial registration, this is not a one-button login for subsequent logins (unlike the Facebook login, Mobile Connect, and other one-button logins). Some of the initial press compared Account Kit to Twitter’s Digits, a similar solution; however, Digits also provides some higher-security options, such as a second-step verification code, among others.

Facebook Account Kit can be characterized as the second part of two-factor authentication without the first factor: something you know, and only you know, namely a password. This is not a secure login. I’m a little concerned that people are swapping convenience for security. Imagine a phone with no passcode lock and numerous apps whose accounts were set up using Account Kit. Information in those accounts, or associated with them, would be wide open should that unsecured mobile device be stolen. If app/website providers are going to offer this, they are also vulnerable. Account Kit is, at best, one-factor authentication, leveraging something you have: the mobile device. In today’s environment of privacy and security concerns, I’m surprised this solution is as vulnerable as it is; it is less secure than a user ID and password. Just because both of these password-free login solutions send a one-time code via SMS (a perfectly valid side channel for true 2FA solutions) doesn’t make them full two-factor, secure login solutions.

That said, the vulnerabilities are not limited to Account Kit. As noted, Twitter Digits is quite similar; it too has the same issues should an app/website not implement additional security measures. These days, if a site or app requires account creation where something is for sale, that account should be locked down tight, protecting an account that might contain financial instruments to enable purchasing as well as private information about the user. These password-free, single-factor login solutions are convenient, but they lack significant security and can end up harming both the user and the business that implemented them.
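To make the factor argument of the last two paragraphs concrete, the following is an added example, not code from Facebook, Twitter or the GSMA: a toy relying party that accepts an Account Kit style one-time-code login, can layer a password on top, and applies a policy that refuses OTP-only logins for accounts holding payment data. The code lifetime, attempt limit, PBKDF2 parameters and all identities are assumed values chosen for the illustration.

```python
import hashlib, hmac, secrets, time

OTP_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_OTP_ATTEMPTS = 3    # assumption: three wrong guesses burn the code
PENDING = {}    # identity -> [code, issued_at, wrong_attempts]
PASSWORDS = {}  # identity -> (salt, pbkdf2 digest); empty for OTP-only accounts

def issue_code(identity, now=None):
    """Account Kit style step 1: a six-digit code goes to the phone or e-mail."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[identity] = [code, time.time() if now is None else now, 0]
    return code  # stands in for SMS/e-mail delivery; a real app never sees it

def verify_code(identity, code, now=None):
    """Step 2: the echoed code proves possession of that phone or mailbox only."""
    entry = PENDING.get(identity)
    now = time.time() if now is None else now
    if (entry is None or now - entry[1] > OTP_TTL_SECONDS
            or entry[2] >= MAX_OTP_ATTEMPTS):
        PENDING.pop(identity, None)  # missing, expired or exhausted
        return False
    entry[2] += 1
    if not hmac.compare_digest(entry[0], code):
        return False
    del PENDING[identity]  # one-time: a replayed code must fail
    return True

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(identity, password):
    salt = secrets.token_bytes(16)
    PASSWORDS[identity] = (salt, kdf(password, salt))

def login(identity, code, password=None, now=None):
    """Return the set of factor types actually proven, or None if any proof fails."""
    if not verify_code(identity, code, now):
        return None
    proven = {"possession"}  # the handset or mailbox the code reached
    if password is not None:
        salt, digest = PASSWORDS.get(identity, (b"", b""))
        if not hmac.compare_digest(digest, kdf(password, salt)):
            return None
        proven.add("knowledge")
    return proven

def meets_policy(proven, holds_payment_data):
    """OTP-only may do for a throwaway account; one holding payment data needs two
    distinct factor types, which is the post's objection to Account Kit."""
    return bool(proven) and (len(proven) >= 2 or not holds_payment_data)
```

Note that two codes delivered over two channels (SMS plus email) would still count as one factor type here, since both only prove possession.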


Posted in Authentication-MFA and tagged 2FA, Authentication, Facebook, Facebook Account Kit, Mobile Connect.
