Facebook has added a one-time password feature as part of an effort to
address account security.
The social network site is gradually rolling out the ability to have
Facebook text a one-time password to users
concerned about working on machines other than their normal computers, such
as public computers in hotels, cafes or airports.
"Simply text 'otp' to 32665 on your mobile phone, and you'll
immediately receive a password that can be used only once and expires in 20
minutes," blogged
Jake Brill, product manager for Facebook's integrity team. "In order
to access this feature, you'll need a mobile phone number in your account.
We're rolling this out gradually, and it should be available to everyone in the
coming weeks."
According to a Facebook spokesperson, to confirm that a mobile phone
number added to an account belongs to them, a user would have to
enter on Facebook a code that the site sends them via SMS. There is
currently no provision, however, to stop a person who has someone else's
phone from intercepting the password if they can access that person's text
messages.
"Unfortunately we can't protect against all scenarios,"
the spokesperson said. "If someone else has your phone and wants to
do malicious things, there are a lot of different" things they can
do.
Facebook is not the only site to go the SMS route for account security.
Microsoft recently did something
similar for Hotmail to enable users to reset their account passwords
through their mobile phones.
In addition to the new password feature, Facebook also announced it has
finished rolling out the remote
logout capability to the site's 500 million users.
"These session controls can be useful if you log into Facebook from a
friend's phone or computer and then forget to sign out," Brill blogged. "From
your Account Settings, you can check if you're still logged in on other devices
and remotely log out. Under the Account Security section of your Account
Settings page you'll see all of your active sessions, along with information
about each session. In the unlikely event that someone accesses your account
without your permission, you can also shut down the unauthorized login before
resetting your password and taking other steps to secure your account and
computer."
In addition, Facebook said it will begin regularly prompting users to keep
their security information updated.
The latest security announcements follow another privacy flap last week that
occurred when Facebook announced
a new Groups feature to allow users to create small groups of friends to
share information with. The Groups are set to "closed" by default,
meaning the names of members are visible to the public but content posted to
the group is not. Other settings include "secret," where the names and
content are hidden, and "open," where everything is visible.
Controversy broke out, however, due to Facebook's decision not to give users
the power to approve whether or not a friend adds them to a group. According to
Facebook's Help Center,
"you can only be added to a group by one of your friends. When a friend
adds you to a group, a story in the group (and in News Feed for Open or Closed
groups) will indicate that your friend has added you to a group."
Users can leave groups at any time, and if they choose to do so, they can't
be re-added by someone else unless they request it, Facebook added.