Does Facebook’s OTP Really Protect Users?

Today there has been a very interesting post on Security-Faq regarding password security and new Facebook One time password solution. According to Lee:

What the team over at Facebook has come up with is a way to get a temporary password at anytime when you are on a wireless network that you do not trust.

While your normal password will still work, you are able to use this password on a temporary basis.
The way that you do this is to use the cell phone that you access your Facebook account with and type in the letters “otp” to the number 32665.

one-time password (OTP) is a password that is valid for only one login session. This method can provide security but it will not eliminate hackers from getting access to Facebook account. Using non secured network without encryption and other security measures will make us at the same situation.

20 minute is enough for having all sensitive information (including all pictures , friend list, videos..) and OTP will not protect users from MITM (man in the middle attack).

On the other side I prefer Google account security system as it provides users more information if there is a connection opened on users account from another location and monitor all latest ip’s logged into the session.

This account is open in 1 other location (xxx.xxx.xxx.xxx).
Last account activity: 2 hours ago on this computer. Details

I think that Facebook and other Social Network may add more security features than just OTP as it still not enough secure.

make sure you subscribe to my RSS feed!

Share
  • Pingback: Seeb()

  • Pingback: SecureArabia()

  • Pingback: Lee()

  • Pingback: Ross Macdonald()

  • Pingback: Tweets that mention Does Facebook’s OTP Really Protect Users? | SecTechno -- Topsy.com()

  • Anonymous

    Thanks for linking to my post Mourad.

    I thoroughly agree that OTP is far from the finished article in terms of security but do you not agree that it is a good step in the right direction and is a positive move from Facebook?

  • http://sectechno.com Mourad

    You are always welcome Lee

    Yes I agree with all what you are saying but dont you think that it will be better if Facebook fully support SSL instead of creating an OTP?

    this will decrease some applications functionality but it will really add security.

  • Pingback: Win Security()

  • Pingback: Mourad Ben Lakhoua()

  • Pingback: Bart P()

  • Anonymous

    Yes, SSL would be a better choice but, the reduced functionality would probably bother the average user far more than the increase in security :(

  • Pingback: Mourad Ben Lakhoua()

  • Pingback: Yesid Gonzalez()

  • Pingback: Lincoln Werneck()