Facebook’s instant verification still relies on insecure SMS authentication

Facebook is attempting to reduce reliance its on SMS authentication for Account Kit, the ubiquitous account creation tool that lets you log into different apps using your account with the social media giant.

Instead of automatically sending a one-time password to verify a user, Facebook checks via instant verification if the user has the main Facebook app installed on that same device. If the phone numbers match, the sign in with the new app progresses. If not, the process reverts to SMS.

The stated goal is to make the entire sign-in process smoother. Mission accomplished on that front; no one wants to have to copy SMS codes, especially if phone service is spotty. Non-Facebook apps like Familonet, which shares physical locations between family members, reported an increased conversion rate after turning to Account Kit.

https://www.youtube.com/watch?v=b1nuhRfAFjw

SMS authentication, however, is relatively insecure. It can be spoofed, phished and surveilled. The National Institute of Standards and Technology warned public and private sector techies against using SMS authentication, but it remains in heavy use. Alternatives like Google’s Authenticator app are rising in popularity and authentication hardware like YubiKey saw increased sales in 2016. Twitter, the other social media behemoth, tried last week to enable more secure app authentication but made it impossible to disable password reset via SMS.

Instant verification is not being marketed by Facebook as a security boon but, somehow, it is being lauded on social media that way. In fact, it’s probably a neat little user experience boost. But SMS is still inextricably involved in Facebook’s instant verification, leaving a notable hole for anyone with a mind toward cybersecurity.