Facebook Moves to Kill App Passwords

Facebook is making it easier for developers to build post-password apps.

The social network introduced Account Kit this week at its F8 developer conference. Using the Account Kit SDK, app developers and site owners can let users log in without passwords, using their phone number or email address instead, or with Facebook login (an existing feature). Account Kit does not require people to have a Facebook account.

Chris Webber, security strategist for Centrify, said that the move will help users learn how to use mobile authenticators.

“With more and more consumer companies leveraging mobile devices for SMS-based authentication, users are going to grow familiar with this new authentication paradigm more quickly—which is great for both consumer and business-related security,” he said via email. “I’m sure that we’ll see cranky naysayers commenting across the internet. They’ll try to sound smart and assert that mobile devices can be lost or stolen, or that people can be out of coverage range and not receive an SMS notification, and so mobile authenticators have drawbacks. These people are missing the point entirely, and don’t understand that passwords alone provide next to no protection in today’s world. Mobile authentication raises the bar for security, and makes it much harder for attackers.”