Everyday, on many different sites, people forget their passwords. And everyday, these sites respond to people’s “forgot password?” queries, using features like two-factor authentication to help log these poor souls back in. What most platforms don’t do is send cold emails to unsuspecting users asking them to log back in. But Facebook isn’t most platforms.
While Facebook’s One Click feature isn’t new, it’s rarely talked about—save for confused users trying to look up whether it’s a scam. It’s a valid question, particularly in light of Facebook’s most recent security breach, wherein hackers used a bug in the platform’s code to gain access to millions of users accounts. Experts say the hack will likely lead to a rise in phishing attacks. While One Click is in fact real and not a phishing scam, it is riddled with unsafe security practices—perhaps all in the name of driving Facebook user numbers. I reached out to Facebook to ask about when One Click was launched, and why. I didn’t receive answers to those specific questions, but after sending an example of a One Click email to the company, a representative confirmed it came from the social network. The rep also pointed me in the direction of Facebook’s Security Settings page, where users can confirm whether or not Facebook has sent them an email.
That tool is a helpful one, especially since users who receive a One Click access email from Facebook are greeted by the rather suspicious-looking “security@facebookmail.com” address. The email explains that Facebook has noticed the user was having trouble logging in. The note is accompanied by a button that reads: “Log In With One Click.” Click it, and the user will be automatically logged back into Facebook. (Facebook also asks users to let the company know if the unsuccessful attempt to login did not come from them.)
Everything about the One Click method seems scammy, from the “@facebookmail.com” email suffix to the password-less entry. “Sending a single-click login link via email is bad enough but also sending that email unsolicited is an extremely poor security practice,” Mark Burnett, a security consultant and author of Perfect Passwords: Selection, Protection, and Authentication, told me via email. For one, Facebook wouldn’t know if the recipient’s email address is still valid, or if other people aside from the user can access it. Also, says Burnett, “While a single-click link may be a minimally acceptable way to login in some cases, the window for which that link is valid should be very small, measured in minutes. [Facebook doesn’t] indicate in the emails when the link expires but it would need to be much longer than normal -- possibly several days or more -- to give users a chance to respond.”
Burnett says that it is rare for tech platforms to reach out to users who aren’t logging in—whether or not it’s because they forgot their password. Most login sites instead work like Tumblr, where those who can’t login enter the email address associated with the account and request a login link via email. It’s important, Burnett says, that the user initiated the request and that the link expires fairly quickly. Facebook offers this option to locked-out users, but it seems that One Click is an alternative to the safer user-initiated model. “Password resets should involve a well-established multi-step process that involves some form of soft authentication such as answering a question or providing information,” Burnett says. In other words, something more secure than merely clicking a button.
And it’s not only the messenger, but also the message itself that is troublesome. Burnett says that the One Click email shares similarities with phishing scams. “These emails go against all of the best practices we in the security industry have for years tried to instill in companies,” Burnett says. “Keep things such as domain names consistent, avoid login links, and clearly establish when you will contact users about their account.”
Receiving an unprompted email from Facebook is unusual: In fact, the social network said that rather than email users affected in its most recent security breach, it would instead drop a message atop of users’ News Feeds. Burnett says of One Click: “It’s almost as it it was designed by someone with no real security training.”
The answer to “Why One Click?” seems obvious: Facebook wants to retain users, perhaps more so now than ever, in the aftermath of #DeleteFacebook and a pattern of declining user numbers. A Bloomberg story from early this year investigated the many ways in which the social network is trying to keep users or woo them back. One man interviewed for the story had deleted Facebook from his phone and rarely logged in; eventually he got a One Click email. He hadn’t tried to log in, though, and he doubted anyone else had. “The content of mail they send is essentially trying to trick you,” [Rishi] Gorantala said. “Like someone tried to access my account so I should go and log in.”
Ringer writer Danny Heifetz had a similar experience, and was similarly suspicious. “I forgot my password, was annoyed, decided I was taking a break from Facebook, and stayed logged out,” he says. Only after repeated aggressive emails from Facebook with updates on what he was missing did he receive the One Click message saying he didn’t need his password after all. “So after a couple of weeks of begging me to log in, [Facebook] basically ignored passwords altogether. It blew my mind.”
Emmanuel Schalit, the CEO of Dashlane, a password management system that can be used in lieu of Facebook Connect (Facebook’s single-sign on tool that exists across the web) to login to various accounts, says that his company and Facebook are essentially trying to solve the same problem in different ways. “Facebook has this big, giant vault for hundreds of millions of users where they store everyone’s credentials in one big vault, which they control and secure,” he says. “And once they have done that, anytime a site or an app is compatible with the Facebook login method, then people can login without entering anything. It’s very convenient. The problem with it is if that one unique gigantic vault is breached, as just happened, then everybody’s credentials are leaked, and without you even knowing it somebody could be connecting to Uber or to some other app that uses the Facebook login method.” Dashlane takes a different approach, decentralizing user data so that only the user can access it. It’s more difficult and takes more computing power to run a decentralized system (which is one reason why Dashlane has paid options, while Facebook is free), but it’s altogether safer.
“You know, we also have users of Dashlane that stop being engaged. That happens with any product,” Schalit says. But Dashlane doesn’t send an email prompting users to click and log back in; by its very nature, it can’t. “If somebody has forgotten their password, we can’t log them back in. We can’t reengage them,” he says. “By definition, with a true identity platform, if you lose your password, you have to restart from scratch. We pay the price of that every day, but we accept that price because that’s the cost of truly having the trust of our users.”
Whether Facebook’s One Click is a desperate attempt to increase active user numbers, a method to alert users to outside login attempts, or a combination of the two, it eschews best security practices to accomplish its goal. “Their intent may not be bad, because it is true that lots of people forget their passwords,” Schalit says. “But the way they are going at it, especially after everything that has happened to Facebook, can raise some eyebrows.”