Why Facebook's Password Killer Is Thriving

The death of passwords looms, but will the public like what comes next?

Facebook’s plan to kill passwords is catching on with software developers.

The company announced today that Account Kit, a tool which allows developers to send one-time passwords to their users via text messages, is being used in 26 countries and has a conversion rate of up to 90 percent among its users.

To celebrate that success, Facebook is waiving the cost of sending those text messages until August 2018. This means that more developers will be able to build Account Kit into their apps without having to worry about paying for the tool — a gambit which could help Account Kit become even more popular.

This is what Account Kit looks like in action.


The idea behind Account Kit is that doing away with passwords is good for consumers because it makes them more secure, good for developers because it makes the sign-up process less tedious, and good for Facebook because it gets to establish itself as an integral part of every mobile app that relies on the tool.

“We’ve tried different phone number sign up products and our data shows that Account Kit increased our conversion rates from [56 percent to 95 percent],” Filipe Santos, the director of international business for the popular MomentCam photo app, said in a statement. “Using both Facebook Login and Account Kit has enabled us to provide a safe and convenient way for MomentCam fans to register.”

Account Kit has come along at the right time. Many companies are trying to kill the password, but they’re doing so with biometric safeguards, and a recent survey revealed that many people don’t trust those tools.

And well they shouldn’t, as one police department’s effort to 3D-print a dead man’s fingers to access his phone shows. Biometric security is easy to undermine and, unlike passwords or phone numbers, pretty hard to change.

But that isn’t to say that Account Kit doesn’t have its own problems. The service relies on sending text messages containing one-time passwords, which people enter to get into a service. If everything is working like it’s supposed to, users get the benefits of unique passwords without actually having to remember the damned things.

The problem is that dedicated hackers can undermine these protections, as the Rocket Kitten hacking group showed when it compromised Telegram accounts by intercepting text messages containing these codes.

As more people use Account Kit to sign in to their favorite apps or websites, the messages sent from the tool will become even more attractive to anyone who wants to gain access to someone else’s accounts, and without changing the phone number associated with the account there’s little that can be done in response.

Still, the tool is becoming increasingly popular, and it will only continue to do so now that Facebook isn’t making developers pay for the text messages it sends. The death of passwords looms; now the question is whether or not people are going to be happy with whatever security mechanisms end up taking their place.
