Facebook Asking New Users for their Email Passwords as Verification

• New users were recently asked to provide Facebook with their personal email password.
• The platform claims that this information is not stored, but this has been done before with phone numbers.
• Facebook has now decided to remove the particular verification method from its platform.

This could be a piece scheduled for April 1, but unfortunately, it’s not. As a security researcher and software developer (e-sushi) noticed a couple of days back, Facebook has started asking for the passwords of the external email accounts belonging to new users, alleging safety and verification issues. This vulgar request is pushed to users who go through the process of signing up with the world’s most popular social media platform for the first time, with the associated message reassuring them that this is a one-time verification step and that they will be able to login automatically in the future.

https://twitter.com/originalesushi/status/1112496649891430401

Facebook may have thought that fixing their “broken” from a security and privacy standpoint two-factor-authentication system would be too much of a kerfuffle, so they thought of taking a shortcut instead and just plainly ask people to hand over their personal email passwords. Is this in line with Mark Zuckerberg’s vision on user privacy for the Facebook of tomorrow? Frankly, no one believed a word when this came out anyway. Is it too audacious for the company that stored millions of user passwords in plain text form to ask for email passwords? Last time, they only allowed about 20000 of their employees to access them, and so handing them over your personal email password should be ok right?

Apparently, many of the people who wanted to sign up with Facebook thought that it’s okay, trusting the tech giant no matter the platform’s long record of bad privacy and security approaches. Facebook claims that they are not storing these passwords anyway and that they actually offer alternative verification methods for the users who don’t want to give out their email password. New users who click on the “Need help?” button in the page’s corner may have a code sent to their phone or a verification link sent to their email. However, clicking on the “Need help?” isn’t an obvious way to override the email password handover step, and a name like “Alternative Methods?” would be much more straight-forward.

As this news has brought another wave of criticism for Facebook, they have decided to announce that they will be retracting the particular verification method once and for all. As they wrote: “We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.”

Would you give away your email password to join Facebook? Let us know what your limits are in the comments section beneath, and don’t hesitate to join the discussions on our socials, on Facebook and Twitter.