Facebook’s One Time Passwords Are Less Secure
Thursday, October 14th, 2010
Unless Facebook opts to add another factor of authentication, the recently announced one-time passwords are an easy way in to a Facebook account.
Currently, you are required to enter a password, something (hopefully) obscure that you know; this constitutes single-factor authentication – in this case, something you know. When you use Facebook’s one-time password option instead, you are again relying on a single-factor scheme – in this case, something you have (the phone that receives the code).
Because both methods rely on a single factor, they are roughly equal in strength. However, it can be argued that something you have is substantially weaker than something you know. “Social engineering”, for example, is a mature practice designed to trick people into revealing information that only they know; it comes in many flavors and can be quite effective, fooling even the “techiest” of people.
“Something you have” is probably one of the oldest notions of identification/authorization and has been compromised probably since the beginning of history. It is my opinion that it is easier to physically take something than to convince someone to offer personal information. So, with Facebook’s one-time passwords, compromising an account requires only that someone’s phone be taken for a very brief period of time (less than one minute). With the phone of the targeted account holder in hand, a quick grab, text, and read/remove is all that is necessary to log in to that account (within the given 20 minute window) without the owner knowing anything about it.
How many people currently regard their phones as important to protect as their wallets? Next time you are out, look closely at the number of phones left at a table or otherwise readily available to be snatched.
Unless Facebook adds a second factor of authentication, don’t enable this feature or give them your mobile phone number.
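To make the factor distinction concrete, here is an added example (my own toy code, not Facebook’s implementation or anything from the post) of a login that models a one-time code with the post’s 20 minute window. The in-memory store, the sample username and password, the 8-digit code format and the five-guess limit are assumptions for illustration. `login_single_factor` accepts the code alone, which is the exposure the post describes; `login_two_factor` requires the password as well, so possession of the phone on its own gets nobody in.

```python
import hashlib
import hmac
import secrets

# Validity window for a one-time password, taken from the post (20 minutes).
OTP_TTL_SECONDS = 20 * 60
# Wrong guesses tolerated before an issued code is discarded (assumed limit).
OTP_MAX_ATTEMPTS = 5


class AccountStore:
    """Toy credential store: salted password hashes plus per-user one-time codes."""

    def __init__(self):
        self.users = {}  # username -> {"salt": bytes, "pw_hash": bytes}
        self.otps = {}   # username -> {"code", "issued", "used", "attempts"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw_hash": self._hash(password, salt)}

    def check_password(self, username, password):
        """Knowledge factor: constant-time comparison of the salted hash."""
        rec = self.users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(self._hash(password, rec["salt"]), rec["pw_hash"])

    def issue_otp(self, username, now):
        """Possession factor: generate a fresh 8-digit code.

        In the real system this value is what would be texted to the phone; here
        it is returned so the caller can simulate reading it off the device.
        """
        code = f"{secrets.randbelow(10**8):08d}"
        self.otps[username] = {"code": code, "issued": now, "used": False, "attempts": 0}
        return code

    def redeem_otp(self, username, code, now):
        """Accept a code once, only inside the window, and only for a few guesses."""
        rec = self.otps.get(username)
        if rec is None or rec["used"]:
            return False
        if now - rec["issued"] > OTP_TTL_SECONDS:
            del self.otps[username]        # expired: drop it so it cannot be retried
            return False
        rec["attempts"] += 1
        if rec["attempts"] > OTP_MAX_ATTEMPTS:
            del self.otps[username]        # too many guesses: invalidate the code
            return False
        if not hmac.compare_digest(rec["code"], code):
            return False
        rec["used"] = True                 # one-time: replaying the same code fails
        return True


def login_single_factor(store, username, code, now):
    """What the post objects to: holding the phone during the window is enough."""
    return store.redeem_otp(username, code, now)


def login_two_factor(store, username, password, code, now):
    """Knowledge AND possession: the texted code is useless without the password."""
    if not store.check_password(username, password):
        return False
    return store.redeem_otp(username, code, now)


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")  # constructed sample account
    t0 = 1_000_000.0                                         # constructed clock value
    code = store.issue_otp("alice", t0)
    print("OTP only, phone in hand:", login_single_factor(store, "alice", code, t0 + 30))
    code = store.issue_otp("alice", t0)
    print("OTP + wrong password:   ", login_two_factor(store, "alice", "guess", code, t0 + 30))
    print("OTP + right password:   ", login_two_factor(store, "alice", "correct horse battery staple", code, t0 + 31))
    print("Same OTP replayed:      ", login_two_factor(store, "alice", "correct horse battery staple", code, t0 + 32))
```

The clock is passed in explicitly rather than read from `time.time()` so the 20 minute expiry can be exercised deterministically; a wrong password in `login_two_factor` does not touch the code at all, so it neither consumes the code nor counts against the guess limit.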