Experts: Facebook’s One-Click Login Is A Major Security Risk

Have you ever forgotten your Facebook password? If you have, there’s a good chance you received an email from the company featuring its One Click login feature. It’s not widely known, but Facebook sometimes sends an email to dormant users that lets them log back in to their accounts with one click — and no real security measures. And, according to experts, that could create serious issues.

Many users are confused by these emails, which appear to come from a suspicious source. (They arrive from an address on the @facebookmail.com domain.) And while these communications aren’t an actual scam, they do pose a security risk. For instance, it’s unclear when the One Click link expires, and experts advise that this sort of login link should expire within minutes. There’s also no way for Facebook to know whether the email address it has on file is still valid, or whether someone else now has access to that mailbox. All in all, experts say, the practice violates a host of common-sense privacy measures.
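To make the expiry point concrete, here is an added example of how a login-by-link token can be issued so that it dies within minutes and can only be redeemed once. This is illustrative code written for this article, not Facebook's implementation; it assumes an HMAC-SHA256 signing key loaded from a secret store, a ten-minute lifetime, and an in-memory set standing in for a shared "already used" registry.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for the demo: a real service loads this from a KMS or secret store.
SECRET_KEY = secrets.token_bytes(32)
# Assumption: links are valid for ten minutes, in line with "expire within minutes".
TOKEN_TTL_SECONDS = 10 * 60
# Assumption: in-memory single-use registry; a deployment would use a shared store.
_consumed_nonces: set[str] = set()


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token can sit in a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_login_token(user_id: str, now: float | None = None) -> str:
    """Create a signed, short-lived, single-use token for a login link."""
    now = time.time() if now is None else now
    payload = {
        "uid": user_id,
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "nonce": secrets.token_hex(16),  # makes every link unique and one-shot
    }
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_login_token(token: str, now: float | None = None) -> tuple[bool, str]:
    """Return (True, user_id) on success, else (False, reason).

    Order matters: check the signature before trusting any field, then the
    clock, then single use. The nonce is burned only when everything passes.
    """
    now = time.time() if now is None else now
    try:
        body, sig_b64 = token.split(".", 1)
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig_b64)):
            return False, "bad signature"
        payload = json.loads(_b64d(body))
    except (ValueError, TypeError):  # covers bad base64, bad JSON, missing "."
        return False, "malformed token"
    if now > payload["exp"]:
        return False, "expired"
    if payload["nonce"] in _consumed_nonces:
        return False, "already used"
    _consumed_nonces.add(payload["nonce"])
    return True, payload["uid"]


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the demo is deterministic
    link = issue_login_token("user-42", now=t0)
    print(verify_login_token(link, now=t0 + 60))    # first use within TTL: accepted
    print(verify_login_token(link, now=t0 + 61))    # replay: rejected
    print(verify_login_token(issue_login_token("user-42", now=t0), now=t0 + 601))  # stale
```

Two of the article's concerns map directly onto this shape: the `exp` field bounds the window in which a leaked or forwarded email is useful, and the consumed-nonce check means a link that has been clicked once cannot be replayed by whoever later gains access to the mailbox. Neither control helps if the mailbox has already changed hands before the link is ever sent, which is why sending such links unsolicited remains the harder problem.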

“Sending a single-click login link via email is bad enough but also sending that email unsolicited is an extremely poor security practice,” security consultant Mark Burnett told The Ringer. “These emails go against all of the best practices we in the security industry have for years tried to instill in companies.”

It makes sense that Facebook wants to reengage users who have stopped logging in to the platform, but there has to be a better — and safer — way than this.