Facebook's 2FA accused of violating user privacy

Facebook's enhanced security feature has received public outcry and not for the first time

A viral tweet has sparked further condemnation of Facebook after one user reported an inability to publicly unlist his phone number that the social network indexed following two-factor authentication (2FA) security implementation.

The website encourages its users to set up 2FA account protection which requires a phone number. This isn't necessarily a bad thing, many sites that hold sensitive account information prompt users to adopt 2FA.

The real kicker here is that Facebook takes the phone number you use to activate 2FA protection, ties it to your account and then the number can be used to find your profile in the 'Look Up' feature of the site.

People are speaking out against the company because users cannot opt-out of having the number used to index the profile. The only workaround to the issue is to change the account privacy settings to ones that only permit friends to find you through the site's search function.

Jeremy Burge, the Twitter user that exposed the issue, took to the site to express his disdain for the practice saying that "using a phone number to sign up for services has been the single greatest coup for the social media and advertising industries".

It's "one unique ID that is used to link your identity across every platform on the internet", he added.

Users can hide their phone number if it's linked to their account so other users and friends cannot see it. But it's still possible to discover user profiles in other ways, such as "when someone uploads your contact info to Facebook from their mobile phone," according to a Facebook help article.

The report comes amid more serious privacy concerns for Facebook, but this won't be overlooked, considering that something very similar was reported last year by Gizmodo.

Numbers associated with a Facebook account were used for targeted ads within weeks of adding them to the site, the investigation showed.

"In April 2018, we removed the ability to enter another person's phone number or email address into the Facebook search bar to help find someone's profile," said a Facebook spokesperson. "Today, the 'Who can look me up?' settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone. We appreciate the feedback we've received about these settings and will take it into account."

Amid the outcry from industry leaders, people are now urging others to pursue different methods of account security.

Google's Authenticator App is one third-party offering that could be used to mitigate such issues. Facebook doesn't require a phone number to enable 2FA, although it's common practice for phone numbers to be used.

It's an attractive concept: account security traded for a phone number - there's no need to sign up for an outside service and it's something that you likely have memorised so you don't even have to get up from your chair.

But, the thing is: 2FA and enhanced account security are taken seriously, even by those who can't be bothered to sign up for an outside 2FA service. Some think that using a trusted security measure to violate the privacy expectations of users is a step too far.

Zeynep Tufecki, security expert and academic likened the findings to the controversial anti-vaccination movement.

Facebook is now facing as many as 10 GDPR probes, according to reports last week. A leaked internal memo has also surfaced recently which showed that the company lobbied against a proposed data directive in 2012 and 2013 which later became the GDPR.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Most Popular

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021