Facebook's 2FA accused of violating user privacy

Facebook's enhanced security feature has received public outcry and not for the first time

A viral tweet has sparked further condemnation of Facebook after one user reported an inability to publicly unlist his phone number that the social network indexed following two-factor authentication (2FA) security implementation.

The website encourages its users to set up 2FA account protection which requires a phone number. This isn't necessarily a bad thing, many sites that hold sensitive account information prompt users to adopt 2FA.

Advertisement - Article continues below

The real kicker here is that Facebook takes the phone number you use to activate 2FA protection, ties it to your account and then the number can be used to find your profile in the 'Look Up' feature of the site.

People are speaking out against the company because users cannot opt-out of having the number used to index the profile. The only workaround to the issue is to change the account privacy settings to ones that only permit friends to find you through the site's search function.

Jeremy Burge, the Twitter user that exposed the issue, took to the site to express his disdain for the practice saying that "using a phone number to sign up for services has been the single greatest coup for the social media and advertising industries".

It's "one unique ID that is used to link your identity across every platform on the internet", he added.

Users can hide their phone number if it's linked to their account so other users and friends cannot see it. But it's still possible to discover user profiles in other ways, such as "when someone uploads your contact info to Facebook from their mobile phone," according to a Facebook help article.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The report comes amid more serious privacy concerns for Facebook, but this won't be overlooked, considering that something very similar was reported last year by Gizmodo.

Numbers associated with a Facebook account were used for targeted ads within weeks of adding them to the site, the investigation showed.

"In April 2018, we removed the ability to enter another person's phone number or email address into the Facebook search bar to help find someone's profile," said a Facebook spokesperson. "Today, the 'Who can look me up?' settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone. We appreciate the feedback we've received about these settings and will take it into account."

Amid the outcry from industry leaders, people are now urging others to pursue different methods of account security.

Advertisement - Article continues below

Google's Authenticator App is one third-party offering that could be used to mitigate such issues. Facebook doesn't require a phone number to enable 2FA, although it's common practice for phone numbers to be used.

It's an attractive concept: account security traded for a phone number - there's no need to sign up for an outside service and it's something that you likely have memorised so you don't even have to get up from your chair.

But, the thing is: 2FA and enhanced account security are taken seriously, even by those who can't be bothered to sign up for an outside 2FA service. Some think that using a trusted security measure to violate the privacy expectations of users is a step too far.

Zeynep Tufecki, security expert and academic likened the findings to the controversial anti-vaccination movement.

Facebook is now facing as many as 10 GDPR probes, according to reports last week. A leaked internal memo has also surfaced recently which showed that the company lobbied against a proposed data directive in 2012 and 2013 which later became the GDPR.

Featured Resources

Successful digital transformations are future ready - now

Research findings identify key ingredients to complete your transformation journey

Download now

Cyber security for accountants

3 ways to protect yourself and your clients online

Download now

The future of database administrators in the era of the autonomous database

Autonomous databases are here. So who needs database administrators anymore?

Download now

The IT expert’s guide to AI and content management

Your guide to the biggest opportunities for IT teams when it comes to AI and content management

Download now
Advertisement
Advertisement

Most Popular

Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020
Visit/server-storage/servers/355254/a-critical-flaw-in-350000-microsoft-exchange-remains-unpatched
servers

A critical flaw in 350,000 Microsoft Exchange remains unpatched

7 Apr 2020
Visit/security/cyber-security/355271/microsoft-gobbles-up-corpcom-domain-to-keep-it-from-hackers
cyber security

Microsoft gobbles up corp.com domain to keep it from hackers

8 Apr 2020