Facebook's 2FA accused of violating user privacy

Facebook's enhanced security feature has drawn public outcry, and not for the first time

A viral tweet has sparked further condemnation of Facebook after one user reported being unable to unlist his phone number, which the social network indexed after he set up two-factor authentication (2FA).

The website encourages its users to set up 2FA account protection, which requires a phone number. This isn't necessarily a bad thing; many sites that hold sensitive account information prompt users to adopt 2FA.

The real kicker here is that Facebook takes the phone number you use to activate 2FA protection, ties it to your account and then the number can be used to find your profile in the 'Look Up' feature of the site.

People are speaking out against the company because users cannot opt out of having the number used to index the profile. The only workaround is to change the account privacy settings so that only friends can find you through the site's search function.


Jeremy Burge, the Twitter user who exposed the issue, took to the site to express his disdain for the practice, saying that "using a phone number to sign up for services has been the single greatest coup for the social media and advertising industries".

It's "one unique ID that is used to link your identity across every platform on the internet", he added.

Users can hide their phone number if it's linked to their account so other users and friends cannot see it. But it's still possible to discover user profiles in other ways, such as "when someone uploads your contact info to Facebook from their mobile phone," according to a Facebook help article.

The report comes amid more serious privacy concerns for Facebook, but this won't be overlooked, considering that something very similar was reported last year by Gizmodo.

Numbers associated with a Facebook account were used for targeted ads within weeks of adding them to the site, the investigation showed.

"In April 2018, we removed the ability to enter another person's phone number or email address into the Facebook search bar to help find someone's profile," said a Facebook spokesperson. "Today, the 'Who can look me up?' settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone. We appreciate the feedback we've received about these settings and will take it into account."


Amid the outcry from industry leaders, people are now urging others to pursue different methods of account security.

Google's Authenticator App is one third-party offering that could be used to mitigate such issues. Facebook doesn't require a phone number to enable 2FA, although it's common practice for phone numbers to be used.

It's an attractive concept: account security traded for a phone number - there's no need to sign up for an outside service and it's something that you likely have memorised so you don't even have to get up from your chair.

But, the thing is: 2FA and enhanced account security are taken seriously, even by those who can't be bothered to sign up for an outside 2FA service. Some think that using a trusted security measure to violate the privacy expectations of users is a step too far.


Zeynep Tufekci, security expert and academic, likened the findings to the controversial anti-vaccination movement.

Facebook is now facing as many as 10 GDPR probes, according to reports last week. A leaked internal memo has also surfaced recently which showed that the company lobbied against a proposed data directive in 2012 and 2013 which later became the GDPR.
