Facebook’s Phone Number Policy Could Push Users to Not Trust Two-Factor Authentication

Using two-factor authentication, a security mechanism that requires a second step to login into an account other than the password, is widely considered an essential measure to protect yourself online. Yet, only a small percentage of people use this feature, mostly because it can be burdensome and it’s rarely required by default, leaving users with the responsibility to turn it on.

Now, Facebook may have given people yet another reason not to bother.

Last week, Emojipedia founder Jeremy Burge warned in a viral Twitter thread that anyone could look him up on Facebook using his phone number, which he provided to the social network in order to enable two-factor authentication.

This does not appear to be a new feature. Last year, academic researchers found that if you provided the social network with a phone only for the purpose of turning on two-factor, advertisers could then use that number to target you. In May of last year, Facebook stopped requiring a phone number for two-factor.

But people did not realize this was happening—and are pissed about it, calling it “outrageous,” and “unconscionable.”

What’s worse, it looks like there’s no way to completely remove your phone number that Facebook has collected. If you check your privacy settings, under “Who can look you up using the phone number you provided?” there are only three options: Everyone, Friends of friends, and Friends. “Everyone” is the default.

Even if you remove your phone number from the two-factor authentication settings page, nothing changes in the privacy settings, indicating Facebook still has your phone number.

This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked. Facebook’s decision to use phone numbers that were given to it for a specific security purpose for reasons other than security are a betrayal, and is training people more broadly that turning over more personal information to an internet company for security features could backfire.

“Phone number is such a private, important security link,” Zeynep Tufecki, a professor at the University of North Carolina, Chapel Hill, who has worked with dissidents and human rights activists, wrote on Twitter. “But Facebook will even let you be targeted for ads through phone numbers INCLUDING THOSE PROVIDED *ONLY* FOR SECOND FACTOR AUTHENTICATION. Messing with 2FA is the anti-vaccination misinformation of security.”

Harlo Holmes, a digital security trainer at Freedom of the Press Foundation, said that this is “a picture perfect example of a ‘user being the product.’”

Two-factor authentication “is essential, but you give up a lot of privacy in simply using the service,” she told Motherboard in an online chat.

We reached out to Facebook asking for comment, we will update if we hear back.

According to Alex Stamos, Facebook’s former chief security officer, “there was supposed to be a big project to segregate numbers,” while he was there but it apparently went nowhere.

“This isn’t a mistake now, this is clearly an intentional product choice,” he tweeted.

If you’ve never provided a phone to Facebook, you can still use two-factor authentication with an app that provides you security codes, or a physical USB key, which is even more secure against phishing attacks.

Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.