Facebook's 2FA accused of violating user privacy

The Facebook logo displayed on a screen in white text on a blue background

A viral tweet has sparked further condemnation of Facebook after one user reported an inability to publicly unlist his phone number that the social network indexed following two-factor authentication (2FA) security implementation.

The website encourages its users to set up 2FA account protection which requires a phone number. This isn't necessarily a bad thing, many sites that hold sensitive account information prompt users to adopt 2FA.

The real kicker here is that Facebook takes the phone number you use to activate 2FA protection, ties it to your account and then the number can be used to find your profile in the 'Look Up' feature of the site.

People are speaking out against the company because users cannot opt-out of having the number used to index the profile. The only workaround to the issue is to change the account privacy settings to ones that only permit friends to find you through the site's search function.

Jeremy Burge, the Twitter user that exposed the issue, took to the site to express his disdain for the practice saying that "using a phone number to sign up for services has been the single greatest coup for the social media and advertising industries".

It's "one unique ID that is used to link your identity across every platform on the internet", he added.

Users can hide their phone number if it's linked to their account so other users and friends cannot see it. But it's still possible to discover user profiles in other ways, such as "when someone uploads your contact info to Facebook from their mobile phone," according to a Facebook help article.

The report comes amid more serious privacy concerns for Facebook, but this won't be overlooked, considering that something very similar was reported last year by Gizmodo.

Numbers associated with a Facebook account were used for targeted ads within weeks of adding them to the site, the investigation showed.

"In April 2018, we removed the ability to enter another person's phone number or email address into the Facebook search bar to help find someone's profile," said a Facebook spokesperson. "Today, the 'Who can look me up?' settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone. We appreciate the feedback we've received about these settings and will take it into account."

Amid the outcry from industry leaders, people are now urging others to pursue different methods of account security.

Google's Authenticator App is one third-party offering that could be used to mitigate such issues. Facebook doesn't require a phone number to enable 2FA, although it's common practice for phone numbers to be used.

It's an attractive concept: account security traded for a phone number - there's no need to sign up for an outside service and it's something that you likely have memorised so you don't even have to get up from your chair.

But, the thing is: 2FA and enhanced account security are taken seriously, even by those who can't be bothered to sign up for an outside 2FA service. Some think that using a trusted security measure to violate the privacy expectations of users is a step too far.

Zeynep Tufecki, security expert and academic likened the findings to the controversial anti-vaccination movement.

Facebook is now facing as many as 10 GDPR probes, according to reports last week. A leaked internal memo has also surfaced recently which showed that the company lobbied against a proposed data directive in 2012 and 2013 which later became the GDPR.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.