Facebook’s 2FA may be making you less private

Facebook 2FA

As high profile data breaches and leaks continue to hit the headlines, more people are becoming aware of the benefits of two-factor authentication (2FA). This allows you to overcome the weaknesses of relying on just a password by having an authentication code sent to a mobile phone – either as a text or via an app.

Many recent data breaches have been perpetrated using stolen credentials or via ‘credential stuffing’, made possible because people frequently reuse passwords across different accounts, so a single password may unlock several sites. 2FA makes it impossible for anyone to access your account with just a password unless they also have access to your mobile device, and therefore makes your account much more secure.

However, adoption rates for 2FA are still low. Less than 10 per cent of Gmail users had it enabled in 2018, for example [0], despite the fact that it’s been available on Google accounts for several years now.

2FA and Facebook

Facebook has had the option of letting you add 2FA to your account via text message for some time, but it’s emerged this week that the phone number you give to the social network for authentication purposes using text messages could be getting used for other things, without your consent and with no means to prevent it.

If you’ve given Facebook your number for authentication use, it can also be used to allow other people to find your profile – even though you haven’t explicitly consented to that. What’s more, you can’t prevent this from happening.

News of this first appeared on Twitter [1] but it’s not the only problem. Several months ago [2] it emerged that your 2FA number could also be getting revealed to Facebook advertisers.

Not a new problem

What makes these revelations worse is that Facebook has form in this area. In April 2018, the company said that it had disabled phone number searches in the wake of the Cambridge Analytica scandal. [3]

However, although it’s no longer possible to search for a Facebook user directly using their phone number, the number that you supply for 2FA purposes is still being used to suggest friend connections. And this isn’t affected by the ‘Who can look me up?’ settings on the site, which control who can see details such as your phone number and email address.

This and the fact that phone numbers can be passed to advertisers risks putting people off using 2FA at a time when responsible companies should be encouraging users to adopt it in order to protect their accounts.

It also comes at a time when, in response to GDPR, Facebook is planning to consolidate data from Instagram, WhatsApp and Facebook itself [4], potentially putting even more of the user’s information at risk.

What can you do?

So what can you do to keep your details safe? You can delete your phone number from Facebook, but that stops you from using 2FA by text. Fortunately, there is an alternative.

Since last year it has been possible to use 2FA on Facebook via an authenticator app rather than using a text message. If you’re worried about what Facebook is doing with your phone number, therefore, you can remove your number from your account and enable 2FA using an app instead. The site will work with all of the popular authentication apps including Google Authenticator and LastPass.

Having come in for criticism, Facebook may well decide to separate 2FA phone numbers from search data, but it has yet to comment on this.

[0] https://www.cnet.com/news/why-more-people-dont-use-simple-two-factor-authentication/
[1] https://twitter.com/jeremyburge/status/1101402001907372032
[2] https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051
[3] https://www.theguardian.com/news/series/cambridge-analytica-files
[4] https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-statement-proposed-integration-facebook