X

Facebook's two-factor authentication puts security and privacy at odds

Stop using your phone number for two-factor authentication on Facebook.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
4 min read
Mark Zuckerberg on stage at Facebook's F8 conference in 2018, in front of a screen that says "Data Privacy."

You gave Facebook your phone number for security. Facebook's using it in searches and ad targeting.

James Martin / CNET

On Facebook , two-factor authentication with phone numbers has a two-factored problem.

First: The phone number you give to Facebook to help keep your account safe from potential hackers isn't just being used for security. A tweet thread from Jeremy Burge, founder of Emojipedia, on Friday showed that people can find your profile from that same phone number, and you can't opt out of that setting.

This comes almost a year after Facebook said it stopped allowing people to search for profiles by phone numbers, and about five months after Gizmodo found that the phone number being used for 2FA was also being provided to advertisers for targeted posts.

Second: Using your phone number for two-factor authentication, or 2FA, is susceptible to hacks. 

Say hello to this week's edition of "Facebook? Eyeroll..."  What with its string of security and privacy problems in recent months, the massive social network has given people plenty of reason to be skeptical about the features it offers. A personality quiz ends up giving an analytics firm in the UK personal data from you and your friends. A security flaw allows up to 1,500 app developers to see the photos of 6.8 million people. And now, a security feature provides a way for advertisers and strangers to find you with your phone number.

Meanwhile, lawmakers and regulatory agencies continue to question Facebook's privacy practices.

Watch this: Android apps by the thousands collect user data you can't erase

The tying of users' phone numbers with targeted advertising and searches puts security and privacy at odds, potentially driving people away from an important feature that protects accounts from takeovers. 

"If people feel like they can't trust the tools they use when they try to do things that are good for their security, they just stop doing it," said Jessy Irwin, head of security at blockchain company Tendermint. "There should be some things that are treated as sacred, especially when we talk about improving account security."

The practice also drew criticism from Alex Stamos, Facebook's former chief information security officer.

Facebook "can't credibly require 2FA for high-risk accounts without segmenting that from search & ads," Stamos said in a tweet on Saturday.

In a statement, a Facebook spokesperson said that the search function was not new, but would be taking people's concerns into account. 

"We agree that two-factor authentication is an important tool and last year we added the option to set up two-factor authentication for your account without registering a phone number, and this option remains available today," Facebook said. 
The company declined to say whether it planned on keeping 2FA phone numbers and search separated.

Why 2FA matters

Two-factor authentication is a simple security measure, and one of the easiest ways to prevent hackers from hijacking your account. While hackers can use techniques like credential stuffing and spamming every website with the millions of leaked passwords available online, they'd have to take an extra step to log in if you have two-factor authentication enabled.

Passwords are easy to obtain, but a second factor like a PIN code sent to your phone or a security key is harder to steal. Since Google started using security keys internally in 2017, none of its employees have fallen victim to an account takeover.

But even as a useful security tool, two-factor authentication has a low adoption rate. Less than 10 percent of Gmail users have it enabled, while a Duo Security survey from 2017 found that less than a third of Americans were using it. Facebook declined to share how many people use 2FA on the social network.

Facebook using your phone number for 2FA for searches and advertisers likely won't help boost that low adoption rate. Persuading people to use it is hard enough already.

"When we are asking people to do something like set up 2FA, we're asking them to accept a little bit of work and an extra burden to get into their accounts to protect themselves, but also to make the entire platform safer," Irwin said. "All of that work that goes into trying to raise the security bar goes completely out of the window."

The hacking problem

While using phone numbers for 2FA is better than having no security at all, it's not as secure as using an authenticator app or a security key.

In 2016, the National Institute of Standards and Technology stopped recommending SMS for 2FA, pointing out that there were better options.  

Hackers can intercept text messages containing your PIN code when you try logging in, through methods like SIM hijacking. It's how Reddit suffered a data breach in August, because the website's employees were using two-factor authentication with phone numbers. It's why in 2017, Google began shifting its 2FA method to its authenticator app instead.

So if you're worried about your privacy on Facebook and about your security, you should be using an authenticator app for 2FA on the social network instead.

Facebook started allowing authenticator apps in May, which means you don't need to use your phone number for that security feature anymore. You can turn it on by going to your settings, then going to the Security and Login tab, and finding the Two-Factor Authentication section. 

You'll need an app like Google Authenticator or Microsoft Authenticator, but it's far more secure than using your phone number for 2FA.  

Then remember to remove your phone number so you won't have to worry about people finding you on Facebook with it.  

Originally published March 4.
Updated March 5: Added response from Facebook.