On Facebook, two-factor authentication with phone numbers has a two-factored problem.
First: The phone number you give to Facebook to help keep your account safe from potential hackers isn't just being used for security. A tweet thread from Jeremy Burge, founder of Emojipedia, on Friday showed that people can find your profile from that same phone number, and you can't opt out of that setting.
Say hello to this week's edition of "Facebook? Eyeroll..." What with its string of security and privacy problems in recent months, the massive social network has given people plenty of reason to be skeptical about the features it offers. A personality quiz ends up giving an analytics firm in the UK personal data from you and your friends. A security flaw allows up to 1,500 app developers to see the photos of 6.8 million people. And now, a security feature provides a way for advertisers and strangers to find you with your phone number.
Meanwhile, lawmakers and regulatory agencies continue to question Facebook's privacy practices.
The tying of users' phone numbers with targeted advertising and searches puts security and privacy at odds, potentially driving people away from an important feature that protects accounts from takeovers.
"If people feel like they can't trust the tools they use when they try to do things that are good for their security, they just stop doing it," said Jessy Irwin, head of security at blockchain company Tendermint. "There should be some things that are treated as sacred, especially when we talk about improving account security."
The practice also drew criticism from Alex Stamos, Facebook's former chief information security officer.
Facebook "can't credibly require 2FA for high-risk accounts without segmenting that from search & ads," Stamos said in a tweet on Saturday.
In a statement, a Facebook spokesperson said the search function was not new, but that the company would take people's concerns into account.
"We agree that two-factor authentication is an important tool and last year we added the option to set up two-factor authentication for your account without registering a phone number, and this option remains available today," Facebook said. The company declined to say whether it planned on keeping 2FA phone numbers and search separated.
Passwords are easy to obtain, but a second factor like a PIN code sent to your phone or a security key is harder to steal. Since Google started using security keys internally in 2017, none of its employees have fallen victim to an account takeover.
But even as a useful security tool, two-factor authentication has a low adoption rate. Less than 10 percent of Gmail users have it enabled, while a Duo Security survey from 2017 found that less than a third of Americans were using it. Facebook declined to share how many people use 2FA on the social network.
Facebook using your 2FA phone number for searches and advertisers likely won't help boost that low adoption rate. Persuading people to use 2FA is hard enough already.
"When we are asking people to do something like set up 2FA, we're asking them to accept a little bit of work and an extra burden to get into their accounts to protect themselves, but also to make the entire platform safer," Irwin said. "All of that work that goes into trying to raise the security bar goes completely out of the window."
The hacking problem
While using phone numbers for 2FA is better than having no security at all, it's not as secure as using an authenticator app or a security key.
So if you're worried about both your privacy and your security on Facebook, you should be using an authenticator app for 2FA on the social network instead.
Facebook started allowing authenticator apps in May, which means you don't need to use your phone number for that security feature anymore. You can turn it on by going to your settings, then going to the Security and Login tab, and finding the Two-Factor Authentication section.
You'll need an app like Google Authenticator or Microsoft Authenticator, but it's far more secure than using your phone number for 2FA.
Then remember to remove your phone number so you won't have to worry about people finding you on Facebook with it.
Originally published March 4. Updated March 5: Added response from Facebook.