Facebook Allows Two-Factor Authentication Phone Number Search
Another Facebook privacy worry as it emerges that platform links authentication phone number with user profile
Facebook is once again in the spotlight for all the wrong reasons, after it emerged that it exposes user’s phone numbers that have been used to secure their accounts.
The issue in question concerns two-factor authentication. This typically involves sending a text message with a code to a user’s mobile or landline phone, to provide an extra layer of authentication.
But it seems that Facebook actually links this phone number to the user account, and there is no way to stop anyone obtaining this phone number when they “look up” someone’s Facebook profile.
Searchable number
The issue was highlighted in a report by Techcrunch, which pointed to Twitter user Jeremy Burge, who had pointed out there was no way to disable the searching of these phone numbers.
“For years Facebook claimed the adding a phone number for 2FA was only for security,” Burge tweeted. “Now it can be searched and there’s no way to disable that.”
Indeed, there seems to be no way to opt-out of this, as although Facebook does give a person the ability to hide their phone number on their Facebook profile so nobody can see it, the number can still be harvested.
This is because the number is linked to a user account, so when for example a user decides to “look up” someone else’s profile, they can obtain the phone number.
There is no way to stop this, but users can stop “everyone” looking up their phone number, and can instead limit it to your immediate friend circle.
Indeed, concerned readers are advised to switch their “look up” settings to “friends only” to try and maintain as much privacy as possible.
And to make matters even worse, Burge also pointed out that this data is also shared with WhatsApp and Instagram.
Facebook spokesperson Jay Nancarrow told TechCrunch that the settings “are not new,” adding that, “the setting applies to any phone numbers you added to your profile and isn’t specific to any feature.”
Other media reports last year have highlighted when a user gives Facebook a phone number for two-factor, that number is harvested by advertisers.
It should be remembered that Facebook users do not need to use a phone number to engage two-factor authentication. They can use third-party systems, such as Google Authenticator and Duo Security for example.
Expert take
So what do security experts make of this development?
Well at least one expert thinks it is safer to use a third-party authenticator app instead of your phone number.
“At a time when tighter regulations around data privacy are in the spotlight, allowing anyone to search and connect a phone number to a Facebook account might seem a little out of date,” explained Jake Moore, cyber security specialist at ESET.
“Although two-factor authentication is a necessity for individuals in order to help protect their accounts from being hacked, allowing phone numbers to be searched on one of the world’s largest social databases may not be the best idea,” he added.
“Rather than using your phone number for two-factor authentication, it is safer to use an authenticator app which doesn’t send the one time code via SMS, so it protects you and your account even further,” said Moore.
Do you know all about security? Try our quiz!