Second: Using your phone number for two-factor authentication, or 2FA, is susceptible to hacks. This comes almost a year after Facebook said it stopped allowing people to search for profiles by phone numbers, and about five months after Gizmodo found that the phone number being used for 2FA was also being provided to advertisers for targeted posts. A tweet thread from Jeremy Burge, founder of Emojipedia, on Friday showed that people can find your profile from that same phone number, and you can't opt out of that setting. Wiping 2FA numbers and “shadow” contact data from non-essential use would be a good start.

On Facebook, two-factor authentication with phone numbers has a two-factored problem.

First: The phone number you give to Facebook to help keep your account safe from potential hackers isn't just being used for security. You can’t find such “shadow” contact information in the “contact and basic info” section of your profile; users in Europe can’t even get their hands on it despite explicit requirements under the GDPR that a company give users a “right to know” what information it has on them.

As Facebook attempts to salvage its reputation among users in the wake of the Cambridge Analytica scandal, it needs to put its money where its mouth is. This means that, even if you never directly handed a particular phone number over to Facebook, advertisers may nevertheless be able to associate it with your account based on your friends’ phone books.

Even worse, none of this is accessible or transparent to users. If User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later. Kash Hill of Gizmodo provides an example: Second, Facebook is also grabbing your contact information from your friends.
Until Facebook and other companies do better, users who need privacy and security most, especially those for whom using an authenticator app or hardware key is not feasible, will be forced into a corner. This finding has not only validated users who are suspicious of Facebook's repeated claims that we have “complete control” over our own information, but has also seriously damaged users’ trust in a foundational security practice. Other companies, Google notable among them, also still follow that outdated practice.

Even with the welcome move to no longer require phone numbers for 2FA, Facebook still has work to do here.
However, until just four months ago, Facebook required users to enter a phone number to turn on any type of 2FA, even though it offers its authenticator as a more secure alternative. Other types of 2FA, like authenticator apps and hardware tokens, do not require a phone number to work.
SMS-based 2FA requires a phone number, so you can receive a text with a “second factor” code when you log in. Instead, this is a problem with how Facebook has handled users’ information and violated their reasonable security and privacy expectations. It’s not even a problem with the inherent weaknesses of SMS-based 2FA in particular. The problem is not with two-factor authentication.

But the important message for users is: this is not a reason to turn off or avoid 2FA. (This is not the first time Facebook has misused 2FA phone numbers.)

Two-Factor Authentication Is Not The Problem

First, when a user gives Facebook their number for security purposes (to set up 2FA, or to receive alerts about new logins to their account), that phone number can become fair game for advertisers within weeks.
They found that Facebook harvests user phone numbers for targeted advertising in two disturbing ways: two-factor authentication (2FA) phone numbers, and “shadow” contact information. Contrary to user expectations and Facebook representatives’ own previous statements, the company has been using contact information that users explicitly provided for security purposes, or that users never provided at all, for targeted advertising.

A group of academic researchers from Northeastern University and Princeton University, along with Gizmodo reporters, have used real-world tests to demonstrate how Facebook’s latest deceptive practice works. Add “a phone number I never gave Facebook for targeted advertising” to the list of deceptive and invasive ways Facebook makes money off your personal information.