Online privacy can be a “two steps forward, one step back” situation.
Facebook came under fire over the weekend after a user discovered that users of the social-media site cannot opt out of letting others “look up” their accounts using the phone number they supplied for two-factor authentication.
Two-factor authentication is a method used to secure online accounts that requires users to verify their claimed identity in some way beyond a password. This can include having a number texted to a mobile device or logging into a separate authentication app.
In an age of near-daily security breaches, two-factor authentication is seen as a way to help users maintain some control over their online security; it's a step that's often recommended by security experts.
Jeremy Burge, founder of Emojipedia and vice-chair of the Unicode Emoji Subcommittee, flagged the privacy concern on Twitter.
Facebook's account settings allow users to choose who can look them up using a phone number they've given Facebook, including phone numbers supplied solely for the purpose of two-factor authentication.
For years Facebook claimed the adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable that. pic.twitter.com/zpYhuwADMS
— Jeremy Burge (@jeremyburge) March 1, 2019
But there is no option to make the phone number completely private. Users can only choose to make the number searchable to “everyone,” “friends of friends” and “friends.” As Burge noted, the security setting defaults to everyone, meaning that anyone could theoretically use the phone number to search for and confirm whether a Facebook profile is yours.
Burge also argued that Facebook was turning people's phone numbers into trackable pieces of data that they can use to keep tabs on you across all of their related companies, since other Facebook-owned entities such as Instagram and WhatsApp either require phone numbers or pull in that data from users' accounts on other platforms. This makes it easier for Facebook to retain data on a user if they delete an account on one Facebook-owned platform, but retain a presence on others.
Facebook did not immediately respond to a request for comment from MarketWatch.
Last year, the company said it was removing the ability to find someone's profile by using another person's phone number or email address in the Facebook search function, USA Today reported. Facebook told USA Today that the privacy settings Burge identified were neither new nor specific to two-factor authentication, though the company did not explain why they were still being used.
While phone numbers may not be used in the Facebook search tool, there are other ways of looking up people using their phone numbers. For instance, Facebook has a feature that allows people to look up others' profiles based on the contact information in their mobile phone.
This is just the most recent privacy and security hurdle Facebook has faced. Last fall, the social media company revealed a vulnerability that allowed attackers to steal Facebook access tokens for some 50 million user accounts, which they could use to take over those accounts. And Facebook was roundly lambasted for allowing user data to be accessed by third parties as a way to influence the 2016 U.S. presidential election.
Facebook CEO Mark Zuckerberg vowed to improve the access it gives to third-party apps.
Other people on Twitter quickly pounced on Facebook following Burge's tweets, criticizing the company for not doing enough to protect users' security and privacy. One person described Facebook's efforts to play around with data it gleaned through two-factor authentication as “the anti-vaccination misinformation of security.”
Some resurfaced revelations from last year, first reported by TechCrunch, that Facebook was using phone numbers supplied for two-factor authentication to hone its advertising targeting.
How to secure your Facebook and other accounts
The Facebook privacy revelation isn't the first time the security of two-factor authentication has been questioned as a viable security tool. The social-media site Reddit was hacked last year after codes used for two-factor authentication were intercepted by hackers who spoofed the phone numbers of company employees. All user data from 2007 and earlier was exposed in the incident.
The good news for consumers wary of handing over their phone number to Facebook: Since last May the company has not required a phone number to sign up for two-factor authentication. Instead, users can choose to download an authentication app such as Google Authenticator to secure their account.
And social media isn't the only online arena where consumers should employ two-factor authentication. The website Two Factor Auth lets users search to see all sites that offer the feature.
Despite the importance of two-factor authentication as part of securing one's online accounts, fewer than half of Americans have even heard of the process, and even fewer use it, according to the results of a recent survey from security firm Duo Security.
Two-factor authentication should be just one piece of a consumer's approach to securing their online accounts though. Security experts also recommend using a password manager such as Dashlane or LastPass to further secure their accounts, among other steps.
(Kari Paul contributed to this story.)