Facebook Is Allowing Anyone to Look You Up Using Your Two-Factor Authentication Phone Number

Michael Grothaus, writing for Fast Company:

On the surface, Facebook prompting people to enable 2FA was a good thing — if you have 2FA enabled it’s much harder for someone who isn’t you to log in to your account. But this being Facebook, they’re not just going to do something that is only good for the user, are they?

Last year it came to light that Facebook was using the phone numbers people submitted to the company solely so they could protect their accounts with 2FA for targeted advertising. And now, as security researcher and New York Times columnist Zeynep Tufekci pointed out, Facebook is allowing anyone to look up a user by their phone number, the same phone number that was supposed to be for security purposes only.

This is surely the least surprising thing you’ll read all day, but in addition to being an abuse of users’ privacy, it’s pernicious in terms of security practices. The lesson some people are going to take from this is that enabling two-factor authentication is for suckers.

Update: A friend messaged me: “My takeaway from the Mat Honan debacle was that 2FA that involves SMS or a phone number is absolutely for suckers and/or chumps. (The 2FA implementation in 1Password, using the same TOTP protocol as Google Authenticator or Authy, is glorious.)”

That’s a good point, and I agree. I spent an afternoon last year decoupling my phone as second factor from every account I could. But it’s depressing how many services — like my bank — only support SMS as a second factor.

Monday, 4 March 2019