We always recommend that people take advantage of two-factor authentication (2FA) to protect online accounts, but a second problem with Facebook 2FA has now been discovered.
The company last year admitted that it used 2FA phone numbers for ad targeting, and it has now been revealed that it also makes your phone number searchable – and you cannot fully opt out …
For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable that.
Burge noted that while Facebook now says that your phone number will be used ‘to help secure your account and more’ – with a link to further details – the two words ‘and more’ were added only in September of last year, after the ad-targeting story broke.
The original FB phone number prompt never mentioned “and more”. It was shown for MONTHS before a link was added in September 2018 clarifying “actually we’ll use this wherever we damn well please”.
What this means is that if someone else uploads their contacts to Facebook – something the company encourages new users to do as a way of finding friends – you will pop up as a suggested friend if you use your phone number for 2FA.
You can restrict this, locking down your phone number so it’s only searchable by existing Facebook friends, but the default setting is ‘everyone.’
Discussion in the Twitter thread also reveals that the number is additionally shared with Facebook-owned WhatsApp and Instagram.
Here’s the page that allows you to change your phone number lookup settings from Everyone to either Friends or Friends of Friends. Note that email search is also set to Everyone by default, as is allowing search engines to link to your profile. The latter won’t show much if your content is all set to friends-only, but personally I have this switched off as well.
Burge suggests that Apple could offer the option to generate single-company phone numbers, in much the same way as Apple Pay generates one-time codes instead of revealing your real card number.
Apple should offer unlimited additional phone numbers that work as inbound SMS lines only.
Each time a service requires a phone number, iOS could generate a new number. If Apple is serious about user privacy, this is the next frontier. The current one, really.
That’s something that would need to be done in cooperation with carriers, but I think could be a welcome feature. In the meantime, our advice remains to use apps, rather than phone numbers, for 2FA whenever possible.