Facebook Is Eroding Trust in Two-Factor Authentication
Two-factor authentication, 2FA for short, is billed as the best way to keep your account secure even if a hacker nabs your password. Users are told that they must — must! — enable 2FA if it’s an option, which an increasing number of websites now offer. The most popular, though least secure, 2FA uses SMS, whereby a company texts a short code to your phone number after you enter your password. This means you have to trust the company in question with your phone number in order to gain that extra bit of security. But it turns out that Facebook may not be worthy of that trust.
Last year, TechCrunch revealed that the social network abused phone numbers that users had uploaded to enable 2FA by letting advertisers target ads at them. And this week, Emojipedia founder Jeremy Burge discovered that Facebook also allows other users to find you by typing in the phone number you uploaded for 2FA purposes. There is apparently no way to turn this feature off. If you want the added security benefit of 2FA using your phone number, you have to allow the social media giant to share that number.
The troubling revelation kicked off a week in which Mark Zuckerberg published a long essay detailing his new vision for “privacy-focused” social networking. The 2FA news indicates that Facebook has some work to do on that front. The company has not responded to multiple requests for comment.
In our testing, OneZero found that entering your phone number in Facebook’s 2FA setup wizard would immediately make it visible to your friends on your profile. On other services, like Twitter, uploading your phone number for 2FA doesn’t add it to your profile or link it to other services. If you want other Twitter users to find you by your phone number, you have to enter it separately.
According to security engineer Dennis Stewart, Facebook’s actions could damage 2FA’s overall reputation, giving users a reason not to use an important security feature, which could then expose them to more hacking. If you want your phone number to be kept private, using SMS for authentication on Facebook isn’t a viable option.
“They’re creating an anti-incentive where people who may not really know a ton about security now view a negative factor attached to two-factor where there really shouldn’t be,” Stewart says. “I’m worried about them poisoning the well.”
For Facebook, there’s no difference between adding your phone number to your account for security purposes and uploading it to share with friends.
Privacy concerns aside, SMS isn’t the best way to do 2FA anyway, because a phone number is not something only you control. Attackers can intercept text messages in transit over the cell network, talk your carrier into moving your number to a SIM they hold (a “SIM swap”), or, if they have access to your laptop, read texts that iMessage has forwarded to it. Fortunately, companies like Google, Apple, and, yes, even Facebook let you use an authenticator app like Google Authenticator or Authy instead. The app holds a secret that is provisioned once, usually by scanning a QR code, and generates a fresh code from that secret and the current time; each code is valid for about 30 seconds and nothing is sent over the cell network. Unlike SMS, the code can only be produced on a device that holds the secret. The catch is that it is still a code you type into a web page, so a convincing fake login page that relays it to the real site within that 30-second window still gets in.
Facebook and Google also support physical 2FA keys like YubiKey. These devices are small USB keys that you plug into your computer or tap to your phone when you want to log in to a site. They fulfill the “something you have” requirement of 2FA neatly, since you can only access your account if you possess this specific device. They also resist phishing in a way typed codes cannot: the key signs a challenge that is bound to the web address you are actually visiting, so a look-alike login page receives a signature that is useless on the real site. Google requires all 85,000+ of its employees to use them, and as a result no Google employee has been successfully phished (tricked into turning over credentials via a fake login page) since 2017. Facebook has a similar policy for its own employees.
Still, SMS codes remain the most popular option for 2FA for regular users. On some services, like Airbnb, Venmo, or LinkedIn, they’re the only option. Meanwhile, a global survey of Office 365 users by Specops Software found that only 20 percent of organizations bothered using 2FA at all. Of those that did, the majority favored SMS codes. According to Stewart, this isn’t much of a surprise.
“Most people who use two-factor authentication are sort of pressed into it,” Stewart says. “And, I mean, they should be; it’s definitely better. But I think they’re going to use whatever’s easiest.”
With large-scale data breaches on the rise — from Equifax exposing data on 143 million Americans to Yahoo losing data on all 3 billion of its accounts — 2FA will only become more vital to internet security. The technology is so powerful that it could eventually make passwords obsolete, which is great because we’re bad at making secure ones. As Stewart says, “Microsoft is offering passwordless accounts now where you don’t have the password; you just have the two-factor going into it.”
That future will be harder to achieve if Facebook’s actions cause users to distrust 2FA across the board. It may be possible to quit Facebook, but it’s a lot harder to quit the entire internet. It’s where you manage your finances, play your games, and communicate with relatives, friends, and coworkers. SMS-based 2FA may not be ideal, but it’s much better than nothing.
At a time when passwords are less secure than ever — and when Facebook is trying to prove that protecting your information is a priority — squandering trust in two-factor authentication is something the internet can’t afford.