The Mess Created By Facebook’s Two-Factor Authentication Guest Blog Post For Nicely Done Sites

Remember when social networking was a fun but albeit a bit strange mix of glittery wallpapers on your Myspace page and the battle of picking the right emo song that perfectly expresses your teenage angst? Pepperidge Farm remembers (this one’s for you Family Guy fans).

Another Mess For Facebook

The landscape of social networking has changed and it seems like Facebook is always in the middle of some scandal. You may recall the Cambridge Analytica scandal, the fact that Mark Zuckerberg had a special tool that allowed him to delete his messages, the painful Senate hearings, the security issue that exposed the personal information of 30 to 50 million people or the infamous Russian election interference that took (and still takes) place on Facebook. Security experts are still scratching their heads at how Facebook could store millions of passwords in plain text that are accessible to their staff.

Here’s a new scandal that will leave you flabbergasted – Facebook’s two-factor authentication mess. 

Two-Factor Authentication

What is two-factor authentication? It’s an added security measure to ensure that, even if someone knows your password, they are not able to get into your account. Two-factor authentication usually consists of having your password and the phone tied to your account. The website sends you a code via your phone and you input that code into the website to gain access to your account, in addition to inputting your password.

This means that someone who wants to access your account would have to know your password and also have access to your phone, thereby making it more difficult to hack your account. Two-factor authentication is a method that is commonly used now that breaches have allowed malicious actors to know passwords. Just to make it clear, two-factor authentication is a security feature, not a “here’s my phone number sell it to advertisers feature.” 

Facebook Took This To The Next Level

And now for the “fun” part – turns out that when you provide Facebook with your phone number to turn on the security feature, Facebook will actually allow advertisers to target you by using that phone number. This behavior is completely unacceptable for a couple of reasons: 

  1. It is already difficult to get users to adopt two-factor authentication for their own security. Letting advertisers have access to that information will make it even more difficult for users to adopt security features in the future. 
  2. It is an abuse of trust. Users gave their phone numbers to protect themselves. Taking advantage of that trust is just plain old wrong. 
  3. Users cannot delete their phone number from Facebook. You can only choose who you share that phone number with (see screenshot below). While a user could choose to share that phone number with no one, considering the myriad of abuses from Facebook, it is doubtful that only you will be able to see your number.

Is there any hope for a future where Facebook will respect your privacy? Despite all of the promises and requests for increased regulation from Mark Zuckerberg, it is doubtful that the company will start respecting your privacy without real laws requiring it to do so. It’s been encouraging to see seventeen states propose new privacy laws that would curb such behavior. Hopefully some of these laws are passed to protect consumer privacy in this crazy digital age. 

 

 

__________________________________________________________________________________________________________________________

 

This article was written by Donata Kalnenaite, a privacy attorney licensed in Illinois and a Certified Information Privacy Professional. Donata is also the President of Termageddon – a Privacy Policy generator that updates their policies whenever the laws change. She often volunteers at the Illinois State Bar Association holding courses on the General Data Protection Regulation where she teaches other attorneys on the importance of privacy and what Privacy Policies should contain. Nothing in this blog post should be construed as legal advice. 

Comments are closed.

Scroll to Top