If You Use SMS 2FA on Facebook, Your Phone Number is Searchable

Look, we love 2FA (two-factor authentication) and want everyone to use it. But SMS-based 2FA isn’t the best choice, and now it’s even worse on Facebook because once enabled, it allows people to find you using your phone number.

Back in the day, anyone could jump on Facebook and do a phone number search to find specific people. If you had your phone number on your Facebook account, then you’d pop up with that search. But back in April of last year, this feature was removed in an effort to keep private data private (though apparently searching phone numbers still works in Messenger).

But now it’s been discovered that if you use your phone number for SMS-based 2FA, Facebook is using this to help people find you. While the phone number search function is still disabled, if you’re in someone’s contacts on their phone and they upload that list, you’ll show up as a potential connection. Gross.

Honestly, that’s such a load of crap. If the only reason you’re giving Facebook your phone number is to increase the security of your account and it’s in turn used to leverage more contact information, then that’s a big issue—one that wouldn’t exist if Facebook wasn’t so damn shady with your data. It’s pretty disgusting.

To add insult to injury, there’s no way to opt out of this, either. You can help limit it by heading into Facebook Settings > Privacy and setting the “who can look you up using the phone number you provided” option to “Friends,” which is the most private option available. It’s a band-aid at best.


Otherwise, you’re left with a few choices: you could deactivate your Facebook account, which a lot of people simply aren’t willing to do; you could stop using 2FA, which we don’t recommend at all; or you could use another form of 2FA. If you don’t want to disable your account, then the last option is by far the best. Keep in mind, however, that the damage has probably been done—your phone number is stored. This may not change a thing. Still, moving to a better security method that doesn’t involve your phone number is never a bad idea.

There are plenty of authenticator apps out there, but we’re big fans of Authy. It uses the same familiar code-based system that you’re used to using with SMS-based authentication, but instead of getting a text message with your code, you just fire up the Authy app and pull the code from there. We have an excellent guide to help you get started with Authy if this is your first time using it.

Related: How to Set Up Authy for Two-Factor Authentication (and Sync Your Codes Between Devices)

To get your Facebook account set up with Authy, jump into FB’s settings, then Security and Login. (On mobile you can find this under Settings & Privacy > Settings.)


From there, scroll down to the Two-Factor Authentication section and click the Edit button in the “Use two-factor authentication” section.


From there you can set up an authentication app (or even better, use a security key).


And that’s it. Your account is even more secure than before, and Facebook isn’t going to use your phone number for anything you don’t want.

via TechCrunch
