It’s hard enough to get people to use two-factor authentication (2FA) without a problem like Gizmodo reports of Facebook sending unwanted texts to users’ phones:
“I’ve been getting these text-spam messages since last summer, when I set up a new Facebook account and turned on two-factor authentication…
At first, I only got one or two texts from Facebook per month. But as my profile stagnated, I got more and more messages. In January, Facebook texted me six times—mostly with updates about what my ex was posting. This month, I’ve already gotten four texts from Facebook. One is about a post from a former intern; I don’t recognize the name of one of the other “friends” Facebook messaged me about.”
If you’re similarly stalked by spammy Facebook text messages, there’s fortunately a way to opt out. Go to Settings, choose Notifications, and ensure that notifications via text are disabled.
Facebook security chief Alex Stamos has said that the unwanted text messages were not sent intentionally – but were the result of a bug:
“It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug.”
But don’t forget that there are strong arguments for choosing a form of authentication that doesn’t involve you giving your mobile number to Facebook in the first place. After all, that’s data that Facebook will use to try to match you up with potential Facebook friends who shared their contact lists with the social network.
Using a U2F security key or a code-generator app for Facebook two-factor authentication is probably a better way to go: both work without a phone number ever being handed to Facebook.
It’s good that Facebook is fixing the issue, but what a shame that this latest faux pas will have damaged the reputation of two-factor authentication when it is so clearly needed.
Read more about two-step verification:
- Two-factor authentication (2FA) versus two-step verification (2SV)
- How to better protect your Facebook account from hackers
- How to better protect your Twitter account from hackers
- How to enable two-step verification (2SV) on your WhatsApp Account
- How to protect your Amazon account with two-step verification (2SV)
- How to better protect your Google account with two-step verification (2SV)
- How to protect your Dropbox account with two-step verification (2SV)
- How to protect your Office 365 users with multi-factor authentication
- How to protect your Microsoft account with two-step verification (2SV)
- How to better protect your Tumblr account from hackers with 2SV
- How to protect your LinkedIn account from hackers with two-step verification (2SV)
- How to protect your PayPal account with two-step verification (2SV)
- How to protect your Yahoo account with two-step verification (2SV)
- How to protect your Apple ID account against hackers
- How to better protect your Google account with two-step verification and Google Authenticator
- How to protect your Hootsuite account from hackers
- How to better protect your Instagram account with two-step verification (2SV)
- Instagram finally supports third-party 2FA apps for greater account security
- How to protect your Nintendo account from hackers with two-step verification (2SV)
- How to better protect your Roblox account from hackers with two-step verification (2SV)
If you’re thinking of leaving Facebook, why not listen to this “Smashing Security” podcast we recorded:
Smashing Security #75: 'Quitting Facebook'
If Facebook followed the recommendations of NIST for two-factor authentication they wouldn't use SMS in the first place.
People may not just skip enabling 2FA because they don't want spam SMS; they may also know it's insecure to use SMS as the transport medium for the authentication code.
Made by Facebook?
What could go wrong?
The websites in the linked articles above all use 2SV, which as far as I can tell always involves supplying the company in question with your mobile number. Like logins that consist of your email address, these companies can't resist the temptation to "engage" with customers. And that's not even considering the security implications. Only Amazon uses an authenticator app.
It's perfectly possible to implement 2SV without requiring a user's mobile phone number. I've signed up for plenty of services online that only require an authenticator app.
Of course it would be great if fewer sites insisted on requesting mobile numbers.