The biggest security threat to Facebook users may be Facebook itself

Facebook should not be monetizing users’ two-factor authentication (2FA) phone numbers. The practice will discourage some users from enabling 2FA, a net loss for security that makes it easier for criminals and spies to breach user accounts.

The gargantuan Facebook monster is determined to gobble up every little bit of data about you, including the phone number you register for 2FA — then use that phone number to manipulate you with targeted advertising, according to reporting by Kashmir Hill yesterday at Gizmodo.

Beyond the obvious creepiness factor of building shadow profiles of users, any move that weakens user security must be questioned.

Time has shown that most users are unable to generate and use strong passwords. Worse, password reuse is common. 2FA is the battle-tested solution to mitigating that risk. Anything that discourages users from enrolling in 2FA programs to secure their accounts puts those users at risk. As CSO reported earlier this year, billions of third-party breach credentials are floating around the clear net, free to download by anyone so motivated. Encouraging users to enroll in 2FA programs is one of the cheapest, easiest ways to secure their accounts — but not if you create perverse incentives for them to decline that invitation.

For many, Facebook is a necessary evil, and a security threat in its own right. Facebook’s business model is founded on leveraging users’ personal, often intimate, information. To show billions of people targeted ads, the company spies on every aspect of our lives so that advertisers can manipulate our buying decisions, even our voting decisions. The surveillance capitalism Facebook engages in can only work when the company has an extremely detailed picture of every aspect of our lives.
If users ever enjoyed privacy from Facebook, the company would go out of business.

As a result, when forced to choose between yet more Facebook creepiness by sharing their telephone number and the unknown risk of an account breach, a non-trivial percentage of Facebook users might well choose the latter.

It should be noted, to their credit, that four months ago Facebook rolled out support for Google Authenticator and Duo Mobile (both excellent 2FA solutions), and the social media behemoth no longer requires a phone number to enroll in 2FA. However, this does not excuse the company for engaging in this practice for years, nor does it help the preponderance of users still using SMS 2FA, many of whom are unaware of the value of moving away from SMS-based 2FA.

The revelation that Facebook is spying on user 2FA telephone numbers is the nail in the coffin for any hope that Facebook cares about user privacy. It’s lip service, nothing more. Even Facebook’s deployment of an onion service, accessible only over Tor, is less an attempt to preserve user privacy and more of an attempt to grab the data of people who care about privacy.

Facebook needs to stop spying on users’ 2FA phone numbers immediately, but beyond that? Facebook itself is the greatest security threat to user confidentiality that billions of people face each day. The time is coming for a reckoning, when we must decide how to deal with that looming security threat.