There are new concerns that a Facebook feature meant solely to authenticate your identity on the social media platform could allow people to find you through your phone number.
On Friday, Jeremy Burge, who runs the website Emojipedia, posted a tweet claiming numbers added to use two-factor authentication – a secure login process requiring two steps before accessing an account – were now searchable.
“For years Facebook claimed … adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable that,” Burge wrote.
Burge said Facebook sets its default for phone number search to everyone, and there’s no way to fully opt out.
When a user signs up for two-factor authentication, they provide additional information to confirm their identity, such as a phone number or email address. In the case of Facebook, they can use a phone number to text a security code users must type after they log in to confirm their identity. Typically, phone numbers provided for this don’t appear on user profiles.
Security expert Zeynep Tufekci blasted Facebook for the move, claiming it could put people at risk. “Using security to further weaken privacy is a lousy move – especially since phone numbers can be hijacked to weaken security,” she wrote on Twitter.
In a statement, Facebook said the settings for its “who can look me up” option is not new and “not specific” to two-factor authentication.
“In April 2018, we removed the ability to enter another person’s phone number or email address into the Facebook search bar to help find someone’s profile,” Facebook said. “Today, the ‘Who can look me up?’ settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone.”
Last year, Facebook removed the option to use your phone number when signing up for two-factor authentication.
This is not the first time Facebook has gotten into trouble for how it handles phone numbers used solely for two-factor authentication. Last fall, according to TechCrunch, Facebook admitted it used phone numbers users offered for security to target them with ads.