Tech News

Facebook's two-factor authentication system auto-posts replies on your profile

Facebook’s two-factor authentication (2FA) system has come under fire today for some bizarre design elements that seem to have gone largely unnoticed for quite some time. Bay Area software engineer Gabriel Lewis noticed earlier this week that Facebook was using the same phone number he used for 2FA, which offers a more secure way to log into an online account by asking for secondary confirmation of the user’s identity, to notify him about friends’ posts.

Even worse, it seems that replying to this message with any message, such as “Please stop,” auto-posts that message to your Facebook profile. (It doesn’t cause the messages to stop, either.) The Verge confirmed that this behavior occurs with any reply to a Facebook 2FA text message, and other users have popped up on Twitter to say both Facebook and Instagram have spammed them with notifications to their 2FA phone number. In Lewis’ case, he says he never opted in to notifications via text messaging in the first place.

Lewis’ case gained steam today when prominent technology critic and sociologist Zeynep Tufekci tweeted about it in a series of harsh criticisms of Facebook and its behavior regarding alleged “juicing” of its user engagement metrics:

There’s a legal layer to this situation, as well. Facebook is currently embroiled in a number of class-action lawsuits over alleged violations of the Telephone Consumer Protection Act, or TCPA, which states that no company may contact you via text without being given express permission first. In those past cases, Facebook was spamming users with birthday reminder text messages and other automated spam, even when users opted out of text message notifications or had never given Facebook their phone number.

It is unclear whether this more recent behavior is a bug, though the auto-posting feature certainly looks like one. If the company is indeed intentionally using 2FA phone numbers to lure users back to Facebook without getting those users’ express user consent, it could open the company up to lawsuits.

In a statement, a Facebook representative did not address whether the auto-posting of replies was intentional or a bug. (The Verge is seeking clarification on this matter.) The company also says that it’s looking into the text notification issue, and that it’s 2FA system can be used with a code generator if any user does not wish to provide a phone number. “We give people control over their notifications, including those that relate to security features like two-factor authentication. We’re looking into this situation to see if there’s more we can do to help people manage their communications,” the statement reads. “Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.”

Update at 7:35PM ET, 2/14: Added statement from Facebook.

Let’s block ads! (Why?)

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *