Two-factor authentication helps better protect online accounts from hackers. Facebook offers this security feature, too. But there's a catch.
In recent years, Facebook has woefully neglected the issue of data privacy and has found itself embroiled in a number of data scandals, such as when news broke that data analytics firm Cambridge Analytica was allowed to illegally process the data of 50 million Facebook users. Similarly, Germany's antitrust agency recently prohibited Facebook from harvesting data from WhatsApp and Instagram, two platforms it now also owns. In short, Facebook's reputation is seriously tarnished when it comes to data privacy. And the EU finds itself constantly at loggerheads with the social network over data privacy issues.
How two-factor authentication works
Now, Facebook's two-factor authentication feature is set to make matters even worse, even though it is actually designed to better protect Facebook accounts from hackers. It works like this: Users first log into their account using a regular password and are then prompted to authenticate their identity a second time via a third-party service. One option for this second step is to have a code sent to their smartphone, which then needs to be entered to access the account.
But this security feature has a serious flaw. When users register their mobile numbers with Facebook, they also opt into this number being used for marketing purposes, as a US study revealed last year.
Searchable phone numbers
And it gets worse. Not only are mobile phone numbers automatically also used for marketing purposes, but when users register their number to better secure their accounts, these can then also be used to find users on the platform. This means that if you know a person's mobile phone number, you can easily search for their Facebook profile. Yet this feature cannot be disabled. It can merely be restricted to one's Facebook friends and their contacts.
Concerned data protection commissioner
Hamburg's data protection commissioner, Johannes Caspar, says Facebook is abusing users' desire for greater security by undermining their privacy. He told DW that "users who chose two-factor authentication register their mobile numbers for one reason only. Facebook then high-handedly uses this data for business purposes, without getting users to consent to this." Caspar thinks this practice may violate the EU General Data Protection Regulation.
Facebook, in turn, says none of this is new. US media cited a statement by the company in which it says allowing users to find others with their mobile numbers helps those people network who already know each other but are not yet Facebook buddies. The company recommends that anyone opposed to this practice should simply delete their mobile number from the network.
Fortunately, alternative two-factor authentication features have now been launched that do not require mobile numbers and instead use authentication apps developed by third-party companies. Facebook, however, urges its users to use its proprietary two-factor authentication process via mobile phone.
Two-factor authentication via text messages unsafe
In general, security experts do recommend using two-factor authentication. Indeed, such features are commonly used in online banking today. But user authentication via mobile phone text messages is no longer deemed particularly safe, though it does depend on how companies operate this service. Text messages can show up on a smartphone's screen even when the device is on standby, where anyone nearby can read them. And they are not encrypted, which means they could be monitored by hackers. This is why security experts now recommend scrapping two-factor authentication via text message and instead advocate using authentication apps.
Experts generally advise against giving online platforms mobile numbers, arguing that this poses a serious security risk, not only in terms of two-factor authentication. But in recent times, German internet service provider Telekom has demanded users provide their mobile numbers if they wish to set up email accounts. And similarly, German email services GMX and web.de, as well as Google, persistently urge users to register their numbers to allow them to reset their passwords if needed.
Markus Reuter, who is a reporter for netzpolitik.org, told DW that "mobile numbers are universal identifiers." By this he means that our mobile numbers make us easy to identify, as we tend to use them for years and independently from a range of devices and services. Reuter says they can "de-anonymize" users, which is "why companies like Facebook that depend on data are so eager to get them."
Facebook lacks a chief security officer
Tech entrepreneur Jeremy Burge is one of many on Twitter who have voiced their opposition to registering mobile numbers on Facebook. He takes issue with the fact that greater security comes at the price of giving up a degree of privacy.
Facebook's former chief security officer Alex Stamos, too, has criticized this practice. He says the platform jeopardizes its credibility by using mobile numbers for two-factor authentication, and also to help find Facebook users and send them advertising.
Turkish techno-sociologist Zeynep Tufekci, who teaches in the US, even warns that this system could pose a serious risk to political dissidents wishing to remain anonymous.
So while Facebook faces yet another data scandal, Caspar fears users may be growing apathetic as one shocking revelation follows the next. He worries this may encourage Facebook to just "stick to its business model of breaching data privacy."
Alex Stamos, incidentally, was not the only high-ranking Facebook executive to leave the company in recent times. The firm's communications head, Elliot Schrage, left too. And so did Jan Koum, who sold Whatsapp to Facebook. According to The New York Times, both took issue with the platform's handling of private data. So far, Stamos' former position as chief security officer has not been filled. Facebook, apparently, does not deem data security particularly important.