As companies increasingly try to persuade their customers to use two-factor authentication (2FA) for added security when they log into their accounts, some people are anxious about providing their phone number in case it is misused or divulged to the wrong people. Facebook, when it launched its 2FA, assured its users that their phone numbers would only be used to secure their logins. Now, though, it has emerged that there is no way to stop a number supplied for 2FA from being searchable by other users.
To be fair to the humble password, it is probably going to be some time before it is pushed off its pedestal as the standard means of online authentication, and it seems unlikely that it will ever disappear completely. Yet, at the same time, it is becoming increasingly evident that, in some situations, it simply isn't enough to rely on static-password-based authentication, not even if you force users to create strong passwords and change them regularly. One-time-password tokens such as RSA SecurID (either as hardware or software) are now commonplace in businesses, but in most business-to-consumer scenarios they are simply too expensive and resource-demanding to be a feasible solution (the main exception being online banking, where card readers are now often issued as standard).
Similar comments apply to replacing physical tokens with mobile apps: the cost comes down somewhat, but the overheads are still high, and this approach requires users to have a smartphone, which, even in this day and age, is not guaranteed.
Authentication via SMS, however, is (relatively) affordable, simple to implement and generally easy for users to understand, so it lowers resistance and the number of support tickets. It is therefore little wonder that so many companies have enthusiastically adopted SMS authentication, with the result that users have become very familiar with it and probably give the matter less and less thought each time they are asked, or required, to provide their mobile number to enhance the security of their account. That familiarity should not be mistaken for strength, though: a code delivered by SMS can be read by anyone who takes over the phone number (via a SIM swap or number-porting fraud) or who has access to the carrier's signalling network, which is why NIST SP 800-63B classes SMS one-time codes as a "restricted" authenticator and why an authenticator app or hardware key is preferable wherever users can manage one.
The problem in this instance is that Facebook (once again) blatantly ignored the principle of informed consent and assumed that users who provided their mobile phone number for security purposes would be happy to have it made searchable to allow people to find them.
This is, in and of itself, flagrantly against the principles of data protection in general (and the GDPR's purpose-limitation principle in particular, under which data collected for one stated purpose is not to be reused for an incompatible one) and, to make matters worse, Facebook also shared the data with Instagram and WhatsApp, which, although owned by Facebook and capable of integrating with it, were started as independent apps and do not (yet) require their users to have a Facebook account.
Facebook has responded to the barrage of criticism by advising that it is now possible to use 2FA without registering a phone number (by generating codes with an authenticator app instead of receiving them by SMS) and that it is no longer possible to enter a mobile number or email address into the search bar to find a profile. While these changes are welcome, this latest story is highly unlikely to do much to help Facebook restore its tarnished public image as a company that tests its users' patience over security and personal data on an ongoing basis.