Top tip: Don't bother with Facebook's two-factor SMS auth – unless you love phone spam

Pick another 2FA method: Social network is having a What The Zuck moment

Forget fake news, Russian trolls and the gradual cruel destruction of journalism – now Facebook is taking heat for spamming a netizen's phone with text messages after he signed up for SMS-based two-factor authentication.

Software engineer Gabriel Lewis said this week that after he activated the security measure with his cellphone number, he began to receive not just one-time login tokens as expected, but texts from Facebook with links to stuff happening on the social network.

How sly. Using a security mechanism to lure you back into the website.

What's worse, Lewis has not installed the Facebook app on his smartphone, and has not opted in to text message alerts. In short, the only thing he told Facebook to do was send his login authentication codes to his mobile via text, and now he's getting everything.

On top of that, Lewis said any replies to the Facebook texts (such as attempts to opt out) were posted directly to his profile page, leaving him looking like he was screaming "NO STOP" like a serial killer victim.

The cockup has some, including cryptography professor Matthew Green, wondering if Facebook had deliberately configured its two-factor SMS authentication backend to double as a messaging system for those who opted not to install the mobile app.

Green went on to note that he too has received the unwanted alerts, which he said have only recently started arriving.

Grzegorz Milka

Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication


Facebook has emitted a statement on the matter, but remained vague on exactly what caused the issue, and how it could be resolved – other than suggesting not giving the social network your phone number in the first place.

So: it's secure your profile via SMS and be spammed, or don't lock it down from password thieves and get some peace. Nice. Luckily, you can use dedicated security tokens and other methods for two-factor authentication with Facebook to avoid handing over your cell number. Given the spate of SS7 attacks, using something other than SMS for authentication is a good idea, anyway.

"We give people control over their notifications, including those that relate to security features like two-factor authentication," a spokesperson told El Reg on Wednesday evening.

"We're looking into this situation to see if there's more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook."

This is particularly poor timing for Facebook, as the reports of the unwanted texts come as the social network just found itself on the wrong end of Germany's privacy laws.

Facebook broke that Euro nation's rules with its mobile app by pre-ticking a number of opt-in settings including location tracking. Facebook has said it will appeal this month's ruling. ®

Similar topics

Other stories you might like

Biting the hand that feeds IT © 1998–2022