This article was published on March 4, 2019

PSA: Don’t give out your phone number for Facebook 2FA, use an app instead


PSA: Don’t give out your phone number for Facebook 2FA, use an app instead Image by: Oscar Delgado / Dribbble

It’s no secret that Facebook doesn’t respect your privacy in the least: we learned last October that the company  used the phone number you provided for two-factor authentication to enable advertisers to target you. Last week, Emojipedia’s Jeremy Burge highlighted in a tweet that if the social network has your number, it allows everyone on its platform to look you up with it by default – and you can’t turn that off.

That’s just all kinds of shitty, as security researcher and New York Times columnist Zeynep Tufekci pointed out:

In its statements to TechCrunch about the features, Facebook noted that the features aren’t new, and that your number can be looked up by everyone by default because that “makes it easier to find people you know but aren’t yet friends with.” The company comes across as obtuse about the potential dangers and the invasiveness of allowing anyone to confirm your identity with your phone number on the platform, without informing you that this is enabled by default. Oh, and you can’t turn it off – the best you can do is restrict number look-up to only your friends on Facebook.

You can actually avoid giving your number to Facebook without ditching the additional security that 2FA affords you. Let me walk you through it.

First off, you’ll want to check if Facebook’s got your number. To do this, log into Facebook and visit this link, or head to your settings, and then click on ‘Mobile’ in the left sidebar. You’ll be able to see a list of all the phone numbers associated with your profile. Click ‘Remove’ below each number to de-list them.

Don't give Facebook your phone number, just don't
Don’t give Facebook your phone number, just don’t

It’s worth noting that Facebook will display a warning about not being able to use this phone to receive notifications or upload photos and videos if you proceed with this step. I imagine this refers only to receiving notifications via SMS, and uploading content using MMS; I tried uploading a video via the Android app on my phone after removing my number, and it worked just fine.

After removing my number, I had a colleague search the social network with it to confirm that my profile wouldn’t surface, and that worked fine. So, now that we’ve got this bit out of the way, it’s time to set up two-factor authentication without a phone number.

The easiest way is to use an authentication app that doesn’t rely on your phone number, like Google Authenticator, Microsoft Authenticator, or Authy. Once you’ve set them up, any of these free apps will display a six-digit code (for a brief period, before it changes) that acts as a second password for your account. It’s better than SMS-based authentication, because it can’t be hijacked by an attacker engaging in SIM swapping or some method of intercepting your texts.

Here's Authy in action, displaying a 2FA code for logging into Facebook
Credit: Authy
Here’s Authy in action, displaying a 2FA code for logging into Facebook

Of the lot, I prefer Authy, because it lets you sync your 2FA codes across your devices, and that’s essential for me because I switch phones often for hardware reviews. The other two work well, but don’t allow you to sync codes.

  • In Facebook’s Settings, head to Security and login or click here.
    Click on Two-factor authentication, and under Authentication app, click ‘Add a new app.’

    Enable two-factor authentication in Facebook, and use an app instead of SMS
    Enable two-factor authentication in Facebook, and use an app instead of SMS

  • You’ll then see a QR code on your desktop; fire up your 2FA app, tap on the option to add a new tap there, and then choose to scan a QR code. Point your phone’s camera at your desktop screen to scan the code, and your Facebook account will be set up with your 2FA app.
    Credit: Authy
  • Next, you’ll need to enter the code that pops up on your phone into Facebook’s desktop site to complete setup. When you’ve done that, click ‘Confirm’ on the site, and you’ll be good to go.

With that, you’ll have sorted out 2FA security for your account, without having to give up your phone number. Now, if only we could all just delete our accounts on the social network already…

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with