PSA: Don’t give out your phone number for Facebook 2FA, use an app instead

It’s no secret that Facebook doesn’t respect your privacy in the least: we learned last October that the company used the phone number you provided for two-factor authentication to enable advertisers to target you. Last week, Emojipedia’s Jeremy Burge highlighted in a tweet that if the social network has your number, it allows everyone on its platform to look you up with it by default – and you can’t turn that off.

That’s just all kinds of shitty, as security researcher and New York Times columnist Zeynep Tufekci pointed out:

In its statements to TechCrunch about the features, Facebook noted that the features aren’t new, and that your number can be looked up by everyone by default because that “makes it easier to find people you know but aren’t yet friends with.” The company comes across as obtuse about the potential dangers and the invasiveness of allowing anyone to confirm your identity with your phone number on the platform, without informing you that this is enabled by default. Oh, and you can’t turn it off – the best you can do is restrict number look-up to only your friends on Facebook.

You can actually avoid giving your number to Facebook without ditching the additional security that 2FA affords you. Let me walk you through it.

First off, you’ll want to check if Facebook’s got your number. To do this, log into Facebook and visit this link, or head to your settings, and then click on ‘Mobile’ in the left sidebar. You’ll be able to see a list of all the phone numbers associated with your profile. Click ‘Remove’ below each number to de-list them.

Don’t give Facebook your phone number, just don’t

It’s worth noting that Facebook will display a warning about not being able to use this phone to receive notifications or upload photos and videos if you proceed with this step. I imagine this refers only to receiving notifications via SMS, and uploading content using MMS; I tried uploading a video via the Android app on my phone after removing my number, and it worked just fine.

After removing my number, I had a colleague search the social network with it to confirm that my profile wouldn’t surface, and that worked fine. So, now that we’ve got this bit out of the way, it’s time to set up two-factor authentication without a phone number.

The easiest way is to use an authentication app that doesn’t rely on your phone number, like Google Authenticator, Microsoft Authenticator, or Authy. Once you’ve set them up, any of these free apps will display a six-digit code (for a brief period, before it changes) that acts as a second password for your account. It’s better than SMS-based authentication, because it can’t be hijacked by an attacker engaging in SIM swapping or some other method of intercepting your texts.

[Image: Authy in action, displaying a 2FA code for logging into Facebook. Credit: Authy]

Of the lot, I prefer Authy, because it lets you sync your 2FA codes across your devices, and that’s essential for me because I switch phones often for hardware reviews. The other two work well, but don’t allow you to sync codes.

With that, you’ll have sorted out 2FA security for your account, without having to give up your phone number. Now, if only we could all just delete our accounts on the social network already…