Setting up two-factor authentication is usually a recommended move to keep important accounts secure — but on Facebook, adding a phone number could impact privacy. After a tweet from a user complaining that Facebook required a phone number for two-factor authentication, Facebook’s iffy data practices are once again in the spotlight, this time with what actually happens to your phone number when adding two-factor authentication.
The practice coming into question isn’t new — just highlighted by a new round of complaints. Facebook has offered two-factor authentication since 2011. The company says that phone numbers added to an account, including areas outside of two-factor authentication, are then linked to the account. Facebook uses those phone numbers for more than just security, using them for ad targeting if a business also has that same phone number and allowing other users to find their profile by typing the phone number into the search bar.
The tweet sparking the latest round of criticism comes from the owner of Emojipedia, Jeremy Burge, who added a phone number during a time when Facebook required managers of large Pages to use two-factor authentication. While Facebook no longer requires a phone number for accounts with a large number of followers, the network also doesn’t appear to have an option to delete the information once added to the account.
As Burge points out in his tweet, there is no way to disable the tool where other users can look you up by phone number. Users can adjust the privacy settings to change the settings from “everyone” to just “friends,” but there’s no option to disable entirely. Burge points out that Facebook shares that phone number with Instagram and WhatsApp. He says that when he was forced to sign up for two-factor authentication, Facebook said it was “to help secure your account.” Now that statement tacks on “and more” at the end.
So what are Facebook users to do? Well, if you already provided Facebook with your phone number, there isn’t an option to delete it. (In some cases, Facebook may already know your phone number from when users could give Facebook access to their phone contacts to find their friends.)
But for users who haven’t yet given away their phone number, third-party apps will allow for two-factor authentication without a phone number. Apps like Google Authenticator and LastPass generate a unique code to activate two-factor authentication instead of a phone number.