Hey Facebook: Quit discouraging people from using 2FA

Facebook should not be monetizing users’ two-factor authentication (2FA) phone numbers. The practice will discourage some users from enabling 2FA, a net loss for security that makes it easier for criminals and spies to breach user accounts.

The gargantuan Facebook monster is determined to gobble up every little bit of data about you, including the phone number you register for 2FA, and then to use that phone number to manipulate you with targeted advertising, according to reporting by Kashmir Hill yesterday at Gizmodo.

Beyond the obvious creepiness factor of building shadow profiles of users, any move that weakens user security must be questioned.

Time has shown that most users are unable to generate and use strong passwords. Worse, password reuse is common. 2FA is the battle-tested solution for mitigating that risk. Anything that discourages users from enrolling in 2FA programs to secure their accounts puts those users at risk.