Protti’s team conducted a review starting in August that was not specifically aimed at 2FA-related privacy issues, but rather a broader overview, Reuters reports, as Protti is in charge of signing off on the quarterly privacy certifications mandated by the FTC settlement. The review was designed to make sure “the system updates supporting our privacy statements were done correctly,” Protti told Reuters. It also “adds more layers of process and rigor to the vetting of our technical work to make sure our public statements match our operations.”
(Although Facebook stopped requiring phone numbers for 2FA enrollment last May, phone number-based 2FA can still be the most usable option for many people.) In response to a tweet from a Page administrator pointing out this critical problem, Facebook has been forced to respond to user concerns and media reports.
For users who rely on their phone number to power Facebook’s 2FA login, the company isn’t going to fix the issue by default for those affected. Instead, users will have to remove their existing phone number and re-add it, Reuters reports.
“Based on feedback from the privacy and security communities, we have started updating our two-factor authentication feature so that phone numbers people add here won’t be used to suggest friends,” a Facebook spokesperson said in a statement. The change related to friend suggestions is only going into effect this week for users in Ecuador, Ethiopia, Pakistan, Libya, and Cambodia. Facebook will expand to users around the globe next year. It’s not clear, however, why Facebook is not making the change automatic for all users by default and when exactly it plans to separate 2FA phone numbers from friend suggestions in 2020.