Facebook’s two-factor authentication system auto-posts replies on your profile

Facebook’s two-factor authentication (2FA) system has come under fire today for some bizarre design elements that seem to have gone largely unnoticed for quite some time. Bay Area software engineer Gabriel Lewis noticed earlier this week that Facebook was using the same phone number he used for 2FA, which offers a more secure way to log into an online account by asking for secondary confirmation of the user’s identity, to notify him about friends’ posts.

Even worse, it seems that replying to this message with any message, such as “Please stop,” auto-posts that message to your Facebook profile. (It doesn’t cause the messages to stop, either.) The Verge confirmed that this behavior occurs with any reply to a Facebook 2FA text message, and other users have popped up on Twitter to say both Facebook and Instagram have spammed them with notifications to their 2FA phone number. In Lewis’ case, he says he never opted in to notifications via text messaging in the first place.

Lewis’ case gained steam today when prominent technology critic and sociologist Zeynep Tufekci tweeted about it in a series of harsh criticisms of Facebook and its behavior regarding alleged “juicing” of its user engagement metrics:

This is horrible. You give Facebook your phone number for login authentication; instead, it abuses it to SMS spam to drive up “engagement”, and when you reply to spam, is posts it on your wall. https://t.co/vPXdwHEyTM

— zeynep tufekci (@zeynep) February 14, 2018

Facebooook! Stop this. Growth “mindset” is at the root of so much of the worst effects of these platforms. You’d still be fabulously wealthy without this, Zuck. This is soulless. This is how we’ve train people to be phished. Aaaarrgh. https://t.co/8ySbb7Utt4

— zeynep tufekci (@zeynep) February 14, 2018

There’s a legal layer to this situation, as well. Facebook is currently embroiled in a number of class-action lawsuits over alleged violations of the Telephone Consumer Protection Act, or TCPA, which states that no company may contact you via text without being given express permission first. In those past cases, Facebook was spamming users with birthday reminder text messages and other automated spam, even when users opted out of text message notifications or had never given Facebook their phone number.

It is unclear whether this more recent behavior is a bug, though the auto-posting feature certainly looks like one. If the company is indeed intentionally using 2FA phone numbers to lure users back to Facebook without getting those users’ express user consent, it could open the company up to lawsuits.

In a statement, a Facebook representative did not address whether the auto-posting of replies was intentional or a bug. (The Verge is seeking clarification on this matter.) The company also says that it’s looking into the text notification issue, and that it’s 2FA system can be used with a code generator if any user does not wish to provide a phone number. “We give people control over their notifications, including those that relate to security features like two-factor authentication. We’re looking into this situation to see if there’s more we can do to help people manage their communications,” the statement reads. “Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.”

A lot of people are suggesting the Facebook SMS spam is a bug. Bullshit. Someone at FB made a deliberate decision to “re-engage users” by spamming all those mobile phone numbers 2FA users had entered. No bug here at all.

— Matthew Green (@matthew_d_green) February 14, 2018

My hypothesis: they built this feature for users with low-bandwidth to post statuses via SMS but are using the same service to send 2FA confirmation

— Francesco Polizzi (@FrancescoSTL) February 14, 2018

Update at 7:35PM ET, 2/14: Added statement from Facebook.