Facebook forces you to expose your phone number to the whole world in order to turn on two-factor authentication

Last September, Facebook drew fire for abusing the phone numbers users provided for two-factor authentication messages, sending spam advertising messages over the same channel -- now, rather than reforming its ways, Facebook has doubled down on poisoning the security well, by adding a no-opt-out policy of allowing anyone in the world to search for you by phone number if you provide that number for two-factor auth.

This feature has been around for a long time (Facebook promised to remove it in the wake of the Cambridge Analytica scandal), but what's changed is that Facebook is now requiring some users to turn on two-factor authentication (which is a good practice, though SMS provides the worst security of all 2FA methods); that means that millions of Facebook users are now exposing themselves to potentially serious privacy risks as a condition of securing their Facebook accounts.

We are in a great race to improve computer security before the existing bad-security debt comes due, creating breach-quakes that make all the infosec disasters to date look like the mere tremors that they are. Educating users about 2FA is a huge part of that process, and Facebook is poisoning the well, just because.

This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked. Facebooks decision to use phone numbers that were given to it for a specific security purpose for reasons other than security are a betrayal, and is training people more broadly that turning over more personal information to an internet company for security features could backfire.