Facebook: Two-factor authentication spam was caused by a bug

Two-factor authentication, a security measure that requires a verification code as well as a password upon login, can help prevent phishing and account takeover.

But at Facebook, two-factor authentication ended up being used as a way to pester its users with notifications.

A number of people have been receiving random notifications from Facebook after giving the social network their phone number for two-factor authentication. Worse, if they attempt to cancel that by replying to the message, say with STOP or CANCEL, Facebook would post their replies as a status update for all to see. Now, the social network has admitted that the issues were caused by a bug and promised to roll out a fix that will stop non-security-related notifications in the next few days.

“The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications,” Stamos wrote in a blog post. “We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past.”

Facebook never intended to send SMS notifications to two-factor authentication users, Stamos said. He also apologized for any inconvenience caused by the notification messages.

Facebook Chief Security Officer Alex Stamos explained that the website didn’t intentionally spam people who signed up for two-factor using their phone numbers. After all, Facebook doesn’t want to deter people from signing up for 2FA. “[T]he last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications,” he said.

The exec has also revealed that responses to the notifications got posted as status updates due to an old feature that allowed posting via test message. Obviously, that’s no longer as useful in a world where WiFi hotspots and mobile data are becoming more and more common. That’s why Facebook is now working to deprecate that feature, so those sick of getting random notifications can rage-reply to them without having to worry that their friends would witness their meltdown.

Until Facebook rolls out a fix, those affected by the bug can go to Settings > Notifications to switch off text notifications. (That’s what I did when I started getting these messages some months ago.) Those who’d rather not risk the same thing happening in the future can choose to use a physical key or one of those code-generating apps instead of giving their phone numbers to the social network.

Share on TwitterShare on FacebookShare on LinkedInPin it on PinterestSubmit to redditShare on Tumblr

Written by admin

Leave a Reply

Please support the site
Let's connect on our social media pages