Facebook is bleeding users, with external researchers estimating that the social network lost 2.8 million US users under 25 last year. Those losses have prompted Facebook to get more aggressive in its efforts to win users back—and the company has started using security prompts to encourage users to log into their accounts.
Sometimes, Facebook will send emails to users warning them that they’re having problems logging into their accounts, Bloomberg reported last month. “Just click the button below and we’ll log you in. If you weren’t trying to log in, let us know,” the emails reportedly read. Other times, Facebook will ask for a user’s phone number to set up two-factor authentication—then spam the number with notification texts.
I’ve been getting these text-spam messages since last summer, when I set up a new Facebook account and turned on two-factor authentication. I created the new profile with somewhat vague intentions of using it for professional purposes—I didn’t like the idea of messaging sources from my primary Facebook account, where they could flip through pictures of my high school prom or my young nephews. But I didn’t end up using the profile often, and I let it sit mostly abandoned for months at a time.
At first, I only got one or two texts from Facebook per month. But as my profile stagnated, I got more and more messages. In January, Facebook texted me six times—mostly with updates about what my ex was posting. This month, I’ve already gotten four texts from Facebook. One is about a post from a former intern; I don’t recognize the name of one of the other “friends” Facebook messaged me about.
The texts are a particularly obnoxious form of spam, and instead of making me want to log into Facebook, they remind me why I’m avoiding it. It’s painful to see my ex’s name popping up on my phone all the time, and while my intern was great at her job, I’m not invested in keeping up with her personal life. Facebook has never been great at mapping these kinds of relationships, and that’s likely part of the reason it’s losing users—as more and more people sign up for the service and make connections with each other, Facebook hasn’t figured out how to prioritize updates from the people you’re closest to over those from people you haven’t spoken to in over a decade. For a user, this means being swarmed with information you don’t really want.
What’s most frustrating is that Facebook has taken a security feature like two-factor authentication—which gives users valuable protection from phishing and account takeovers—and perverted it into a tool for spam. It’s a decision that prioritizes engagement over security and will teach users who are experimenting with two-factor for the first time that it’s not worth the hassle, ultimately degrading user safety. “Abusing a security technology like 2FA by turning it into a marketing opportunity is pretty much the most short-term clever, long-term foolish thing Facebook could do,” Matthew Green, a cryptographer at Johns Hopkins University, tweeted.
When Gabriel Lewis, a software engineer, tweeted about replying to the texts and having his responses posted on his Facebook wall, I decided to try it for myself. I’d just gotten a text from Facebook letting me know that my former boss had commented on a post.
“Abusing a security tool like 2fa to spam users is a really shitty, shortsighted thing to do,” I texted back.
One minute later, I got a text from my former boss. “Hey did someone break into your FB?” he asked. My rant about two-factor authentication had showed up as a comment on vacation photos he’d posted two weeks ago.
I went to his page to look for the comment, but I couldn’t find it. When I asked him where it was, he sent me a screenshot. “I deleted it,” he told me. “It was so mean!” I felt embarrassed and quickly went through his vacation pictures to apologetically like them all.
If you give your phone number to Facebook for two-factor authentication, you won’t just get an extra layer of security and a slew of thirsty texts. Facebook also uses your number to match you up with potential friends—if anyone you know has uploaded their phone contacts to Facebook, the company will match that up with your two-factor authentication number and suggest you in its “People You May Know” tool.
Fortunately, you can opt out of Facebook’s endless texts. In your account, navigate to “Settings” and then “Notifications.” If you’re using two-factor authentication, text notifications will be on by default, but you can toggle them off.
You can also use alternative methods of two-factor authentication, like a code generator app or a U2F key, to verify your identity on Facebook. These methods are more secure than texted codes, which can be stolen if an attacker hijacks your SIM. To change your two-factor method, go to your Facebook settings and then click “Security and Login.” If you want to remove your phone number altogether, Facebook will require you to use both a code generator and a U2F key.
“We give people control over their notifications, including those that relate to security features like two-factor authentication,” a Facebook spokesperson said. “We’re looking into this situation to see if there’s more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.”
Updated at 7:20 p.m. with a statement from Facebook.