Go without your number, boost Facebook safety
A phone number can mean much more when it’s stored on Facebook’s servers – even if you provided it only to help secure your account.
Last February, software engineer Gabriel Lewis tweeted that adding your mobile number to your account as a two-step verification method (in which you confirm a login by entering a one-time code sent to your phone) could result in Facebook sending you text-message notifications about everyday activity on the social network.
At the time, Facebook apologized and said the text spam was an error.
In March, another developer, Jeremy Burge, tweeted that numbers you add for two-step verification still aren’t reserved for that security use. Instead, other Facebook users can search for them – and advertisers who upload contact lists, called Custom Audiences, also can match you that way.
That time, Facebook did not apologize, noting that it hasn’t required you to secure your account with a phone number since May 2018.
After a month of correspondence with USA TODAY, Facebook said it had changed its system to stop numbers newly added for two-step verification from being matched for advertising.
The correct response is to take Facebook up on its earlier, implicit invitation to remove your number from your account – but only after switching to a different form of two-step verification.
The cheapest option is to use the “Code Generator” authentication option built into Facebook’s mobile app, which will compute a one-time code that you can then enter into your browser when Facebook thinks your login falls outside of your usual activity.
This is free and fairly simple, but you need to set this up anew every time you switch phones. And Facebook’s mobile app gathers more data than its mobile Web site.
You also should consider using a security key, a special USB key that confirms your login with a cryptographic signature unique to each site. They’re not free but are cheap, starting at $20 from the best-known vendor, Yubico; Amazon sells other models, also certified by the FIDO (Fast IDentity Online) trade group, for as little as $10.
Buy one, add it to your Facebook account, and from then on you can confirm a login by popping it into the USB port on your desktop or laptop. (Some also communicate with phones and tablets via NFC wireless.) The key can’t be fooled by phishing sites because it will ignore pages that don’t sit at the right domain name.
And the key will work even if you change phones or lose yours. Plus, you can use the same key to secure your Google, Twitter and Microsoft accounts, among others.
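The domain binding described above can be seen in the checks a site runs on a security-key login response. The sketch below is an added example, not code from Facebook or any key vendor: it follows the WebAuthn field layout used by FIDO keys, the names `RP_ID`, `ORIGIN`, `sample_assertion` and `check_assertion` and all sample values are constructed, and verification of the key's signature against the registered public key is left out.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                 # assumed relying-party ID (site domain)
ORIGIN = "https://login.example.com"  # assumed legitimate login page origin


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding used for the challenge field."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what the browser and key return for a page."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    flags, sign_count = 0x01, 7       # 0x01 = user-present bit
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    return client_data, rp_hash + struct.pack(">BI", flags, sign_count)


def check_assertion(client_data: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Return "ok" or the reason the login confirmation is rejected.
    Signature verification is omitted in this sketch."""
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get":
        return "wrong type"
    if fields.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if fields.get("origin") != ORIGIN:        # origin is reported by the browser
        return "origin mismatch"
    if len(auth_data) < 37:                   # 32-byte hash + flags + counter
        return "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"            # key was used for another domain
    if not auth_data[32] & 0x01:
        return "user not present"
    return "ok"


if __name__ == "__main__":
    chal = b"constructed-challenge-0001"
    print(check_assertion(*sample_assertion(ORIGIN, RP_ID, chal), chal))
    # A look-alike page: the browser reports that page's own origin and domain.
    print(check_assertion(
        *sample_assertion("https://login.examp1e.com", "examp1e.com", chal), chal))
```

Because the browser, not the page, fills in the origin and the key's response covers the hash of the domain it was used on, a response collected by a look-alike page fails these checks even when the user is fooled.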
Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at rob@robpegoraro.com. Follow him on Twitter at @robpegoraro.