Facebook’s two-factor authentication (2FA) system has come under fire today for some bizarre design elements that seem to have gone largely unnoticed for quite some time. 2FA offers a more secure way to log into an online account by asking for secondary confirmation of the user’s identity. Bay Area software engineer Gabriel Lewis noticed earlier this week that Facebook was using the same phone number he used for 2FA to notify him about friends’ posts.
Even worse, it seems that replying to one of these notification texts with any message, such as “Please stop,” auto-posts that reply to your Facebook profile. (It doesn’t cause the messages to stop, either.) The Verge confirmed that this behavior occurs with any reply to a Facebook 2FA text message, and other users have popped up on Twitter to say both Facebook and Instagram have spammed them with notifications to their 2FA phone number. In Lewis’ case, he says he never opted in to notifications via text messaging in the first place.
Lewis’ case gained steam today when prominent technology critic and sociologist Zeynep Tufekci tweeted about it in a series of harsh criticisms of Facebook and its behavior regarding alleged “juicing” of its user engagement