Facebook didn’t mean to send spam texts to two-factor authentication users

Facebook Chief Security Officer Alex Stamos apologized for spam texts that were incorrectly sent to users who had activated two-factor authentication. The company is working on a fix, and you won’t receive non-security-related text messages if you never signed up for those notifications.

Facebook says it was a bug. But calling it a bug is a bit too easy — it’s a feature that was badly implemented as it’s clear that Facebook has been treating all phone numbers the same way. It doesn’t matter if you add your phone number for security reasons or to receive notifications. Facebook put all of them in the same bucket. It’s poor design, not a bug.

“It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused,” Stamos wrote. “We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug.”

And yet, this is particularly bad because it creates a bad narrative around two-factor authentication. While Facebook lets you use a code generator mobile app or a U2F USB key, many people rely on text messages for two-factor authentication. It’s a second layer of security so that strangers who have your password can’t connect without the second factor.

Everyone should enable two-factor authentication. But people might hesitate now that they know Facebook has used a security feature to improve engagement in the past. I’d recommend turning it on with a code generator.

Does it mean tech publications shouldn’t have shared this information? Of course not (and I’m looking at you, former Facebook security engineer Alec Muffett). If nobody had written about the issue, Facebook would still be spamming users and sharing great engagement numbers in its quarterly earnings release.

The fact that Facebook poorly implemented a security feature is… Facebook’s fault.

In addition to that, Facebook is also disabling posting to Facebook via text messages altogether. Earlier this week, a tweet went viral as Gabriel Lewis tried disabling those text notifications and ended up sharing posts on Facebook:

The company says that this feature may have been useful at some point when smartphones were less popular, but there’s no reason to keep it around now.