Facebook removes two-factor authentication mobile numbers from search
By Lucian Constantin
Facebook users who have associated a mobile phone number with their accounts in order to enable the social network’s “Login Approvals” security feature can no longer be found on the website based on those phone numbers, the company said Monday.
Facebook’s search system provides reverse look-up functionality that allows users to find other people on the website by searching for their phone numbers or email addresses instead of their names.
“As we constantly iterate on our security tools to better protect our users, we have disabled the reverse look-up functionality for those using Login Approvals until we can provide new systems to make this functionality optional,” a Facebook spokeswoman said Monday via email.
Facebook “Login Approvals” is a two-factor authentication feature that requires users to input special codes sent to their mobile phones in addition to their regular passwords when attempting to authenticate from a new device. The feature is designed to prevent account abuse in cases where the user’s password is compromised.
The new restriction only applies to mobile phone numbers used for two-factor authentication, not every phone number added by users in the “Contact Info” section of their profile pages, the Facebook spokeswoman said.
Last week, Facebook limited the rate at which phone numbers can be searched on its mobile website in order to block a phone-number harvesting method disclosed by a security researcher.
Suriya Prakash, an independent security researcher from India, publicly reported on Oct. 5 that Facebook’s reverse look-up feature can be abused to search for thousands of sequential phone numbers in order to find any Facebook profiles associated with them.
Users can associate multiple phone numbers with their Facebook accounts and can specify if they should be visible to the general public, their friends, or only to themselves. However, restricting who can find them on the website by searching for those phone numbers is done from a different option under “Privacy Settings” > “How You Connect” > “Who can look you up using the email address or phone number you provided.”
The default setting for this option is “Everyone,” but it can be changed to “Friends” or “Friends of Friends.” There is no option to disable it completely.
The search restriction for “Login Approvals” phone numbers is temporary, and the company is working on implementing a system that will allow users to decide if they want to make them searchable. However, the company did not clarify whether the upcoming system will allow users to prevent other people from finding them based on any of the phone numbers they added to their profiles.