Facebook admits that two-factor authentication flaw was caused by a bug

Facebook has once again been dragged into the firing line – but this time it isn’t the dreaded News Feed at fault, but rather the platform’s two-factor authentication (2FA) system. 

Facebook user Gabriel Lewis took to Twitter earlier this week to vent his frustration that the network was using the mobile number he provided for two-factor authentication to serve tailored SMS notifications without his consent.

There doesn’t appear to be a way to opt out of the notifications, either. Lewis never registered to receive them in the first place, so flicking the toggle didn’t work, and replying to the message automatically posted the response to his profile.


Facebook is embroiled in a number of class-action lawsuits over violations of the Telephone Consumer Protection Act, which – as noted by The Verge – states that a company is prohibited from contacting you without first being granted permission.

If the firm is found to have developed the SMS feature as a way to drive engagement, it could be on the receiving end of a slew of additional lawsuits. As it stands, however, Big F is playing the hoo-ha off as a bug that it’s looking into.

“I am sorry for any inconvenience these messages might have caused,” wrote Facebook’s Chief Security Officer – and former Chief Information Security Officer at Yahoo! – Alex Stamos in a blog post published on Saturday, February 17.

“We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they choose to receive them, and the same will be true for those who signed up in the past.”

“We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug.”
