Facebook users, over the past week, have reportedly been getting SMS notifications from the social media website after signing up for the two-factor authentication security feature. While the two-factor authentication is a vital part of protecting online accounts by adding a second layer of security, the text messages, interestingly, were not related to any security features. This gave rise to speculation that Facebook was trying to increase user engagement However, Facebook has now responded to the issue saying that it was a bug, and that such notifications were not meant to be sent.
While two-factor authentication is considered a vital measure of security, requiring an attacker to have both the user's password and physical access to a registered device before being able to log into the user's account. However, on Facebook, the system appears to have ended up being a problem for its users, thanks to SMS notifications. Interestingly, users also complained that if they replied to the SMS notifications, these would appear as status updates on Facebook.
Alex Stamos, Facebook Chief Security Officer, explains in a blog post that it was not Facebook's intention to send non-security-related SMS notifications to phone numbers, and also apologised for the inconvenience caused to users. He wrote, "The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications."
Facebook has also promised that the bug will be fixed soon. "We are working to ensure that people who sign up for two-factor authentication won't receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days," said Stamos.
Responding to why users responses to SMS notifications would appear as status updates, Facebook again said it was an unintended consequence, and was enabled by an older functionality where users could post to Facebook via text message. This functionality would soon be deprecated, Facebook said.
While you wait for Facebook to come out with a fix, you can go to Settings > Notifications to switch off text notifications. You can also use a code generator app and a U2F key instead of providing your phone numbers to Facebook when enabling 2FA.