Two-factor authentication, a security measure that requires a verification code as well as a password upon login, can help prevent phishing and account takeover.
But at Facebook, two-factor authentication ended up being used as a way to pester its users with notifications. As Gizmodo reported earlier this week, users who gave Facebook their phone number in order to receive two-factor codes via text messages also ended up getting hit with a barrage of notifications. Users' responses to these notification texts ended up being posted on their Facebook walls, or as comments on their friends' posts.
Security experts criticised the notification texts, arguing that they would discourage users from implementing an important security feature.
Facebook's chief security officer Alex Stamos now says that the notification texts were a bug, and the company will roll out a fix in the next few days.
Facebook is bleeding users, with external researchers estimating that the social network lost 2.8 million US users under 25 last year. Those losses have prompted Facebook to get more aggressive in its efforts to win users back - and the company has started using security prompts to encourage users to log into their accounts.
"The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications," Stamos wrote in a blog post. "We are working to ensure that people who sign up for two-factor authentication won't receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past."
Facebook never intended to send SMS notifications to two-factor authentication users, Stamos said. He also apologised for any inconvenience caused by the notification messages.
Stamos also addressed the fact that responding to the notification texts resulted in unexpected posts on Facebook. "For years, before the ubiquity of smartphones, we supported posting to Facebook via text message, but this feature is less useful these days. As a result, we are working to deprecate this functionality soon," he said.
If you don't want to wait for the bug fix to roll out, you can always turn off text notifications in the "Notifications" section of your Facebook settings. You can also use a code generator app and a U2F key for two-factor authentication and avoid giving your phone number to Facebook altogether.