2factorauth / twofactorauth

List of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software.
https://2fa.directory

Facebook 2FA is also one account per phone number #1181

Closed alx9r closed 9 years ago

alx9r commented 9 years ago

I just witnessed the following on Facebook:

"You recently removed your primary phone from your account. Because of this, we turned off login approvals on your account to ensure that you don't get locked out when using an unrecognized computer or mobile device to login."

  • user is now able to log in to account1 on a new device with just their password and no second factor
  • checking the 2FA settings on account1 reveals 2FA is indeed turned off for that account

The Facebook Entry Should Have a Hazard Symbol like Twitter


À la the twitter entry, the Facebook entry should have a hazard symbol that states something like the following:

"SMS required for 2FA, 1 account per phone"

mxxcon commented 9 years ago

Perhaps this should be reported as a bug to Facebook?

alx9r commented 9 years ago

@mxxcon It's certainly a limitation, but why would "1 account per phone" be considered a bug?

mxxcon commented 9 years ago

Because it might not be an expected behavior. In the case of Twitter they explicitly tell you that it's a 1:1 relationship, whereas here they seem to silently remove 2FA from your 1st account.

alx9r commented 9 years ago

I see. That is true. I wonder if Facebook has a bug submission process...

mxxcon commented 9 years ago

There's https://www.facebook.com/help/326603310765065/ and there's https://www.facebook.com/whitehat/

alx9r commented 9 years ago

I reported this by following the instructions at https://www.facebook.com/help/326603310765065/.

inputsh commented 9 years ago

No, definitely not. On Facebook's Terms of Service it clearly says that having two separate Facebook accounts is against the rules (section 4, point 2).

Considering it, no, it's not a bug. It's perfectly normal for a Facebook person to have a phone and limiting one person per phone is perfectly normal for their service.

mxxcon commented 9 years ago

@aleksandar-todorovic except when you have a personal Facebook account and a business one, which you now cannot protect with 2FA...

inputsh commented 9 years ago

@mxxcon Do you by "business account" mean a Facebook page for your company/project?

mxxcon commented 9 years ago

@aleksandar-todorovic for my company/project/organization/client/however else it can be used.

jamcat22 commented 9 years ago

Yeah. Facebook Pages can have separate accounts that aren't linked to a personal account.

jamcat22 commented 9 years ago

Closing due to #1250.