Facebook this week admitted one of its users logged into someone else’s account with just a phone number. A Facebook spokesperson told VentureBeat that both users had the same phone number associated with their accounts, so the person who presently had that phone number could access both.
What boggles my mind here is that there was no sanity check. Facebook accounts are tied to an email address. When you want to regain access to an account, you should be able to enter your email address, and if you don’t remember your password, enter your phone number.
But that’s not what Facebook offers. On the Facebook homepage, there’s simply a “Forgot account?” link below the login form. Note that it isn’t a “Forgot your password?” option like other online services offer.
Facebook is hoping to make it as easy as possible to get you back onto Facebook. Presumably, the company doesn’t want anyone who can’t remember which email address is associated with their account to be locked out.
And so, you can type in any phone number or email address you want to “find your account.” Email addresses are rarely, if ever, recycled. But phone numbers are, and therein lies this specific snafu.
Facebook could fix this very easily, and it doesn’t have to sacrifice much convenience: Have the user type in their name first. You can certainly make the argument that one might genuinely not know or remember their email address and password. But everyone can certainly input their name before putting in a phone number.
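The failure mode described above, and the fix the column proposes, as an added example that is not Facebook's code or anything the company has published. The account directory, the normalisation rules and the function names are all assumptions made for illustration; the two accounts that share a number stand in for an old owner who never removed a recycled phone number and the new owner who now holds it.

```python
"""Account-recovery lookup: phone number alone versus name plus phone number.

Added example (hypothetical code, not Facebook's). Shows why a recovery
flow keyed on a phone number alone hands out the wrong account once a
number has been recycled, and how requiring the name plus refusing to
guess between multiple matches closes that gap.
"""
import re
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: int
    name: str
    email: str
    phone: str  # stored with country code, e.g. "+14155550123" (constructed)


def normalize_phone(raw: str) -> str:
    """Keep digits only so '+1 (415) 555-0123' and '+14155550123' compare equal."""
    return re.sub(r"\D", "", raw)


def normalize_name(raw: str) -> str:
    """Case-fold, strip accents and collapse whitespace so the name check
    tolerates 'josé  PÉREZ' vs 'Jose Perez' without becoming a free pass."""
    decomposed = unicodedata.normalize("NFKD", raw)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


# Constructed sample directory. Accounts 1 and 2 share a recycled number;
# accounts 3 and 4 share both a name and a number (the truly ambiguous case).
ACCOUNTS = [
    Account(1, "Alice Example", "alice@example.com", "+14155550123"),
    Account(2, "Bob Sample", "bob@example.com", "+14155550123"),
    Account(3, "Carol Demo", "carol@example.com", "+14155550199"),
    Account(4, "Carol Demo", "carol.old@example.com", "+14155550199"),
]


def lookup_by_phone_only(phone, accounts=ACCOUNTS):
    """Weak flow: return the first account carrying this number.
    Whoever currently holds the number gets whatever account sorts first,
    which may belong to the number's previous owner."""
    target = normalize_phone(phone)
    for acct in accounts:
        if normalize_phone(acct.phone) == target:
            return acct
    return None


def lookup_by_name_and_phone(name, phone, accounts=ACCOUNTS):
    """Hardened flow: the number must match AND the name must match, and if
    more than one account still matches the lookup is refused rather than
    guessed. Returns (status, account) with status in
    {"found", "ambiguous", "not_found"} so callers can log the ambiguous case."""
    target_phone = normalize_phone(phone)
    target_name = normalize_name(name)
    matches = [
        a for a in accounts
        if normalize_phone(a.phone) == target_phone
        and normalize_name(a.name) == target_name
    ]
    if len(matches) == 1:
        return "found", matches[0]
    if len(matches) > 1:
        return "ambiguous", None
    return "not_found", None


def shared_phone_numbers(accounts=ACCOUNTS):
    """Defender's audit: map every phone number attached to more than one
    account to the list of account ids, so recycled numbers can be found
    before they are used in a recovery flow."""
    by_phone = {}
    for acct in accounts:
        by_phone.setdefault(normalize_phone(acct.phone), []).append(acct.account_id)
    return {phone: ids for phone, ids in by_phone.items() if len(ids) > 1}


if __name__ == "__main__":
    # Bob now holds +1 415 555 0123 but the weak flow hands him Alice's account.
    print("phone only   :", lookup_by_phone_only("+1 415 555 0123"))
    print("name + phone :", lookup_by_name_and_phone("Bob Sample", "+1 415 555 0123"))
    print("ambiguous    :", lookup_by_name_and_phone("Carol Demo", "+14155550199"))
    print("shared       :", shared_phone_numbers())
```

The name check is not a strong authenticator on its own, which is the column's point as well: it is the cheap sanity check that stops a recycled number from resolving to someone else's account, and the `ambiguous` status gives the recovery service something to log and review instead of silently picking one.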
Not just Facebook
I didn’t include Facebook in the headline because this is a balance everyone must strike. Weighing the pros and cons of security versus convenience applies to everything in tech, from your personal device all the way up to running a Fortune 500 corporation.
How do you unlock your phone and your laptop? Do you bother to secure them, and if so, with what? Do you use a swipe pattern, a password, your finger, or your face? Have you considered all the options and picked the most secure one, or the most convenient one?
There’s a lot more to consider when you’re running a company. There’s the software and hardware you provision for your employees and the services you offer to your customers. As we’ve seen, even the tech giants make tradeoffs that they could end up regretting.
But the lesson here is simple: Inconvenience your employees and customers rather than put their privacy and security at risk.
ProBeat is a column in which Emil rants about whatever crosses him that week.