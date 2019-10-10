First Facebook, and now Twitter. On Tuesday, Twitter admitted that it allowed marketers to access the phone numbers that users had registered with the site. Many had given their numbers to enable two-factor authentication (2FA)—that process where a website sends you a text message to verify it’s really you who’s logging in. Users didn’t realize they were also allowing marketers to verify who they are in order to build better advertising profiles incorporating Twitter user data. (Twitter says this was an inadvertent mistake and that it has closed the hole.)

That’s especially scary because our phone numbers have become powerful tools to identify and track us, not just for companies but for anyone who wants to look up our personal information stored in a myriad of public records such as court filings, voter registration, real estate transactions, and marriage records.

Twitter’s admission is a nasty case of déjà vu, since Facebook admitted to misusing phone numbers for ad targeting about a year ago. “For a lot of people, [text-message authentication] is a totally reasonable protection that you should feel comfortable using,” says Gennie Gebhart, a researcher on consumer privacy and security at the Electronic Frontier Foundation. “But Facebook was irresponsible, and now we can’t have nice things.”

In many ways, it may be too late to prevent these big social networks from using your phone number how they see fit. Facebook told me that they will only delete your phone number from their records if you delete your entire account. (And much as I’ve been tempted to, I’ve been unable to take that drastic step.) Twitter requires a phone number for 2FA, even if you use an app, although it says that may be changing.

Fortunately, there are other ways to secure your online accounts without handing over a phone number. Facebook, Twitter, and most major sites allow a second 2FA method that uses a free app to generate short-term codes you can enter into the site to verify your identity, just as you would with a code that is texted to you.

Authentication apps remain the best way to secure your online accounts, particularly Authy, a free app for Android, iOS, Windows, and macOS that’s intuitive to use. After you register your Authy account with the websites you use, the app backs up your 2FA setup registration to the cloud and syncs it across multiple devices, making it easy to log in even if your phone breaks or is lost. (Though that makes it a tad less secure.)