Facebook is facing a new wave of criticism for letting users identify individuals by phone number even when they only gave Facebook the number for the purpose of two-factor authentication.

Why it matters: Critics are saying a measure that users take in order to protect their security is instead, in Facebook's hands, exposing their privacy.

Details:

Two-factor authentication (2FA) is a security measure that helps protect access to user accounts by tying that access not only to a password, but also to a secondary device — often a phone.

Reports last year showed that Facebook was already targeting ads based on phone numbers users shared for two-factor authentication.

A Twitter thread detailing the latest issue went viral on Sunday.

Last year, Facebook blocked users from searching directly for profiles by typing in phone numbers. But Facebook will still link phone numbers and profiles under other circumstances, including when you upload an address book to help Facebook find your friends, users say.

Facebook allows you to change a default setting in order to hide your phone number, but even when you do, users have reported that some kinds of searches based on the phone number will still come up with your name.

Last year, Facebook began offering alternatives to phone-number based 2FA and no longer requires a phone number.

What they're saying: