First Facebook, and now Twitter. On Tuesday, Twitter admitted that it allowed marketers to access the phone numbers that users had registered with the site. Many had given their numbers to enable two-factor authentication (2FA)—that process where a website sends you a text message to verify it’s really you who’s logging in. Users didn’t realize they were also allowing marketers to verify who they are in order to build better advertising profiles incorporating Twitter user data. (Twitter says this was an inadvertent mistake and that it has closed the hole.)
That’s especially scary because our phone numbers have become powerful tools to identify and track us, not just for companies but for anyone who wants to look up our personal information stored in a myriad of public records such as court filings, voter registration, real estate transactions, and marriage records.
Twitter’s admission is a nasty case of déjà vu, since Facebook admitted to misusing phone numbers for ad targeting about a year ago. “For a lot of people, [text-message authentication] is a totally reasonable protection that you should feel comfortable using,” says Gennie Gebhart, a researcher on consumer privacy and security at the Electronic Frontier Foundation. “But Facebook was irresponsible, and now we can’t have nice things.”
In many ways, it may be too late to prevent these big social networks from using your phone number how they see fit. Facebook told me that they will only delete your phone number from their records if you delete your entire account. (And much as I’ve been tempted to, I’ve been unable to take that drastic step.) Twitter requires a phone number for 2FA, even if you use an app, although it says that may be changing.
Fortunately, there are other ways to secure your online accounts without handing over a phone number. Facebook, Twitter, and most major sites allow a second 2FA method that uses a free app to generate short-term codes you can enter into the site to verify your identity, just as you would with a code that is texted to you.
Related: Here’s how to wrangle your passwords without going crazy
Authentication apps remain the best way to secure your online accounts, particularly Authy, a free app for Android, iOS, Windows, and macOS that’s intuitive to use. After you register your Authy account with the websites you use, the app backs up your 2FA setup registration to the cloud and syncs it across multiple devices, making it easy to log in even if your phone breaks or is lost. (Though that makes it a tad less secure.)
Google, LastPass, and Microsoft also provide handy free authenticator apps for Android and iOS. And popular paid password managers like 1Password and Dashlane also incorporate a 2FA function.
Some sites and apps make it even easier by replacing codes with push notifications. When you log in to a website, you get an alert on the authenticator app and press a button to confirm your identity. A site called Two Factor Auth provides an extensive list of whether major sites offer authentication based on your phone number or if they’ll also accept app-based 2FA.
What if you still need a phone number?
While most major sites allow authenticator apps, some are still stuck on phone numbers. But you have an option here too: Instead of your cellphone number, give them a Google Voice number.
Related: These 11 Facebook privacy tweaks put you back in control
For years, Google has allowed people to get free virtual phone numbers that can receive calls and texts just like a real number. (You can access it online or have messages forwarded to another phone.) Using them when you sign up for services is a great way to cut down on spam phone calls and also ensure that the company doesn’t have your real phone number forever. (A dedicated Gmail for spam is another good idea.)
One catch: Google requires you to provide a real phone number when you sign up for Google Voice. But you can delete the number in your settings after you’ve set up the service, though that means you won’t be able to have messages or calls forwarded to that number. Unlike Facebook, Google at least claims that it will honor user requests to delete their data. Even if it’s lying, you’re giving your real number to just one site instead of every site that requires a phone number for 2FA.
Still, there are times when you may want a company to have your real number. Banks may support authenticator apps for 2FA, or work with a Google Voice number. But if a crook has been messing with your bank account, you might want to get an alert about that ASAP.