The absolute fail of Facebook's 2-factor
I was worm-holed out of the Metaverse and how you could be too
We live in a two-factor, authenticated world. You sign in with a password. You get a text or a push notification from a 3rd party app. It makes the digital world more secure.
I get it.
And I agree that, typically, the added security outweighs the temporary annoyance or inconvenience of setting up two-factor.
That is, until the whole apparatus falls apart. As it has with my Facebook account.
The social media giant, with its multi-billions, has likely spent multi-millions of Research and Development dollars and leveraged the time and energy of sharp and creative minds to design, test and user-experience the heck out of this process.
But somehow they all missed this one thing!
There’s a gaping hole users can fall through, and I’m calling it Facebook’s two-factor hell loop.
Introducing the Facebook two-factor hell loop
After submitting a password, users get a pop-up that requires a 6-digit code (produced by a code generator or sent by SMS), which they must enter to verify their identity and access their account.
If a code is not generated or received, Facebook’s only solve is to require the user to open the app on their phone and follow the above instructions. However, if a user cannot clear the two-factor stage, they cannot access their account via the app or desktop in order to make any changes.
In a nutshell, if you lose the ability to get a generated code from Facebook’s two-factor feature, their only solve is for you to change your settings within your account.
And that’s the problem. Without the code, you can’t access the account.
It’s the “I don’t have a job because I don’t have experience / I don’t have experience because I don’t have a job” version of account login. Essentially, I've been worm-holed out of Facebook’s Metaverse and can’t get back in.
How I lost access and how you could too
As far as I can tell, when I changed phones in the New Year, the hell loops slowly started to form a silent, invisible wormhole. It quietly, subversively pulled me through. And now there's no way back in.
I didn’t change my number, just my phone, where I was sent two-factor notifications for both app and desktop logins.
After a routine password change for a corporate FB account as a security measure, suddenly I no longer received the 6-digit, two-factor code. Ever since that moment I’ve been unable to access my personal Facebook account or the handful of business Pages I help to manage.
That’s it. Poof!
It’s not me, it’s you
While there may be an obvious answer to this problem, to conjure Seth Godin’s principle, Facebook's two-factor is broken.
I’ve done everything that an end-user can do, including:
read all of FB's wikis (like these, which provide no exit from the hell loop),
reset the password multiple times,
had designated friends verify my identity and send a series of codes to prove it's me (note: it was never an identity issue),
chatted with a FB support tech who sent 3rd party articles like this in an attempt to resolve the issue, but which, ironically, did not address the fact that the two-factor wall prevents me from accessing the account itself to make any changes,
considered having my wife report me deceased so that I can at least shut down the accounts, and then
read the articles and blogs of people also locked out by two-factor, like this guy, to at least feel some camaraderie.
What I didn’t do and what you should do right now
I didn’t save my authentication key. I didn’t realize how important it was. It’s not intuitive to stop and save this code when you’re out-and-about on your phone. But this is critical (so if FB access is important to you, maybe go save it now…or after you finish reading this article).
I didn’t expect I’d lose access on both the app and the desktop at the same time.
I haven’t yet been able to connect with a person at Facebook who can address a two-factor reset question directly (someone who is able to give more info than what’s already accessible on FB wikis, like this). If I could, I think the problem could be solved in approximately 41 seconds. My hunch is that someone simply needs to reset my authenticator. But Facebook help from a human seems virtually impossible for a normal end-user like me.
Key takeaways to avoid the hell loop
The key warning to individuals, artists or business owners with personal accounts or Pages on Facebook is that you should save and file your authentication code to avoid a situation like this. If you change your phone, having that code on file can prevent you from getting worm-holed out of your account through a two-factor hell loop.
Also, if you have two-factor set up, before you change phones, make sure you read a wiki on what to do to ensure continuity between devices. Note that the article linked here doesn’t get the SMS factor right; as I’ve learned the hard way, continuity is not guaranteed.
Life after Facebook
There’s definitely (abundant) life after Facebook. What’s sorta funny about all of it is that I don’t miss being on the platform (not the doom-scrolling and definitely not the hot political takes).
I do miss the ability to purge-sell on Marketplace and to message friends and family directly. And I miss connecting directly with friends and followers of my production studio or writing pages, and I've lost all functionality between my IG app and FB. This is rather inconvenient.
If you follow me on Facebook…
… now you know why I've been absent or haven’t returned your messages. I'm not trying to ignore you. But, if you found me again, you can follow me here and we can resurrect our digital friendship.
Feel free to drop me a message here to let me know how your cats are doing, if you're still interested in the espresso machine I was selling on Marketplace (it's a Breville that retails for $250 that I'll part with for $85), or let me know if I've missed any really great conspiracy theories in the last 5 months.