It’s not unusual for sites and services to offer additional forms of protection on top of regular security features. Some of the bigger ones even go the extra mile, protecting from attacks up to a potential nation state level.

The most famous example of this recently is likely Google. Its Advanced Protection Program (APP) was deployed to warn people that Fancy Bear was on the prowl. We often see advanced security features like the APP feed back into security features for regular service users too. This is all very good.

What isn’t perhaps quite as good, is when not taking up the offer of additional security features results in a total lock out of your account. This is the complaint that’s been raised by many Facebook users over the last few days.

What happened?

Facebook has a service similar to Google’s APP which it is rolling out to users. That service is called Facebook Protect, and it’s being expanded to more and more countries. As per Facebook’s own description of what it does:

We’re expanding Facebook Protect, our security program for groups of people that are more likely to be targeted by malicious hackers, such as human rights defenders, journalists, and government officials.

No action is required unless you’re prompted to enroll.

We’re also making it easier for these groups of people to set up two-factor authentication.

Sounds like a good plan! However, the roll out and various interactions with Facebook Protect haven’t gone well for everybody. At the beginning of March, people started to receive emails out of the blue which also included a clickable button to set everything up. It also pointed out that if recipients didn’t enable the feature, they’d be locked out of their account.

When is/isn’t the promise of a lockout real?

This immediately threw recipients into confusion, as they tried to figure out if they were being phished:

The fact that Facebook said everything was “fine” if they navigated to the site directly didn’t help ease the feelings of confusion. While the head of security policy at Meta confirmed the mails were real, once the deadline had passed people started to flag issues with getting back into the site:

The lockout begins

As it turns out, many people are now indeed experiencing some form of lockout. Worse, they’re having major issues trying to resume business as usual. Most of the complaints I’ve seen are focused on the fact that they thought the clickable button email was some sort of scam attempt:

This on its own is fairly problematic for those affected. It’ll no doubt be fixed, but if you’re one of the people who ignored the mail, unfortunately there’s no ETA for a fix. What I find particularly interesting in this story is the knock-on effect on additional Facebook/Meta services.

A virtual headache

At launch, users of the Oculus Quest 2 headset found they needed to have a Facebook account in order to play. If the account was banned, bad luck – no more Oculus Questing for you. While it’s been mentioned a few times that Facebook-free headsets will be with us at some point, this doesn’t help people caught by the Protect problem. This is because not only will you lose the ability to use your headset if banned, you’ll also suffer the same fate if the account is disabled for some reason.

Locked out due to not clicking through on an email from the start of March? It’s not just your social platform impacted, it’s your headset, too. As one device owner put it, they’ve had their headset “bricked” to protect them from hackers. They too are suffering from the various options to re-enable things not currently working.

As we mentioned above, this will no doubt be fixed down the line. However, a lot of people really need access to their accounts and devices as soon as possible. For now, it’s a case of the waiting game – all because of an unexpected email and a suspicious looking button.