Companies must stop requiring people to link their phone numbers
With the growing number of people working remotely from anywhere this presents a major challenge for people who travel frequently. Each country is a new sim card and a new phone number. The only way to get past this is to have one universal phone number. Something like Google Voice. However, some places are now blocking "prepaid" phone numbers. Like, okay. I guess I'm just not allowed to use your app. Stick to emails. People barely ever change their emails.
50 comments
[ 2.8 ms ] story [ 46.9 ms ] threadEverything else has a statistical probability of correlating with a natural person. The probability of phone numbers as identification is good enough. In fact it is great.
All or nothing reasoning is incorrect. It is only useful when you need to capture literally every case, which isn’t the problem here.
Nobody's tried to go into the business of "verifying individual humans" and succeeded? Seems like that could and should be just a single facet of a very big online ID service.
Basically something like Oauth but for real ID, where you can approve/deny requests for variable amounts of identifying information.
It's not like all that information isn't floating around anyway. CreditKarma certainly knows enough about me to offer such a service.
[1] https://www.veriff.com/pricing#starter-plans
At one end would be a service where you verify you identity when signing up to the service by showing up physically and showing them your government issued photo ID. They photograph you and fingerprint you and take your signature and add all that to their records.
Let's call this service a root identity service. Banks would be great candidates for providing root identity services.
You can use this service to create a verified identity with other services. You would generally only do this with the most important other services, such as your email provider and/or if you have your own domain your domain registrar.
The way you would do this is when signing up with your domain registrar, say, you tell them that you want to verify your identity with your root identity provider. There would be a standard protocol for the registrar to query your root identity provider and for you to tell the identity provider that you are indeed trying to prove yourself to the registrar.
Once that is done, the registrar can set up your account as normal with a username and password and whatever 2FA methods they support. But since you have verified your identity with your root provider, the domain registrar would let you set an option to require re-verification with the same root provider if you need to recover your account after forgetting your password or losing your 2FA device, and to prohibit ever changing the root identity associated with the account.
Someone might steal your domain registrar account somehow, but you can always prove you are the owner and get it back as long as you have not lost control of your root identity account. If someone manages to get control of that, you can get that back first by going in person to an office of the root provider with your government ID, and having them in person verify that, and that you match the other ID information they have on file.
Now you can make Google accounts and Facebook accounts and similar. Those accounts you just associate with an email address. If one of those accounts gets compromised, you recover by going through the usual common recovery method that involves proving you control the email address associated with the account.
You can then use things like "sign in with Google" or "sign in with Facebook" for other accounts, confident that if someone hijacks your Facebook or Google account, you will be able to recover that, and so recover the accounts you use Facebook or Google to sign in to. (You still have to worry about Facebook or Google themselves kicking you off of course, but that's not a problem of identity verification so is beyond the scope of this comment).
The idea is you build a chain of identity, with different links in the chain making different choices in the trade off between security and convenience. You decide where you want each thing to be in that chain, but as long each identity chain leads back to a root identity provider you can rebuild the links and recover any lost or stolen accounts.
It's growing, but it's still tiny. Most companies doing this are willing to lose users who don't have permanent phone numbers in order to gain a quick, easy, semi-reliable way to prevent fake account registrations.
> Stick to emails. People barely ever change their emails.
This is factually wrong. People get married, get divorced, change employers, graduate from school, etc. Email addresses change a lot.
Your suggestion also misunderstands (or ignores) the entire point of requiring phone numbers. They're not as easy to register as email addresses, so you're more likely to get a 1:1 relationship between phone numbers and individuals.
I could literally go out right now and activate quadrillions of valid email addresses within 20 min, and all of them would work. I can't do the same with phone numbers.
No one needs quadrillions of anything, thousands is enough to do 99% of tasks.
How?
You can look up carrier data on a phone number easily enough, and if you're in the industry you have a general idea of which carriers are the ones that actually follow the rules for registering a number. You filter on the ones that don't.
Nothing worked.
Not cheaply. Even on cheaper VoIP services, that would cost you $1,000+/month. Not a great price point if you're trying to spam something like a social network or post fake reviews, because each of your accounts is unlikely to generate enough to pay for the number.
Plus, many of the numbers will already be blacklisted because they're VoIP numbers or because they've been used for spam already.
> No one needs quadrillions of anything, thousands is enough to do 99% of tasks.
My point is that there are ~8 billion possible phone numbers in the US, when you account for reserved numbers. Many are already in use, many are blacklisted. Each costs $6-12/year to own through the major VoIP services.
There are essentially infinite email addresses, and each costs ~$0/year.
Which one do you want to use as a point of friction for signing up for your service?
I had an email startup. Emphasis on had. People are very reluctant to switch email providers and email addresses.
What may change more are business, affiliation, and ephemeral email addresses, but most people don't go around changing their personal email addresses like bathroom wallpaper.
Phone numbers really only change when someone moves to a different country or absolutely can't port their number, which is rare these days. They change much less frequently than phone numbers change.
Source: API logs from an auto insurance backend that I maintain
Yeah back in the day, people had one phone in the house and everyone shared it.
But google voice I can use the box or my laptop to answer, it takes voice messages, and text messages.
All in all a GREAT service.
They said that they will give me the ipad till I got a functioning Android/ios phone on my own cost. Why would I do that? Anything in company property needs to be signed off to them. There is only one app on there: Okta
Uber/Ebay/WhatsApp don't want you behaving badly, getting kicked or low ratings and then just binning that login and starting over. Phone numbers (and banning prepaid or temp numbers) are the best way to make that hard and to link one actual human to one account.
I'd like to see some alternatives, but so far this is the easiest way to make sign up rapid/easy while still making sock-puppetry hard.
However since this is non-trivial to implement as it requires indirection wherever authentication is performed or identity is asserted, requiring fundamental architectural change for most platforms, the engineering cost vs marketing benefit applies.
So the priority level “MUST” is questionable since almost no one has this problem. It is more likely that the solution will be an ever increasing number of cell companies will have agreements for international roaming.
Furthermore, almost no service in India uses passwords, everyone uses OTPs. And initially people were not aware and there were lots of social engineering fraud, but now everyone knows not to share OTPs with others, and frankly this looks like a far more secure method than the password based auth systems prevalent in the western world.
Further there's an even bigger incentive in places like India - easy control of spam. I am not aware of any easy method to procure phone numbers here without linking it to your identity, so it becomes much harder for spam account creation. You could call this draconian but I don't see any problem with this behavior from the company's perspective.
There's no reason to require phone or email; let the user choose their preference.
This is not speculative. I've literally had to help relatives with this exact security breach.
Using phone numbers for 2FA is insecure for that very reason. You are entrusting all your personal security with the phone company. Using a OTP by phone number as your only authentication factor is much less secure than a password + 2FA.
An authenticator app, such as Authy, faces none of those security issues.
This is NOT true. I used to live in part of Cornwall (South East UK) which has no mobile tower coverage.
So, no mobile phone #. That became an extraordinary PITA once some idiotic major companies decided the "everyone has a mobile" meme was true.
Mandatory 2FA using mobile number only text messages -> worst idea ever. :( :( :(
Chase bank in the US decided to break this recently. Like you, geography means I don’t have a mobile in many scenarios.
Edit: There are no international data and texting roaming charges. Cell based calls can be about $.20 per minute, but wifi calling is free.
I've also started experiencing issues with a certain bank no longer accepting it for SMS. Luckily they offered an RSA fob.
I get a minor anxiety spike every time I log into an infrequently used services with SMS based 2fa.
So it's still not that much of a problem.
Meh.
As someone who uses the same gmail address since 2004 I thought that's what everyone does. Then I've started selling software and to avoid collecting personal data I've decided to link licenses to email addresses. Having sold 10k+ commercial licenses I get to deal with email address related problems about once a day (email address expired, blocked, access was lost, the provider doesn't allow using it from current location, the company closed, the university doesn't let you use it anymore etc.).
Fortunately security doesn't really matter that much to us. Worst that can happen is someone gets to use additional license. We don't collect any personal information so there is nothing to leak. If that wasn't the case though and we had any kind of personal information linked to licenses I would really like to avoid using email addresses for anything. The simple: "Hey, my name is X Y, I lost access to abc@test.com address, can you please let me use another address" becomes a security nightmare.
It's one of the things you learn once you start doing something on a bigger scale. Some other things which I've learnt actually happen but never happened to me: SSDs fail, RAM fails quite often, a lot of stuff fails with some Windows settings that won't ever fail on 10 computers you test it on etc. etc.