Companies must stop requiring people to link their phone numbers

65 points by nabazlbhf1337 ↗ HN
With the growing number of people working remotely from anywhere this presents a major challenge for people who travel frequently. Each country is a new sim card and a new phone number. The only way to get past this is to have one universal phone number. Something like Google Voice. However, some places are now blocking "prepaid" phone numbers. Like, okay. I guess I'm just not allowed to use your app. Stick to emails. People barely ever change their emails.

50 comments

[ 2.8 ms ] story [ 46.9 ms ] thread
While this is a major problem for people in your situation, there are no other reliable ways to identify a person and ensure one account per user.
Why are phone numbers being viewed as the single source of truth? What's to stop someone from having a second phone number?
Friction. Getting a second phone number requires you to actually spend time and money on it. And with services blocking "prepaid" phone numbers (as mentioned above) you need either multiple phones or constantly swapping cards. Most people don't want to go through the hassle.
There is nothing that is absolutely categorically capable of singularly identifying an individual natural person except that person’s physical body and even then biometrics need to be carefully created.

Everything else has a statistical probability of correlating with a natural person. The probability of phone numbers as identification is good enough. In fact it is great.

All or nothing reasoning is incorrect. It is only useful when you need to capture literally every case, which isn’t the problem here.

This seems like a missed opportunity after all these years.

Nobody's tried to go into the business of "verifying individual humans" and succeeded? Seems like that could and should be just a single facet of a very big online ID service.

Basically something like Oauth but for real ID, where you can approve/deny requests for variable amounts of identifying information.

It's not like all that information isn't floating around anyway. CreditKarma certainly knows enough about me to offer such a service.

Lots of companies will verify individual humans, but they're all far too expensive to use free SaaS products.
I think what is needed is a chain of ID verification systems.

At one end would be a service where you verify you identity when signing up to the service by showing up physically and showing them your government issued photo ID. They photograph you and fingerprint you and take your signature and add all that to their records.

Let's call this service a root identity service. Banks would be great candidates for providing root identity services.

You can use this service to create a verified identity with other services. You would generally only do this with the most important other services, such as your email provider and/or if you have your own domain your domain registrar.

The way you would do this is when signing up with your domain registrar, say, you tell them that you want to verify your identity with your root identity provider. There would be a standard protocol for the registrar to query your root identity provider and for you to tell the identity provider that you are indeed trying to prove yourself to the registrar.

Once that is done, the registrar can set up your account as normal with a username and password and whatever 2FA methods they support. But since you have verified your identity with your root provider, the domain registrar would let you set an option to require re-verification with the same root provider if you need to recover your account after forgetting your password or losing your 2FA device, and to prohibit ever changing the root identity associated with the account.

Someone might steal your domain registrar account somehow, but you can always prove you are the owner and get it back as long as you have not lost control of your root identity account. If someone manages to get control of that, you can get that back first by going in person to an office of the root provider with your government ID, and having them in person verify that, and that you match the other ID information they have on file.

Now you can make Google accounts and Facebook accounts and similar. Those accounts you just associate with an email address. If one of those accounts gets compromised, you recover by going through the usual common recovery method that involves proving you control the email address associated with the account.

You can then use things like "sign in with Google" or "sign in with Facebook" for other accounts, confident that if someone hijacks your Facebook or Google account, you will be able to recover that, and so recover the accounts you use Facebook or Google to sign in to. (You still have to worry about Facebook or Google themselves kicking you off of course, but that's not a problem of identity verification so is beyond the scope of this comment).

The idea is you build a chain of identity, with different links in the chain making different choices in the trade off between security and convenience. You decide where you want each thing to be in that chain, but as long each identity chain leads back to a root identity provider you can rebuild the links and recover any lost or stolen accounts.

> With the growing number of people working remotely from anywhere

It's growing, but it's still tiny. Most companies doing this are willing to lose users who don't have permanent phone numbers in order to gain a quick, easy, semi-reliable way to prevent fake account registrations.

> Stick to emails. People barely ever change their emails.

This is factually wrong. People get married, get divorced, change employers, graduate from school, etc. Email addresses change a lot.

Your suggestion also misunderstands (or ignores) the entire point of requiring phone numbers. They're not as easy to register as email addresses, so you're more likely to get a 1:1 relationship between phone numbers and individuals.

I could literally go out right now and activate quadrillions of valid email addresses within 20 min, and all of them would work. I can't do the same with phone numbers.

I can get thousands of valid phone numbers for temporary use in 15 minutes. I’d say they are both about equal.

No one needs quadrillions of anything, thousands is enough to do 99% of tasks.

> I can get thousands of valid phone numbers

How?

Any VOIP DID provider with a provisioning API, like Twilio or Anveo.
I'd argue the infrastructure between phone numbers and e-mails are different enough that filtering for fake phone numbers is easier.

You can look up carrier data on a phone number easily enough, and if you're in the industry you have a general idea of which carriers are the ones that actually follow the rules for registering a number. You filter on the ones that don't.

But the point is, you wouldn’t be able to use any of them if the service wanted to block voip numbers. I went through a few providers because I wanted to see what was going on with Parler but didn’t want to share my real number.

Nothing worked.

> I can get thousands of valid phone numbers for temporary use in 15 minutes.

Not cheaply. Even on cheaper VoIP services, that would cost you $1,000+/month. Not a great price point if you're trying to spam something like a social network or post fake reviews, because each of your accounts is unlikely to generate enough to pay for the number.

Plus, many of the numbers will already be blacklisted because they're VoIP numbers or because they've been used for spam already.

> No one needs quadrillions of anything, thousands is enough to do 99% of tasks.

My point is that there are ~8 billion possible phone numbers in the US, when you account for reserved numbers. Many are already in use, many are blacklisted. Each costs $6-12/year to own through the major VoIP services.

There are essentially infinite email addresses, and each costs ~$0/year.

Which one do you want to use as a point of friction for signing up for your service?

Personal emails DO NOT change a lot. This is dishonest because they change extremely infrequently as a universal contact identifier.

I had an email startup. Emphasis on had. People are very reluctant to switch email providers and email addresses.

What may change more are business, affiliation, and ephemeral email addresses, but most people don't go around changing their personal email addresses like bathroom wallpaper.

Like I said, there are various life stages where your email address changes. A lot of people sign up for things with their employer-provided email address as well.

Phone numbers really only change when someone moves to a different country or absolutely can't port their number, which is rare these days. They change much less frequently than phone numbers change.

Source: API logs from an auto insurance backend that I maintain

And also people on networks that won’t deliver their providers messages. I can’t sign up for Twitter for example.
I am not sure why you do not use Google Voice. I have been using it for 9 years now. I have a OBi202 box attached, so I can use a normal hand set. It is our house phone.

Yeah back in the day, people had one phone in the house and everyone shared it.

But google voice I can use the box or my laptop to answer, it takes voice messages, and text messages.

All in all a GREAT service.

Apparently you didn't read the post. I do use Google Voice but some platforms are now blocking that
I have a GV number, but one problem is that it has been broken, for many people, on Android for over a year. It works only for outgoing calls, failing to ring on incoming calls.
It's available in the U.S only. If it were available here in Germany, I would love to use it, but until that I have to use some burners which is getting harder every day since you are required by law to link your ID to a phone number to activate it (even prepaid).
Just make it up like the rest of the registration details
They have a nasty habit of sending out verification codes
It drives me nuts that 2FA is being expected by companies, and yet they're not providing employees with a phone. If you do want me to use 2FA, provide me with a device I can do it from. I do not use my personal devices for work.
I have been holding the company ipad hostage since the day I joined. I need it for work and either you pay for the device or I keep this ipad till I leave.

They said that they will give me the ipad till I got a functioning Android/ios phone on my own cost. Why would I do that? Anything in company property needs to be signed off to them. There is only one app on there: Okta

I’m the only one at my company who uses a USB key for 2FA. Zero interest in an app on my personal device.
The exception I make is that I use Google Authenticator for my work 2FA (via Okta). I also have a yubikey set up but our VPN application doesn't work with it.
Yeah I have no problem using GA for work stuff, but I’d be interested in reasons against it.
Isn't it purely about ID?

Uber/Ebay/WhatsApp don't want you behaving badly, getting kicked or low ratings and then just binning that login and starting over. Phone numbers (and banning prepaid or temp numbers) are the best way to make that hard and to link one actual human to one account.

I'd like to see some alternatives, but so far this is the easiest way to make sign up rapid/easy while still making sock-puppetry hard.

The better solution is to link verified phone numbers in one account. You would need access to both numbers simultaneously of course.

However since this is non-trivial to implement as it requires indirection wherever authentication is performed or identity is asserted, requiring fundamental architectural change for most platforms, the engineering cost vs marketing benefit applies.

So the priority level “MUST” is questionable since almost no one has this problem. It is more likely that the solution will be an ever increasing number of cell companies will have agreements for international roaming.

Are you from a first world country? It sounds like you're from a first world country! There's a legitimate reason to use phone numbers - email hasn't worked in many third world countries such as India. But everyone understands and has a mobile phone already, and thus it becomes perfectly manageable. This is why whatsapp succeeded, they zeroed in on the phone number (and the OTP instead of an account) as a way to authenticate and identify users. If someone's in your contact list, you instantly can connect with them! The level of integration of whatsapp into every aspect of the average indians life is insane and incomparable to what you might see with email or any tech software idea in a place like the US.

Furthermore, almost no service in India uses passwords, everyone uses OTPs. And initially people were not aware and there were lots of social engineering fraud, but now everyone knows not to share OTPs with others, and frankly this looks like a far more secure method than the password based auth systems prevalent in the western world.

Further there's an even bigger incentive in places like India - easy control of spam. I am not aware of any easy method to procure phone numbers here without linking it to your identity, so it becomes much harder for spam account creation. You could call this draconian but I don't see any problem with this behavior from the company's perspective.

Spam is a behavior, not a person. But kf you want to demand ID, just demand ID!

There's no reason to require phone or email; let the user choose their preference.

OTPs are great, until someone calls up your phone company and social engineers their underpaid support staff into giving them control of your phone number.

This is not speculative. I've literally had to help relatives with this exact security breach.

Using phone numbers for 2FA is insecure for that very reason. You are entrusting all your personal security with the phone company. Using a OTP by phone number as your only authentication factor is much less secure than a password + 2FA.

An authenticator app, such as Authy, faces none of those security issues.

I'm presenting the thesis that this system works in places like India and Brazil. I don't have data on my hand that such number transfer social engineering hacks are possible/prevalant here, do you have any?
"here" is relative. Here's one data, this one from Canada: https://youtu.be/LlcAHkjbARs at 3:48
Seems like it's a problem in countries where companies bend over backwards to appease customers, also including when they shouldn't. In other places the agent will just go you're SOL if you called asking to change ownership.
Very untrue, it's a pretty common way of stealing social media accounts like Twitter and YouTube accounts. Happens all over the place, definitely in places like USA.
> But everyone understands and has a mobile phone already ...

This is NOT true. I used to live in part of Cornwall (South East UK) which has no mobile tower coverage.

So, no mobile phone #. That became an extraordinary PITA once some idiotic major companies decided the "everyone has a mobile" meme was true.

Mandatory 2FA using mobile number only text messages -> worst idea ever. :( :( :(

Mobile coverage is outrageously good in places like India. Except if you go to actual villages. But then if a place doesn't have running water or electricity and you're worried about logging into your bank account, I suppose reorienting priorities might be expected.
It’s even dumber where in the name of security they disable things like Google Voice that allow you to get SMS messages without cellular.

Chase bank in the US decided to break this recently. Like you, geography means I don’t have a mobile in many scenarios.

I believe if in 3rd world country I would be able to sniff on GMS traffic and get OTPs easier than a regular password.
Apparently I have to resurrect an old t-mobile to gain access to my credit karma account. I'm not sure this is even possible. Customer service seems to have a language problem Do I just lose my account in this case? What do people do about this sort of thing?
With companies still requiring phone numbers, Google Fi might be a good option if you have a US address. You keep the same number as you travel worldwide and there are no international roaming charges.

Edit: There are no international data and texting roaming charges. Cell based calls can be about $.20 per minute, but wifi calling is free.

Google voice is a better option, costs wise. You can port numbers in.
I use and like Google Voice, but I do find that some sites won't accept a google voice number for text messages. usually for 2factor. I would like to know what the difference is?
From my understanding Google Voice is still managed more like hacking SMS capabilities onto a "landline" number than being a true mobile operator.

I've also started experiencing issues with a certain bank no longer accepting it for SMS. Luckily they offered an RSA fob.

I get a minor anxiety spike every time I log into an infrequently used services with SMS based 2fa.

Yesterday, discord asked me 'to identify myself using my phone number'. I really wonder how my identity is linked to my phone number. So wrong.
People aren't traveling that much, especially across nations.

So it's still not that much of a problem.

Meh.

>>Stick to emails. People barely ever change their emails.

As someone who uses the same gmail address since 2004 I thought that's what everyone does. Then I've started selling software and to avoid collecting personal data I've decided to link licenses to email addresses. Having sold 10k+ commercial licenses I get to deal with email address related problems about once a day (email address expired, blocked, access was lost, the provider doesn't allow using it from current location, the company closed, the university doesn't let you use it anymore etc.).

Fortunately security doesn't really matter that much to us. Worst that can happen is someone gets to use additional license. We don't collect any personal information so there is nothing to leak. If that wasn't the case though and we had any kind of personal information linked to licenses I would really like to avoid using email addresses for anything. The simple: "Hey, my name is X Y, I lost access to abc@test.com address, can you please let me use another address" becomes a security nightmare.

It's one of the things you learn once you start doing something on a bigger scale. Some other things which I've learnt actually happen but never happened to me: SSDs fail, RAM fails quite often, a lot of stuff fails with some Windows settings that won't ever fail on 10 computers you test it on etc. etc.