68 comments

[ 2.7 ms ] story [ 110 ms ] thread
A phone one is nursing homes.

When selling medical insurance, you may discover that 10-40 people all have the same phone number.

Extra attention is needed to ensure your not spamming them.

> Extra attention is needed to ensure your not spamming them.

And simply the fact that a phone number can belong to multiple people and thus should not be used as a canonical user ID. Your system should consider phone numbers purely as a contact/second factor method and should allow multiple accounts to share the same number.

In Egypt, it is common for phone numbers to be written in native digits.

Huh.

Many languages have different symbols for the digits (1, 2, 3, ...).
In this case it may be unexpected because [0-9] are called "Arabic numerals" after all. But Western Arabic and Eastern Arabic numerals have diverged even though they share the same ancestry.
About #7 (Each country calling code corresponds to exactly one country) and Russia, Kazakhstan. While it's true that +7 corresponds both to Russia and Kazakhstan, following 3 digits uniquely identify a particular country (e.g. +7 701, +7 702, +7 777 are Kazakhstan, +7 499 is Russia). So for this case you can distinguish between those countries, you just have to use a big database of longer prefixes. If this is important for software, of course. Maintaining that kind of database might be hard.
I've been involved in trying to create services and authentication for two web applications with the help of SMS API services from several of the largest international providers of such services. It has been amazing to see how large portion of the authentications SMSs and other messages do not reach the receiver at all. Some numbers don't seem to be reachable at all and some numbers can be reached most of the time, even though the numbers are totally valid mobile phone numbers. At least in Finland this is the case when using the international SMS API service providers.
This is particularly sad from the perspective of PWAs because in many cases SMSs could act as an easy replacement when push notifications are needed.
From their page: An individual has a phone number

Some people do not own phones, or do not wish to provide you with their telephone number when asked. Do not require a user to provide a phone number unless it is essential, and whenever possible try to provide a fallback to accommodate these users.

How does that apply to gmail? Nowadays you can't register a gmail address if you don't provide a phone number.

Well, it's not like it's illegal to require a phone number. Google has simply decided that a phone number is a requirement due to security considerations.
Security has nothing to do with why they want your phone number. Your account is far less secure if it can be stolen with a sim card than if there's no 2fa at all.
Um, Google’s ulterior motives aside, how is it less secure to require a physical artifact in order to authenticate? SMS may not be the most secure channel ever, and SIM swap scamming is a thing, but seems to me that breaking even SMS-based 2FA requires quite a lot of effort per victim.
If I want your account and you have SMS based password reset I can do some social engineering and get in in a couple hours (if multiple tries required).

If I want your account and there is no SMS password reset I'm done unless I have previously compromised your backup email.

But SMS reset here stands opposed to other, less secure reset mechanisms, because more people have a phone number than a backup email account (especially that they can reliably access).
Authenticator apps require a physical device, but not a phone number. That's what I mean: They don't need your phone number for any reason, and any 2FA based on the number is insecure.
> it's not like it's illegal to require a phone number

I'd be very careful asserting this is universally true. Maybe to be filed under "falsehoods programmers believe about law".

Fair point. I just meant that the falsehoods list is written from the point of user-friendliness, accessibility and inclusivity, rather than possible legal requirements.
Pretty insane. I've been dodging Google's, PayPal's and Amazon's attempts at getting me to 2fa my old accounts with a phone number on every login for years. And glad I did, after my brother got simjacked and immediately had all his accounts compromised as a result. A private email server is the only secure recovery method these days. Not that it's totally secure. Just a harder target.
Tips on making one?
Buy a domain from a registrar. Then either stand it up at home if your ISP is willing to lease you a static public IP or pay for hosting with a hosting provider. Which email server to use is a conversation all to itself.
And it's pretty ironic that this list comes from Google itself... well, or at least from someone that in 2016 was at Google.
It's possible to sign up without, probably depends on some analysis on your IP and environment. Sometimes I get a good IP and manage to sign up for 2-3 accounts before it demands a number. However, those accounts are more likely to get locked up in the future, requiring a phone number to unlock.
> Sometimes I get a good IP and manage to sign up for 2-3 accounts before it demands a number.

And this is why services like Gmail ask for phone numbers. Can I ask why you make so many Gmail addresses?

I've used to use them as an OAuth provider for a different service. Now it's not worth the effort. They are also needed to use Android hardware with a functional store. Unfortunately those things are tied too much together.

I can't say I blame them for doing that, although I'd appreciate them having different measures against truly mass account creation compared to my very humble manual work.

I wish there was a similar list: Falsehoods Programmers Believe About Human Names.

Billions of people don't follow GivenName SurName format that is common in the Western English culture. Yet most places online believe this to be true.

Shameless plug: I have given a talk about this a couple of times: https://www.youtube.com/watch?v=NfKhY3sAQ9E

But also, such a list does exist! https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-...

I have a - in my name, and while I’m used to websites not accepting this, it’s always interesting which ones give a neutral error like “only letters and numbers allowed” vs an insulting error of “please enter a valid name” when I try to see if their firm will accept my correct name.
That's quite incredible to learn, so many French (or Belgian/French-Canadian) names contain hyphens. I find it amazing that this wouldn't be taken into account worldwide; who hasn't heard of Jean-Claude Van Damme for instance?
It's also very common in the US to hyphenate family names when two people get married. e.g.: John Appleseed-McIntosh
Why does that need to be insulting? It's correct in that context. Only names of a certain format are valid inputs to their system. It's not a personal attack
It's the difference between saying "our system cannot handleyour name" and "your name is wrong". One is a limitation of a program, the other is dehumanizing.
What reasonable evidence do you have to think that "valid" in that context is saying your name is wrong, rather than that the system cannot handle it?
What makes you think I care what the author meant to say? I'm discussing how people read it.
I don't think we should care about people having such unreasonable interpretations. It's fair to expect adults to have enough emotional maturity to differentiate between the limitations of a website interface and a personal, targeted attack.
I don't think it's an unreasonable interpertation. The OP of this chain read it that way. I read it that way.

If there are two phrasings, and one is read correctly by everyone, and the other is read correctly by half the world, it's the first that is correct.

I have a strong hunch that you, OP, and me don't make everyone. I also don't accept your premise about interpreting a phrase. In different times, "everyone" would consider it correct to say things like race X is superior to race Y. Do you now hold that that claim would be correct too?
Another one: Mobile phones always received SMS texts.

This may be untrue because of reception issues (phones out of coverage areas or on their fringes) or because the phone number is associated with a non-phone device (e.g. LTE modem) that is not able to deal with SMS traffic.

This one is particularly galling for me, as I live in a fringe reception area (because topography happens!) but so many corporate devs labour under the illusion that we can all receive texts, and receive them instantly. This can have serious real-world consequences. (Try telling a certain bank's debt-collection department that text messages delivery is unreliable.)

Yes, it's surprising how large amount of the SMSs get lost. At least in Finland this has been the case when using the most popular international SMS API providers. I previously thought also that eventually the messages will be received but have learned otherwise after trying several providers for two different apps. And I have not even found any good explanations for the SMSs getting lost. I think this is sad from the perspective of Progressive Web Applications because often SMSs could act as an easy replacement for push notifications (which are kind of unavailable/unreliable for PWAs).
When you realize that SMS is a hack and not a service that was designed from the ground up to do what it does it isn't all that surprising really.
This is true. However, email is explicitly not a reliable/guaranteed delivery system, so, despite the fact that is is really quite reliable, we keep that in mind when designing systems that make use of that channel of communication. SMS? Not so much. Idiots persist in thinking of it as reliable/guaranteed.
Your point would be more widely listened to if you used the less condemnatory label "The uninformed" instead of "idiots."
A dentist appointment got missed by me because of that.
We also have people using SMS as a 2nd factor for authentication, account recovery mechanisms, unique identifier, advertising medium...
Like many people, I barely send SMS these days. I thought I'd have a look at my texts from the last month, to add to this discussion.

Here's what I see looking in my messages app - the last message in each of the most recent "conversations" :

50% off Pizza

A 2 factor authentication code for a government website

A person responding to a text I'd sent saying I'd phone them back

Another 2 factor code for some app

A conversation I had in a rare moment where I had phone signal but not a data connection

A link to my latest phone bill

A message from my countries national health service saying I could finally get a 2nd dose of vaccine

A text from my bank

Someone I know well enough to have their phone number, but don't talk to enough to have switched over to something else

For a long time (and maybe still) you had to have a phone number to register a .com domain. This was a particular annoyance when I wanted to do this but I didn't have a phone number. It was the days before cell phones were really cheap and I used a public payphone whenever I wanted to call anyone.
How were you connecting to the internet at that time?
Through my university.
18. Phone numbers contain only digits

This one was not obvious, but sure it is possible. DTMF [0] encodes digits 0-9, symbols * and # as well as letters A to D.

[0] https://en.wikipedia.org/wiki/Dual-tone_multi-frequency_sign...

Okay, both * and # do have meanings in certain areas (and still are), but outside of US military (and this is actually already historical, nowadays priority is linked to the specific handset and some lines are always reserved) Priority A (Flash Override (FO), for Presidential use), Priority B (Flash (F), for breaking events), Priority C (Immediate (I), for urgent but non-life and security-threatening events), and Priority D (Priority (P), officers versus ordinary soldiers) are never used because a) due to the possibility of confusion with numbers like 1-800-ALPHABET and b) AT&T have invented Priority signals specifically for US military's use (although standardised now internationally for some reason: https://www.itu.int/rec/T-REC-Q.955.3-199303-I/e).
If we are talking about phone numbers for humans - maybe true. Phone network routing numbers can and do contain A-E.
I mean, for the purposes of `libphonenumber`, PrioA-D is not used.

Also, as far as I know most things are sent out-of-band anyways, but I wouldn't be surprised if there's some legacy system out there which work only on DTMF.

There’s another obvious one that seems to be often ignored - users have phone numbers that aren’t formatted like they are where your company is located (looking at you, Silicon Valley).

I left the USA, and have had huge amounts of trouble with a non-usa phone number. It ranges from unusable web uis to complete lockout (usually around 2fa).

Love libphonenumber. Have taken advantage of it for every company I’ve worked at across half a dozen languages. The APIs are designed such that you need to dig into the subtlety of phone numbers a bit, which is really great.
My gimmick with it was to wrap it in a PowerShell module and then use it to clean up the phone numbers in Active Directory.

It's oddly satisfying seeing a bunch of randomly formatted phone numbers suddenly convert to perfectly aligned, nice clean international standard format numbers.

Um, I didn't believe any single of those.
Clearly you're not a programmer.
> An individual has a phone number

> Some people do not own phones, or do not wish to provide you with their telephone number when asked. Do not require a user to provide a phone number unless it is essential, and whenever possible try to provide a fallback to accommodate these users.

Does anyone know how to create an Apple ID without a phone number?

Someone should send a copy of this to the Microsoft Teams group. If you want to signup with your personal account to Teams you need a unique phone number. Not a unique email, a unique phone number. Someone else registered to Teams with your same number, you can't sign in. Have kids and they need to attend an online class, you can't sign in. Also, their solution is for you to simply get another phone number, hopefully one that isn't being used by a Teams account.
This drives me up the wall. I have tried to conduct business with companies many times, but they require that I have a mobile phone - Looking at you, Stripe, as well as other companies doing the same that I've had problems with.

I do not own a mobile phone, because the f-ck if I am going to give some company my location for my entire life. Thanks, but no. It's just how I roll. I also never been on social media from the start for the same reasons. People called me paranoid back 15 years ago, but now I just laugh when I see people losing jobs and careers from a careless post 20 years ago. Nope, not me, no to social media or mobile phones or any other tracking devices. And no, I will never buy a car with tracking on it. I'll continue to buy older cars before I do that.

So, I have a VIOP, but these companies do not allow using my VOIP. Or a burner phone either.

So now I might have to break down and get one because so many companies are starting to require it, so I might get a Mint Mobile phone as it is $15/month. I'll get mobile phone with a removable battery and when not using it I'll remove the battery and sell as store it in a Faraday bag, in case removing the battery doesn't work, and then on top of all that I will leave the phone in my office and never bring it anywhere or use it ever except for those rare circumstances when I need to verify I'm me. Try tracking me now, bitches.

But it pisses me off that I will have to spend $250 for a phone and a year's worth of air time for nothing. Fluck you, Stripe, and other companies requiring a mobile phone.