Holy crap - I guess the days of just going online and making an account are over.
I hope it's not the case (and I am enjoying my alternate, non-google emails) - but it seems that "so goes Google, so goes the web" has happened often enough that I worry
It's awfully hard to establish any kind of online presence without a mobile phone number these days. Google used to have the option to get a confirmation code by voice if you couldn't receive texts, but they discontinued it, and nobody will accept a Google Voice (or most VOIP really) number as valid.
If you ever want to get a feel for how truly not-free the Internet is, try browsing through a VPN for a few days. Lots of stuff doesn't load, period. And you'll get constant "we've detected suspicious behavior from your IP" warnings, followed by endless capchas.
iCloud Private Relay tends to work better than your average VPN, I suspect because it has a big enough non-technical userbase that just blocking it would lose customers
> and nobody will accept a Google Voice (or most VOIP really) number as valid.
Apple will accept a Google Voice number as a trusted phone number on your iCloud account, and it even works with their SMS 2FA, in the few places where they still support that.
VOIP has been ruined by the crooks (including the crooked extended warranty people who spam my phone from a different fake number almost every day); it was broken as designed.
The root of the problem seems to be that the POTS seems to demand a ridiculous level of trust of all participants, which does not scale beyond a handful of incumbent market participants.
I like being able to take my phone calls wherever I am, with or without cell signal. Don't blame the technology; blame the broken network.
> If you ever want to get a feel for how truly not-free the Internet is, try browsing through a VPN for a few days. Lots of stuff doesn't load, period. And you'll get constant "we've detected suspicious behavior from your IP" warnings, followed by endless capchas.
Their solution is to ruin someone else's access, too. I guess this is an important security alert: don't let people borrow your number to create a Google account.
Makes sense, but 1) Google still has a HUGE spam account problem and 2) this is going to hurt a whole lot of innocent people.
Phone number as unique person identifier is hugely problematic for a lot of reasons. I wonder how many accounts you could hack just by constantly acquiring new numbers in area codes where the supply is small and then trying to reset various things by phone number.
That's my impression too. This is a developer's forum. Readers here should have better undertanding than normal population that why this feature has been implemented. I am very surprised to see all these very negative and hostile comments. Instead a better discussion should be what's a better way to handle tricky situations like this, if there's any.
I'd also like to add that Google has atrocious customer service. In fact, the help forums are often just volunteers who don't even have the power to relay information to an actual support engineer. I recall seeing a few submissions here on HN about paying customers of Google's services getting banned or flagged by some algorithm by accident and then having no way whatsoever to actually get the situation straightened out. They even contacted Sales and those employees had no way of sending a ticket to anyone inside google capable of helping them.
So I sense some of the anger is due to google's reputation in this regard.
This is just a sad consequence of some merchants creating accounts in the thousands/hundreds of thousands and selling them to SEO/Marketing blackhats to use.
Google should simply have paid, in-person support for these issues. Cuts off the spam merchants, while still letting Joe Average create an account with their usual phone number once they've been verified as an actual person. That's got to have some value, even to Google themselves.
I don't think that would go over well. When Google asked people to share a national ID or credit card in the EU (age verification is legally required to be compliant with the new "think of the children" regulations in the EU's Audiovisual Media Services Directive), people online freaked out.
Another reason why phone number login is a ridiculous idea. Now this user is locked out and has to contact the CEO of Google for support. (Since there is no Google customer support)
We haven't even gotten to talk about SIM swapping and SS7 attacks yet. [0] Complete hell-hole of account takeovers.
A security key wouldn’t prevent spam since you can buy multiple. It would increase the cost of spamming, but it’s unclear of the relatively affordable price of security keys would love the needle enough vs attrition from legit users
You can buy more phones too, though presumably the phone companies don't sell bulk phone numbers for short term use and make it prohibitively expensive and time consuming to do so. Basically seems like it works by outsourcing those spam combating efforts to the local phone companies.
https://github.com/MattGorko/libu2f-emu can spin up virtual U2F tokens which are indistinguishable (in my experience) from real ones plugged into a USB port
Google is piggybacking cost-free on the ID verification efforts of phone carriers, so for whatever it's worth, this is a free solution — from Google's standpoint.
From a user standpoint, I know of no service that will perform ID verification for 'free' and certify that verification onto a third-party verification request. (Credit card verification, or mail-you-a-postcard verification, doesn't count, as there's no ID check.)
I believe this ends up having to be a government service, where the post office is obliged to certify third-party verification requests presented to it (for private parties, corporations, and/or government divisions), and this service is offered for free at personal-use volumes and for one postage stamp per request at for-profit volumes.
It's still possible a B-corp or non-profit could decide to offer this as a public service, but that would take a billion-dollar endowment and would duplicate the USPS frameworks already in place to check IDs and verify mailing addresses for Informed Delivery at every post office in the country, so I wouldn't bet on anyone taking on that cost without payment.
Yes, but my thought with (2) is you can use someone else's telephone number without their permission or knowledge until it is permanently blocked as a method of verification and authentication.
See, you've gone and ruined Jenny's chance of legitimately getting any online presence. Hopefully, she never forgets her password and needs to verify her identity.
I don't know why Google thinks it's okay to have volunteers with official looking titles (like Diamond Product Expert) giving support when there's no validation that what they're saying is correct. There are thousands of votes on this question; it should merit an actual response at some point.
Agree. To go further, I find these "community-powered" support forums infuriating to read, when they are run by a huge company that should be remunerating support staff.
Why anyone would volunteer to answer queries for free in this context is beyond me. What do they get out of it? A flashy hat to wear and a few trivial perks?
Respect to those trying to help out, but when a question like this is posed in the forum, I would only be interested in hearing the response of a salaried Google employee, not a volunteer.
It's even worse when the response offers trite, generic information that doesn't relate to the problem, regrettably a common occurrence on this type of forum.
Edit: Note, these remarks are not applicable to the commendable people providing support in FOSS projects, and in other non-commercial contexts.
I mean in the context of users providing support for commercial products without being paid for it.
Stack Overflow is a general Q&A site, not a support forum for a commercial product. The context is very different. Also, while I'm at it, it has its own flaws, but people providing trite and useless answers isn't one, they get downvoted to oblivion.
>It's even worse when the response offers trite, generic information that doesn't relate to the problem, regrettably a common occurrence on this type of forum.
Anecdotal, but I've seen figures like "number 263 in line for representative, estimated wait time 8 hours" in the weeks after I got my lemon Pixel 6 and had to get it RMA'd. Even after I got through to a human, it took tons of effort to escalate away from the song-and-dance "troubleshooting support" to a person who actually had the ability to get a replacement mailed out.
Contrast with Apple, where I've gotten knowledgeable humans on the line within a minute or two, and scheduled a service appointment at a nearby store.
If Google wants its Pixels to be the iPhone of the Android world, then they should provide more than the bottom-of-the-barrel outsourced support they currently offer.
I literally smashed my Pixel XL with a beer bottle (it tipped into the phone, there's no way a phone can survive that), swapped my sim to my old phone and called their 1-800. Was on the phone with support within 15m, they overnighted me a new one (under the protection plan) without me having to send in the old one, and then the new one had an issue with the proximity sensor, so I used the on-phone support to have them call me instead of waiting on hold. Explained the situation and they overnighted a third one which worked great without needing to return anything. I then sent the other two back. It was very good support actually given the circumstances, and I used that phone for two or three years before getting the Pixel 3XL. After having the 3XL for a little less than two years, I randomly took off the case to show off how nice the phone was without one (it was the white model), and realized the battery was swelling a slight but noticeable amount. It was a day or two before the protection plan expired, I called them via the builtin support functionality, again in a few minutes to check if the claim would be honored, hopped off that call after investing about 15-30m of my time, did a pretty easy claim process (another 5-10m) and had a new phone delivered in about 3 days. Swapped my SIM in, transferred all of my stuff, and shipped the old one. It was seamless and easy.
In general, Google's support is mostly nonexistent. There are harrowing stories of Pixel support, but I have not had them, so ehh.
On the other hand, I have had humorous kerfuffles with Dell in trying to stop them from sending me a replacement unit that turned out to be unnecessary (even though the support rep had issued a replacement ahead of arrival due to a report of damage by UPS). They said we'll ship you one, just let us know if the one that arrives is not damaged and we'll cancel it. Despite me doing that in triplicate they still sent it to me. And then after I spent a bunch more time getting support to understand this, I was able to ship it back via FedEx, and about a month later I got a notice that I never did... Again, was able to remedy this with a chat with support and sending over some proof, but it left much to be desired.
By the same token I don't know why jp88 thinks it's okay to spend their time volunteering on behalf of Google. Is there some angle that I don't see or is there a subculture of people who enjoy providing free services to huge highly-profitable companies?
I had this problem when I was still using gmail. These days I have my own domain and pay for my email services, so I can create aliases without creating accounts. But when I was using gmail I had a few accounts for different things, and at around 5 I couldn’t create more.
Which is perfectly reasonable to be fair. I fixed it by deleting some of the accounts.
If the authors problem is similar that would probably be the easy solution. If it’s because the author has “inherited” a phone number that has previously been used by other people to create Google accounts then I think the author is going to depend on this HN post catching enough traffic for real people at Google to care. Because I sure didn’t find any help through their support system back then, and simply fixed the issue as a “happy accident”.
I managed to successfully register a Twitter account without having to verify myself with a phone number. Not sure how I managed to do that, but I have a number ready to provide them if they randomly decide to ask for it.
You can get away with using the same number for about five accounts (at least this was my experience).
In the USA, the cheapest option I've found is Tello (T-Mobile MVNO) - $5-6/mo for the absolute basic tier, real SIM with a real (non VOIP) number. Accepts number port-in after initial activation.
Red Pocket has their cheapest plan at $30/year ($2.50/month) on T-Mobile. 200 min, 1000 txt, 200 MB per month. Real SIM card. Available only on eBay. No affliation, just a satisfied customer.
What's more fun is that companies have bad databases and won't fix them. I have a Google Voice number that I ported to a physical device, and Discord won't let me use it as a 2FA backup number. The mistake they made is two-fold: 2FA is for me, so if the text message goes through, then it doesn't matter if it's VoIP. But they tied the system into their "you must have a verified phone to use this server", which has to reject VoIP for abuse reasons. (It's a bad abuse management mechanism of course, but having implemented similar blunt instruments myself, I get where they're coming from. There's a problem, how do you fix it in a day? Blanket out-of-date denylists.) Compounding the issue is that their database is simply incorrect. My number is a physical phone.
(Oh, and of course you can port your physical-at-the-time-of-registration phone number to VoIP, which I may or may not have done, and they don't go back in and check against the database. TOCTOU, a classic security vulnerability since approximately 1970.)
It grinds my gears because I have been a Nitro subscriber since it first became available, and they won't bend one millimeter for one of their first paying customers. I am looking forward to their death by greed.
The opposite is also true. I have a Google Voice number that originally came from a cell phone, so many sites that otherwise block VoIP numbers let me use it.
Really the only place that gives me issues is Chase Bank.
I was using a number with Uber Eats and one day they decided they didn't like my provider any more. Needless to say their service wasn't worth trying to figure out why they have a problem. I swear it feels like some sort of conspiracy to make sure major telcos get paid.
I remember hacking together a Twilio API script for registering multiple Google accounts (since they do phone verification for each account so I needed a pool of numbers I could register with). I managed to get about 20 accounts registered before they caught on, and banned each account. And there was a twist: my main Google account got caught up in the ban (which I tried really hard to keep insulated from the en-mass account registrations). But they somehow figured out it was me (even after using several proxies/VPNs).
But luckily I could appeal the ban of my main (personal) account and the copy read something like:
We want you to keep communicating with Gmail, so you can appeal to get your account reinstated here using this form.
Turns out Google is human after-all, and I learned my lesson.
For those wondering why I wanted so many Google accounts; well at the time Google+ was happening and I wanted to promote a bunch of SaaS products and side hustles. In truth, I wanted to spam G+ with links. But the takeaway from this is: Google does let you appeal and has your best interests at heart, despite any rogue/malicious intent.
Note that some countries have prepaid SIMs that are regularly reassigned to new SIMs...as soon as 6 months after the last "refill" of the card.
This happened to a customer where their IT sysadmin got a prepaid phone and registered this as a recovery number in a critical system (read as: full control over infrastructure).
And yes, the company forgot to refill the SIM card only to realize a year later that some script kiddie got the phone number by accident and was curious enough to lookup where the number was being used. DNS entries and ASN entries were enough OSINT to form an attack strategy.
What you gonna do then? As it turns out, this was a shitstorm of problems to deal with through hours (probably days) of support hotline calls.
Remember folks: 2FA via SMS is useless. Avoid phone numbers like the plague, everywhere.
Many providers don't give you a choice. Many major banks default to using SMS for 2FA. I'm sure if they get breached the government will bail them out so why should they change?
Me too, but some banks/payment services don't allow that – ostensibly for security reasons...
Even when I did get a "real phone number" (that concept irritates me to no end), one of these first required me to send a phone bill as a "proof of me owning that number" before they would let me set it for 2FA.
I guess that's just what happens when blending/confusing the three distinct concerns of spam/fraud protection, 2FA, and user identification (for inbound P2P payments) into a single identifier.
Couldn't agree more. It's baffling that we seem to be slowly moving away from email addresses as primary account identifiers, and less slowly from using them as the default 2FA reset channel.
- I can own my email address; I cannot meaningfully own a phone number.
- Email is international. Phone numbers aren't. (Edit: Often, not all countries/dial codes are accepted by sign-up forms, and it's usually not feasible to keep a phone number when moving internationally.)
- Email works with or without a cell signal/via mobile data.
- Many email providers offer 2FA, and domain name port-out prevention seems relatively robust these days. SIM swaps and port-out attacks still seem way too easy to pull off.
Since you can have unlimited amounts of email addresses for free, they are not the ideal identifier for products for which there are “free up to a certain point” aspects or “we’d like to make sure we’re dealing with an individual person” aspects? Though surely in the latter case something better than an email OR phone number is possible.
They are a pretty decent identifier for users. Facebook demanded my phone number for "security" purposes then turned around and used it as a unique identifier to tie me to purchase records from various businesses (e.g. Ticketmaster - why am I not surprised?) that apparently have shady tracking/advertising deals with Facebook.
This sort of information misuse and tracking (not to mention spam) is precisely what "sign in with Apple" was supposed to fix in terms of e-mail addresses, but it's currently instantly neutralized by SMS "verification" since it's a huge pain to get a different phone number just to prevent Facebook from using it as a tracking identifier.
(I guess this reminds me why I have said "no" to multiple inquiries from Facebook. The thought of being told to implement a dark pattern as part of your job is extremely unpleasant. Facebook's confusing anti-privacy settings are another example.)
And it's not just Facebook. This is seeping into other completely unexpected applications; for example I bought a game controller whose driver software setup demanded a mobile number for "verification" purposes. No, just no.
Being able to send an SMS to a US phone number does not guarantee the ability to send an SMS to, eg, a Chinese phone number. SMS isn't even widely used in a lot of locales outside North America. Email works the same everywhere.
Email is not delivered reliably either. There are many blockers. Either you are not allowed to enter a perfectly working address. They might use some list of domains they think they are bad (happens to me increasingly). The programmer might have hand-crafted their own regexp for "valid" email addresses. The email provider might not accept certain incoming mails. I am on several lists that say, sorry our emails are not deliverd on hotmail, yahoo, whatever. Harmless hobby stuff, nothing spammy or illegal.
The terms of domain "rental agreements" are much more standardized and user-friendly than those applying to phone numbers in the PSTN though, in my experience.
Zoho is even worse. They require that a phone number is used exactly once. Which is a bummer if you want to have non-personal emails, like "support@example.com".
> Some people do not own phones, or do not wish to provide you with their telephone number when asked. Do not require a user to provide a phone number unless it is essential, and whenever possible try to provide a fallback to accommodate these users.
The fact that VoIP numbers are declined by so many services just reveals what phone numbers are really used for, these days: Spam account creation prevention.
If this was about security, SMS-2FA would be laughed out the door.
> What exactly is the point of phone verification of the official answer is “lie to us about your identity”?
Phone number is not about identity, but about reducing spam (they're also not at all tied to your identity, at least not unless you buy data from service providers). The point is that you need something that is very easy for your normal user to do, but very hard for bots - effectively, it's just a glorified captcha.
I can accept that, but at least captchas offer an alternative, like listening to audio. With the phone number, if they've decided my number is VoIP, then I have no recourse except to borrow or steal someone's phone. It's a terrible system and they probably have no metrics on how many legit customers they are losing because of it.
Why do you think they wouldn't have metrics on it? When doing anti-abuse policies like that, you'd definitely first figure out the number of FPs during the analysis stage, and then verify it again when actually rolling out the policy.
How do you tell the difference between bot users and legit users who just give up? Especially if you do it during a high growth period, it could easily be masked by the growth.
There's tons of ways. What they have in common is that you don't wait for a user to fail the SMS challenge, and then try to figure out if it was a true or false positive. You work with differential behavior between populations of users.
Often you're not applying these policies to everyone, but only to small sub-populations with a high density of abuse. E.g. if 1% of your accounts are created via VPNs + VOIP numbers, and 99% of those accounts are deemed to be abusive post facto, and you restrict VOIP numbers for just signups for VPNs, the absolute maximum reduction in legit signups is 0.01%. You don't even need to know how many of the legit users would find another way to create the account; you already have an upper bound that's within the guardrails.
Or you can look at what actually happens after you roll out the policy. If it really is watertight, abusers will move away quickly, and all you're left with are the legit users. If that number is low enough, you might even keep the rules in place indefinitely even though all the traffic that is remaining is expected to be FPs.
If those approaches sound dodgy, the default option is to run an A/B experiment. Ban VOIP numbers for the experiment group and allow them for the control group. Then simply look the number of newly created abusive accounts vs. accounts with legit interactions in the two groups.
(A lot of requires you to have a way of distinguishing between abusive and legit users post facto, but if you don't, it's too early to add this kind of restriction in the first place.)
I get how this probably reduces spam a little, but it's another one of those things like capchas that can be a massive impediment for legitimate users, but barely a speedbump for actual spammers.
It's all about sybil attack prevention. They want to limit high rate algorithmic generation of accounts, so they need some verifiable ID that cannot itself be generated at a high rate. They're not using it to verify your identity - they're just making sure you can't generate a lot of accounts.
I wouldn’t call it very practical. Not everyone has access to someone else’s phone, much less someone who trusts them when they say “can I borrow your phone for a few minutes to send some verification codes”.
156 comments
[ 0.23 ms ] story [ 247 ms ] threadI hope it's not the case (and I am enjoying my alternate, non-google emails) - but it seems that "so goes Google, so goes the web" has happened often enough that I worry
If you ever want to get a feel for how truly not-free the Internet is, try browsing through a VPN for a few days. Lots of stuff doesn't load, period. And you'll get constant "we've detected suspicious behavior from your IP" warnings, followed by endless capchas.
Apple will accept a Google Voice number as a trusted phone number on your iCloud account, and it even works with their SMS 2FA, in the few places where they still support that.
The root of the problem seems to be that the POTS seems to demand a ridiculous level of trust of all participants, which does not scale beyond a handful of incumbent market participants.
I like being able to take my phone calls wherever I am, with or without cell signal. Don't blame the technology; blame the broken network.
I have never had this problem with PIA.
Phone number as unique person identifier is hugely problematic for a lot of reasons. I wonder how many accounts you could hack just by constantly acquiring new numbers in area codes where the supply is small and then trying to reset various things by phone number.
> if there's any.
Have support.
So I sense some of the anger is due to google's reputation in this regard.
so, how?
(disclaimer, work for Google but not on this)
Another reason why phone number login is a ridiculous idea. Now this user is locked out and has to contact the CEO of Google for support. (Since there is no Google customer support)
We haven't even gotten to talk about SIM swapping and SS7 attacks yet. [0] Complete hell-hole of account takeovers.
[0] https://news.ycombinator.com/item?id=27447206
From a user standpoint, I know of no service that will perform ID verification for 'free' and certify that verification onto a third-party verification request. (Credit card verification, or mail-you-a-postcard verification, doesn't count, as there's no ID check.)
I believe this ends up having to be a government service, where the post office is obliged to certify third-party verification requests presented to it (for private parties, corporations, and/or government divisions), and this service is offered for free at personal-use volumes and for one postage stamp per request at for-profit volumes.
It's still possible a B-corp or non-profit could decide to offer this as a public service, but that would take a billion-dollar endowment and would duplicate the USPS frameworks already in place to check IDs and verify mailing addresses for Informed Delivery at every post office in the country, so I wouldn't bet on anyone taking on that cost without payment.
Not your domain not your mail.
There are two scenarios:
1. The expected use-case: Create account(s), assign number for verification, verify, account active, number remains assigned to account(s)
2. The unexpected: Attempt to create account(s), assign number for verification, ignore or fail verification, no account created
If the attempted use of the number in (2) is counted and remembered then there's an anonymous potential DOS against any number
Why anyone would volunteer to answer queries for free in this context is beyond me. What do they get out of it? A flashy hat to wear and a few trivial perks?
Respect to those trying to help out, but when a question like this is posed in the forum, I would only be interested in hearing the response of a salaried Google employee, not a volunteer.
It's even worse when the response offers trite, generic information that doesn't relate to the problem, regrettably a common occurrence on this type of forum.
Edit: Note, these remarks are not applicable to the commendable people providing support in FOSS projects, and in other non-commercial contexts.
Stack Overflow is a general Q&A site, not a support forum for a commercial product. The context is very different. Also, while I'm at it, it has its own flaws, but people providing trite and useless answers isn't one, they get downvoted to oblivion.
Even worse worse when the response is actively hostile. Previously discussed: <https://news.ycombinator.com/item?id=28216896>
Google, as a company, has still not figured out customer support. It is evident in their Google Suite products, GCP and Pixel phones.
Contrast with Apple, where I've gotten knowledgeable humans on the line within a minute or two, and scheduled a service appointment at a nearby store.
If Google wants its Pixels to be the iPhone of the Android world, then they should provide more than the bottom-of-the-barrel outsourced support they currently offer.
In general, Google's support is mostly nonexistent. There are harrowing stories of Pixel support, but I have not had them, so ehh.
On the other hand, I have had humorous kerfuffles with Dell in trying to stop them from sending me a replacement unit that turned out to be unnecessary (even though the support rep had issued a replacement ahead of arrival due to a report of damage by UPS). They said we'll ship you one, just let us know if the one that arrives is not damaged and we'll cancel it. Despite me doing that in triplicate they still sent it to me. And then after I spent a bunch more time getting support to understand this, I was able to ship it back via FedEx, and about a month later I got a notice that I never did... Again, was able to remedy this with a chat with support and sending over some proof, but it left much to be desired.
https://twitter.com/QuinnyPig/status/1173368432609226752
Which is perfectly reasonable to be fair. I fixed it by deleting some of the accounts.
If the authors problem is similar that would probably be the easy solution. If it’s because the author has “inherited” a phone number that has previously been used by other people to create Google accounts then I think the author is going to depend on this HN post catching enough traffic for real people at Google to care. Because I sure didn’t find any help through their support system back then, and simply fixed the issue as a “happy accident”.
I'm not sure how you get a number from Ma Bell anymore, and I'm not going to do it for Twitter.
FAANG isn't quite as bad as WeChat, but it's getting there.
You can get away with using the same number for about five accounts (at least this was my experience).
(Oh, and of course you can port your physical-at-the-time-of-registration phone number to VoIP, which I may or may not have done, and they don't go back in and check against the database. TOCTOU, a classic security vulnerability since approximately 1970.)
It grinds my gears because I have been a Nitro subscriber since it first became available, and they won't bend one millimeter for one of their first paying customers. I am looking forward to their death by greed.
Really the only place that gives me issues is Chase Bank.
The rep was able to white-list my number.
Or Apple FaceTime Attestation?
But luckily I could appeal the ban of my main (personal) account and the copy read something like:
Turns out Google is human after-all, and I learned my lesson.For those wondering why I wanted so many Google accounts; well at the time Google+ was happening and I wanted to promote a bunch of SaaS products and side hustles. In truth, I wanted to spam G+ with links. But the takeaway from this is: Google does let you appeal and has your best interests at heart, despite any rogue/malicious intent.
It's pretty much what you might expect from a company that makes its money B2B rather than through pleasing consumers.
This happened to a customer where their IT sysadmin got a prepaid phone and registered this as a recovery number in a critical system (read as: full control over infrastructure).
And yes, the company forgot to refill the SIM card only to realize a year later that some script kiddie got the phone number by accident and was curious enough to lookup where the number was being used. DNS entries and ASN entries were enough OSINT to form an attack strategy.
What you gonna do then? As it turns out, this was a shitstorm of problems to deal with through hours (probably days) of support hotline calls.
Remember folks: 2FA via SMS is useless. Avoid phone numbers like the plague, everywhere.
I use a GV number for 2FA over SMS as the last mile solution.
Even when I did get a "real phone number" (that concept irritates me to no end), one of these first required me to send a phone bill as a "proof of me owning that number" before they would let me set it for 2FA.
I guess that's just what happens when blending/confusing the three distinct concerns of spam/fraud protection, 2FA, and user identification (for inbound P2P payments) into a single identifier.
- I can own my email address; I cannot meaningfully own a phone number.
- Email is international. Phone numbers aren't. (Edit: Often, not all countries/dial codes are accepted by sign-up forms, and it's usually not feasible to keep a phone number when moving internationally.)
- Email works with or without a cell signal/via mobile data.
- Many email providers offer 2FA, and domain name port-out prevention seems relatively robust these days. SIM swaps and port-out attacks still seem way too easy to pull off.
Just don‘t also tangle it to my user ID and/or 2FA recovery.
They are a pretty decent identifier for users. Facebook demanded my phone number for "security" purposes then turned around and used it as a unique identifier to tie me to purchase records from various businesses (e.g. Ticketmaster - why am I not surprised?) that apparently have shady tracking/advertising deals with Facebook.
This sort of information misuse and tracking (not to mention spam) is precisely what "sign in with Apple" was supposed to fix in terms of e-mail addresses, but it's currently instantly neutralized by SMS "verification" since it's a huge pain to get a different phone number just to prevent Facebook from using it as a tracking identifier.
(I guess this reminds me why I have said "no" to multiple inquiries from Facebook. The thought of being told to implement a dark pattern as part of your job is extremely unpleasant. Facebook's confusing anti-privacy settings are another example.)
And it's not just Facebook. This is seeping into other completely unexpected applications; for example I bought a game controller whose driver software setup demanded a mobile number for "verification" purposes. No, just no.
I agree with the gist of your email, but what is this supposed to mean exactly? The whole world shares a single phone (number) system, right?
> An individual has a phone number
> Some people do not own phones, or do not wish to provide you with their telephone number when asked. Do not require a user to provide a phone number unless it is essential, and whenever possible try to provide a fallback to accommodate these users.
Source: https://github.com/google/libphonenumber/blob/master/FALSEHO...
What exactly is the point of phone verification of the official answer is “lie to us about your identity”?
If this was about security, SMS-2FA would be laughed out the door.
Phone number is not about identity, but about reducing spam (they're also not at all tied to your identity, at least not unless you buy data from service providers). The point is that you need something that is very easy for your normal user to do, but very hard for bots - effectively, it's just a glorified captcha.
Often you're not applying these policies to everyone, but only to small sub-populations with a high density of abuse. E.g. if 1% of your accounts are created via VPNs + VOIP numbers, and 99% of those accounts are deemed to be abusive post facto, and you restrict VOIP numbers for just signups for VPNs, the absolute maximum reduction in legit signups is 0.01%. You don't even need to know how many of the legit users would find another way to create the account; you already have an upper bound that's within the guardrails.
Or you can look at what actually happens after you roll out the policy. If it really is watertight, abusers will move away quickly, and all you're left with are the legit users. If that number is low enough, you might even keep the rules in place indefinitely even though all the traffic that is remaining is expected to be FPs.
If those approaches sound dodgy, the default option is to run an A/B experiment. Ban VOIP numbers for the experiment group and allow them for the control group. Then simply look the number of newly created abusive accounts vs. accounts with legit interactions in the two groups.
(A lot of requires you to have a way of distinguishing between abusive and legit users post facto, but if you don't, it's too early to add this kind of restriction in the first place.)