
Phone numbers are not proper verification

109 points | herbst | 9 years ago | b1nary.ch

155 comments

tomhoward | 9 years ago
I know life can be frustrating when you don't fit the conventional profile. It's been the same for me.

But organisations like banks need to have systems that adequately balance security, usability and ubiquity, and it turns out that phone number authentication is optimal across those criteria.

Of course it's not perfect, but empirically it works better than the alternatives (otherwise they'd already have changed it), so we're stuck with it, no matter how much it might frustrate the likes of you and me.

I'm finally old enough to realise that for certain things, like banking, the world is better off that way, else it would descend into chaos (even more than it already has), and nobody would be able to get anything done.

And maybe it's only possible for people like us to get away with existing on the fringes thanks to the fact that most people are keeping society going by getting things done, and for that reason it's perhaps justifiable that for things like this it's up to us to find a way to fit in with their ways of doing things.

herbst | 9 years ago
I shouldn't have mentioned banking; it seems that this is where most people agree that numbers make sense. And hence I agree to that as well.

One of my banks offers the following 2 alternatives:

* Paper TAN (which most likely will go away in the next years)

* Card reader that scans your EC card

Both are completely valid for my situation; my other bank offers neither. Both, however, are completely valid, just not as confident for the bank, I guess.

My whole point is having alternatives, or at least a workflow to fix this issue for people who do not have a fixed phone number (anymore). It sucks to have way less security than everybody else (because I can't enable 2FA) when email was always there and pretty much just as good. It sucks even more to not be able to create an account because somehow they don't want your current number (I mean, how crazy is it that you cannot make a Twitter account with one of the most popular Thai providers? How is that not a huge issue?)

lostboys67 | 9 years ago
But the OP does have a point that you don't own the phone number; your country's PTT or regulator does.

And for Google, if you have multiple people using the same Google accounts, which you would do for many Google services, 2FA can really mess you up, e.g. if I WFH I can't log in to some of our GA, GTM and GSC accounts.

mtgx | 9 years ago
> otherwise they'd already have changed it

Do you really believe that? I was just reading someone's comment on Reddit yesterday about him working for a bank that only recently stopped working with credit card number transfers in the clear...

Some if not most of the banks just use ancient technology for the same reason most other big corporations do - they don't really "get" the security "value" so they don't bother to invest hundreds of millions of dollars in new infrastructure.

al2o3cr | 9 years ago
"A phone number is nothing you can just keep. Also i OWN my emails domains."

I don't get the distinction the author is trying to make: if you stop paying the renewal fees for them you'll find you "own" those domains exactly as much as you "own" a phone number.

jedimastert | 9 years ago
A phone number and a domain actually have way more similarities than I think this guy wants to say. You don't own your domain, your registrar does, and you are leasing it. Sure, generally you go year to year instead of month to month, but in the end you don't own your domain either. And it's way easier for someone to target you.
herbst | 9 years ago
My phone contract clearly stated that the contract can be cancelled anytime by the provider without prior notice.

Taking away a domain is a costly, long and usually failing process.

Sure, I need to pay for both.

I agree that I worded that badly, though.

delinka | 9 years ago
"A phone number is nothing you can just keep."

In the US, you certainly can keep a phone number. You can take it from one telecom service provider to another. But you do indeed have to keep paying your bill to maintain this ability.

mark242 | 9 years ago
This rant is exactly why phone numbers are a good way to do two-factor. The author lost control of their phone number ("as i quit the account shortly...") and subsequently had an extremely hard time authenticating to their bank, Google, Twitter, etc.

Getting a new phone number set up is time consuming, even with a Twilio-like service. This is a good thing. Your IMEI number isn't portable, and until there is a physical token on your phone that is also portable, a phone number is the next best option.

herbst | 9 years ago
Author here. I don't have a fixed telephone number anymore. How to handle that? I don't see why I would need one except for authentication purposes either. My point is that depending on people having a phone number, and even more so one that is widely supported (which my current numbers are not), is simply wrong.

Sure, I could call my bank once a month to change my telephone number, which I lose control of shortly after that (only valid for a few months, prepaid). This is hardly a solution.

On the other hand, I control my email address, my private key, my home address to a degree, but never my telephone number.

BugsJustFindMe | 9 years ago
This hits me too because I travel a lot. Try installing Signal on your phone when your only connection to the world is over WiFi. Try getting an SMS when you're not on a compatible network. You can't. That doesn't mean I don't have my phone with me. The requirement for a contactable phone number instead of an email address or other message is like pretending that your IP address and your hardware MAC address are the same thing, when they're obviously not. One identifies an actual piece of equipment, and the other is literally just bits on the wind.
photon-torpedo | 9 years ago
Somewhat off-topic, but honest question: In the article the author says that he OWNs his email domains. Is this really possible? In my understanding it's more like you rent the domain name from the registrar, and you need to keep renewing it. My question is (please forgive my ignorance in this matter): what prevents the registrar from some day raising the price for your domain to astronomical values? Maybe some well-funded business has suddenly decided that they want your domain name and they have no problem offering thousands of dollars for it. When the domain name is up for renewal, what prevents the registrar from passing it to the highest bidder?
herbst | 9 years ago
Author here, this is a valid thought indeed.

My point rather was that they cannot take it away from me. My specific registrar only allows themselves to invalidate domains for a few days when they contain swear words. I am not entirely sure if they can increase the price while I own it. In fact, the last time they increased the price it did not affect me because I already owned it; it only affected newly registered domains. Even the renewal was at the old price.

atemerev | 9 years ago
Because there is ICANN, and clearly defined policies on domain transfers. These can be reviewed, but it usually doesn't happen without prior warning.
HappyTypist | 9 years ago
Because you must be able to transfer out.
aestetix | 9 years ago
+1

I do not have a mobile phone, and have run into countless issues with so-called security systems which demand a mobile number, everything from airports to online services like Twitter. It's amazing how many services become unavailable when you have no phone number to provide.

glandium | 9 years ago
I have a mobile phone number, but it's VoIP and can't receive SMS. That excludes me from many types of services that absolutely want to send an SMS.

Extra bonus: I moved out of my country of origin a few years ago. The Visa card I have from a bank in my country of origin needs 2FA to be used to purchase things on the net. The second factor is a code sent by SMS. Even if I had a phone number that could receive an SMS, the bank won't let me change the configured phone number because they can only accept a phone number in my country of origin. IOW, I can barely use that card.

caseysoftware | 9 years ago
FTA:

> A phone number is nothing you can just keep. Also i OWN my emails domains. Therefore they are under MY control.

No, no, no.

Just like phone numbers, your domain can be yanked out from under you. In many cases, there are procedures and appeals that can be worked out, but realistically, if someone hijacks your DNS, it's over.

herbst | 9 years ago
To take my domain legally from me there is a complicated procedure involved; it's nothing that can just happen from today to tomorrow because a third party wanted it. Which is in fact the case with phone numbers. At least the one I actually read the contract for.

Controlling my DNS is pretty much the same scenario as hacking my phone. Both can happen; both don't have to happen.

Edit:// I checked; taking my domain from me, if my data is correct and I pay, is close to impossible, costly and takes forever. This is really far from being the same as with a phone number.

martin-adams | 9 years ago
In the UK mobile networks are required to offer number portability[1].

I don't know if that means a mobile network can take your number away, but just like managing the registrar on a domain, you can manage the portability of your number.

[1] https://www.ofcom.org.uk/phones-telecoms-and-internet/inform...

herbst | 9 years ago
You can in most countries as far as I know. But in my example I quit my account (so made it prepaid, essentially) and lost the SIM card, which means I lost my account forever. Now they wait for the SIM card to be invalidated and then will most likely sell the number again. It was an "easy number" (as in, people remember that number after being told it once), so I assume it will be resold rather fast.

But just because you can does not mean people want that. Before it became normal to auth everywhere with phone numbers, I happily changed my number yearly.

keypress | 9 years ago
I've got an odd issue with a Google mail account that has no email or phone number associated with it. On my main laptop, I can access the account with username and password; on another computer, I'm locked out because of security checks. The credentials don't matter. Which really bothers me. I'm effectively locked out of the account.

I don't really care for a telephone either.

whyoh | 9 years ago
Yeah, that can happen, it's one of the reasons why I don't recommend Google accounts anymore. Hardware/software factors ("new devices"...) trigger their automatic security checks and can easily lock you out of your account, even if you did nothing wrong.

Big providers are more and more tailoring to the lowest common denominator (people who can't manage passwords, get malware...) and pushing for mobile authentication. So if you're someone who can manage passwords and is willing to accept responsibility, you get annoyed at best and locked out of your account at worst.

HappyTypist | 9 years ago
Can't you just add an email?
Legogris | 9 years ago
As someone who changes phone numbers periodically, I couldn't agree more. The worst part is all the services who use it as the only identifier. Services like WhatsApp, Signal, etc should AT LEAST offer an alternative means of identification, be it a user-chosen handle or an email address.
pbhjpbhj | 9 years ago
Don't they use phone numbers exactly because they are hard to get/change?

A phone number, at least in the UK, means you've been pre-verified in some way - users can't in general generate new phone numbers like they can email addresses.

Thus, fewer problems with anonymous users (e.g. trolling, spamming) and less abuse from named users, as they can usually be traced using the phone number.

Buge | 9 years ago
Google does let you have 2 factor setup without a phone number as a factor, but strangely you need a phone number temporarily. You add the phone number as a factor, then add other factors (such as Google Authenticator and Yubikeys) then delete the phone number.
kogepathic | 9 years ago
> Google does let you have 2 factor setup without a phone number as a factor, but strangely you need a phone number temporarily.

I finally set up 2FA on my Google account this weekend.

It struck me as incredibly odd that Google requires a phone number to enable 2FA. NIST recently advocated against using SMS for OoB auth. [0]

If I had been an account hijacker with the password (e.g. obtained via phishing) it would have been ludicrously simple for me to enable 2FA on someone else's account.

I don't understand, I already have an Android phone with Google Play Services installed. Why isn't pressing "Okay" on my phone sufficient? It's certainly not any more insecure than an SMS.

What I view as even worse is on the first attempt the SMS didn't go through, so I asked Google to give me a call. Evidently my provider blocks whatever number they're using to call out of, so my phone never rang. But Google left the verification code anyway, AS A VOICEMAIL!

My inner tin foil hat says Google wants a phone number for other purposes.

[0] www.securityweek.com/nist-denounces-sms-2fa-what-are-alternatives

ProblemFactory | 9 years ago
Can you even create a working Google account without a phone number? When I last tried that, it seemed to be mandatory from the start.

It never seemed to be a security measure, but an anti-spam measure. You can buy captcha solving as a service for fractions of a cent, and bulk create thousands of accounts for sending spam. Buying working phone numbers is more hassle and more expensive, and will leave a payment trail if you use a service like Twilio.

herbst | 9 years ago
This is new to me, thank you. I am a little afraid of locking myself out, so I am hesitant to just try it; I will read into it and give it a try. Seriously, thanks.
a_imho | 9 years ago
For one I like to opt out of phone based 2fa whenever possible. It is just inconvenient as demonstrated in the post without any upside really. Most of the time it actually prevents me from doing things. Lose/forget your phone and you are in a very bad position. I'm satisfied with a secure password, thanks.
herbst | 9 years ago
In most cases I totally agree. Some places enforce it, though :/
hlandau | 9 years ago
(This comment ended up turning into a blog post in itself, so I moved it: https://www.devever.net/~hl/e164 )
herbst | 9 years ago
I was surprised about the long comment and was going to suggest making it a blog post. Well :)

We definitely are on to something there; now let's hope some people pick it up and find better solutions.

You went more technical and provided more direct reasons; I learned a few things from your article. So kudos for that!

I'll make a link back to your post as well; it seems like a good follow-up for interested people, and as said, a little more detailed about the technical implications.

zimzam | 9 years ago
This is a rant about an edge case: sure, it sucks for the author, but even now few people move more than a few miles from where they are born.

Expecting a Swiss institution to seamlessly support banking from Thailand is, unfortunately, unrealistic. In the pre-internet age I doubt it was supported well either.

Seems like the author should have talked to their bank about how extra-territorial access works before moving rather than complaining about issues after the fact.

Phone numbers are a red herring.

herbst | 9 years ago
Thanks for your input. Obviously I did; I just did not expect to lose my SIM card in the first week. My bank changed my account to paper TANs, and I hope they will still support that for a while; after that I could probably opt in to carry an additional card reader device and auth that way.

Obviously I am an edge case. But while trying to fix my issue I encountered several companies who never even thought about this kind of case. This is really all I want to reach here: make people, especially those who implement such systems, think about an alternative or at least a proper workflow to fix issues like this.

I have access to everything I need now; it's not like it's unsolved and I am crying for help. It sucks that I can't enable 2FA on several sites, but well, for now I have to live with that.

tehabe | 9 years ago
A friend of mine switched their mobile phone number but forgot to change it in their Microsoft account. Now they can't completely use it because there is a one-month waiting period to get the new number accepted without validating the account with the old number. Thankfully you can also add email addresses for that, but we forgot that.
herbst | 9 years ago
A lot of services use Authy, where you also can "easily" change your phone number. But it also takes 2 weeks, which for someone who moves country monthly is just a suboptimal solution.

Sure, it makes sense to slow this process down for protection purposes. But my "edge case" will only get more common as remote work gets more common.

devwastaken | 9 years ago
Desktop authentication programs are no better. Authy has a terrible interface, which didn't tell me I should actually create an account to have my authentications synced. I had to use my email and password, so I thought I did have an account, but I did not. This caused me to lose authentication for various programs that luckily I was able to get back.

>And to make it worse, finding malware on a Android phone is way harder than noticing something is off on a desktop.

That's if you notice. Plenty of malware is not going to be noticeable if it's programmed to actually steal something from you.

Phone numbers aren't a perfect way to verify things, but that is why you have both mobile authentication, and/or numbers. Many people still do not use smartphones, and even if they do, you can drop it or have it die in thousands of ways that will make the data unrecoverable. Phone numbers, largely, are not going to change for people.

kintamanimatt | 9 years ago
The solution to protect against loss is to have a backup. Keep a backup SIM from your home country (or for every country in which you have an important account), so in case of loss you can switch over to your backup and you can avoid this fuckery. In my experience it's not hard to keep a prepaid SIM active, even if it's not in active use.

This advice also applies to your wallet too: have a second bank account (at least) and second set of credit cards (with different institutions) in a second wallet. If you lose your primary wallet, you can immediately switch over to your backup.

herbst | 9 years ago
Heh, I actually tried. They would invalidate my other SIM if I got a second one. There is no such thing as a "backup SIM" with the provider I was with.
casualstroller | 9 years ago
If a phone number can't be validated, there should be other alternatives offered. It bugs me when I land in another country and the airport's WiFi hotspot wants my phone number. D'uh! It doesn't work yet until I get a local SIM, and I don't want to turn it on 'coz my operator will instantly charge for the incoming verification SMS and whatever else was queued for delivery. What about those who don't have a phone?

Please offer an alternative method. Like, allow Internet access for 2 minutes and do an email verification.

solatic | 9 years ago
Verifying identity is the government's job. Since time immemorial, governments have been issuing identity documents for their citizens.

So when did it become the job of the telecom industry? So why would anyone think that a telephone number can robustly represent identity?

Of course there are privacy and ethics concerns with government-issued digital identities. And they can be addressed, after we first agree with whom primary responsibility for identity assurance ought to lie, because then we can remember that all the alternatives are worse.

herbst | 9 years ago
Personally, I'd rather give my name and my passport ID than my telephone number. At least with that data they can't annoy me or resell it to ad companies to annoy me.

Also, I can't lose knowledge of the number. I can easily replicate it on my own side (saving it in multiple places).

advisedwang | 9 years ago
The same properties that make phone numbers bad also make email addresses, postal addresses and other IDs bad. Sometimes a weak option is better than no option at all.
hocuspocus | 9 years ago
E-mail is far from being perfect (you can get your account unilaterally closed by your provider, or you can lose your domain name), but in practice I've been using the same address for more than a decade, and I have aliases that are meant to last forever (my alumni address), while in the same period I've had 5 different mobile numbers that I used for services like banking or IM, which is very inconvenient indeed.
herbst | 9 years ago
The point with email is that I CAN control the address myself. Sure, I use external services to send and receive, but if that fails for some reason I can still set up my own servers and still have access to my accounts. No way of doing that with phone numbers.

Postal addresses are Name + Address, so they get invalidated automatically when I move. Therefore I would argue they are also better.