
Phone numbers are not proper verification - herbst
http://b1nary.ch/2017/01/16/phone-numbers-are-no-verification/
======
tomhoward
I know life can be frustrating when you don't fit the conventional profile.
It's been the same for me.

But organisations like banks need to have systems that adequately balance
security, usability and ubiquity, and it turns out that phone number
authentication is optimal across those criteria.

Of course it's not perfect, but empirically it works better than the
alternatives (otherwise they'd already have changed it), so we're stuck with
it, no matter how much it might frustrate the likes of you and me.

I'm finally old enough to realise that for certain things, like banking, the
world is better off that way, else it would descend into chaos (even
more than it already has), and nobody would be able to get anything done.

And maybe it's only possible for people like us to get away with existing on
the fringes thanks to the fact that most people are keeping society going by
getting things done, and for that reason it's perhaps justifiable that for
things like this it's up to us to find a way to fit in with their ways of
doing things.

~~~
lostboys67
But the OP does have a point that you don't own the phone number; your
country's PTT or regulator does.

And for Google, if you have multiple people using the same Google accounts,
which you would do for many Google services, 2FA can really mess you up, e.g.
if I WFH I can't log in to some of our GA, GTM and GSC accounts.

~~~
manigandham
> multiple people using the same google accounts

Why would you do this? Whether personal or work related, Google has always
said to keep accounts tied to an individual.

~~~
Nadya
Team managing a GA account for a client. Which is not uncommon for internet
marketing companies.

~~~
lostboys67
Exactly. Any non-trivial site that uses Google products will have accounts
used by multiple people; one person doesn't run all of Procter and Gamble's PPC.

------
al2o3cr
"A phone number is nothing you can just keep. Also i OWN my emails domains."

I don't get the distinction the author is trying to make: if you stop paying
the renewal fees for them you'll find you "own" those domains exactly as much
as you "own" a phone number.

~~~
jedimastert
Having a phone number and a domain actually have way more similarities than I
think this guy wants to say. _You_ don't own your domain, your registrar does
and you are leasing it. Sure, generally you go year to year instead of month
to month, but in the end you don't own your domain either. And it's way easier
for someone to target you.

~~~
herbst
I don't know about other countries, carriers or contracts. But my contract
clearly stated that my phone provider can cancel the account anytime without
prior notice if they think that is necessary. It's a typical piece of text you
find in many service-based business contracts. I don't claim to know what
exactly this means, but it surely is a difference to having to sue me for a
valid reason to be allowed to take over my domain. A process that not only
takes a while but also has several prior warnings.

Sure it is not _mine_ either. But it is more mine than a phone number ever will
be.

Edit:// I tried to look it up, except trademark stuff (and even then it's not
easy) I don't see any reason a domain could be taken away from the renter while
being paid for.

~~~
jedimastert
Looking at the Namecheap TOS[1], it says they can terminate you at any time.

[1] https://www.namecheap.com/legal/domains/registration-agreement.aspx

~~~
herbst
You are twisting reality here. It says they warn me 30 days prior and if I do
not move my domains until then they will terminate it.

Which makes sense, they don't have to, for some reason, keep me as a client if
they don't want to.

~~~
jedimastert
I missed that part; that's my bad.

------
mark242
This rant is exactly _why_ phone numbers are a good way to do two-factor. The
author lost control of their phone number ("as i quit the account shortly...")
and subsequently had an extremely hard time authenticating to their bank,
Google, Twitter, etc.

Getting a new phone number set up is time consuming, even with a Twilio-like
service. This is a good thing. Your IMEI number isn't portable, and until
there is a physical token on your phone that is also portable, a phone number
is the next best option.

~~~
herbst
Author here. I don't have a fixed telephone number anymore. How to handle that?
I don't see why I would need one except for authentication purposes either. My
point is that depending on people having a phone number, and even more one that
is widely supported (which my current numbers are not) is simply wrong.

Sure I could call my bank once a month to change my telephone number, which I
lose control of shortly after that (only valid for a few months, prepaid).
This is hardly a solution.

On the other side I control my email address, my private key, my home address
to a degree, but never my telephone number.

~~~
Freak_NL
In 2008 I moved to Japan from The Netherlands for a year as a graduate
student. I didn't want to bother with my Dutch phone number there, so I looked
for alternatives. My bank uses one time codes that are normally sent to you
via SMS when you perform a transaction. These can also be pregenerated and
sent to you via mail. The online banking environment simply asks me to enter
code number _x_.

I never changed back, so now I receive a new sheet of numbered codes whenever
I've used a certain number of them. Nowadays I scan this sheet of codes, run
an OCR task, and import the codes in my password manager¹. So when the bank
asks for code 519:

    pass -c bank/ing/tan/519

And I have the code on my clipboard.

I wonder how long ING (my bank) will allow this method to exist… The
alternative used by Dutch banks is a small token generating device they
provide to all customers (I think only ING mentioned above doesn't do this
yet). This requires no phone number either, just the (tiny) physical device.

I wonder what happens if I tell my bank that I no longer have a phone number I
can be reached at?

1: https://www.passwordstore.org/
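
Added example, not part of Freak_NL's comment: a shell script for the import step described above, which refuses to store anything in pass unless the OCR output of the whole sheet validates. The sheet layout (one "<index> <code>" pair per line, 6-digit codes), the sample data and the function names are assumptions; only the bank/ing/tan/<index> path comes from the comment.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: the OCR text holds one
# "<index> <code>" pair per line and every code is TAN_LEN digits long.

TAN_LEN=6                 # assumed code length
PREFIX="bank/ing/tan"     # path layout from the `pass -c` call in the comment

# Constructed sample of OCR output: line 2 has the letter O misread for a zero,
# line 4 repeats an index. Neither is real bank data.
sample_sheet() {
    printf '%s\n' '519 482913' '520 O07314' '521 660128' '519 111111'
}

# Read OCR text on stdin and print "index code" for every clean line.
# Lines that are not two all-digit fields, have the wrong code length, or reuse
# an index are reported on stderr; the exit status is 2 if any were rejected.
validate_tan_sheet() {
    awk -v len="$TAN_LEN" '
        NF == 0 { next }
        NF != 2 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ || length($2) != len {
            printf "line %d rejected: %s\n", NR, $0 > "/dev/stderr"
            bad++; next
        }
        ($1 in seen) {
            printf "line %d rejected: duplicate index %s\n", NR, $1 > "/dev/stderr"
            bad++; next
        }
        { seen[$1] = 1; print $1, $2 }
        END { if (bad) exit 2 }
    '
}

# Store validated codes in pass, one entry per index. Nothing is written unless
# the whole sheet validates, so a bad scan never leaves a half-imported sheet.
# DRY_RUN=1 prints the entry names instead of calling pass.
import_tans() {
    sheet=$(validate_tan_sheet) || {
        echo "sheet rejected, nothing imported" >&2
        return 1
    }
    printf '%s\n' "$sheet" | while read -r idx code; do
        [ -n "$idx" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would store $PREFIX/$idx"
        else
            # pass reads the secret from stdin when --echo is given
            printf '%s\n' "$code" | pass insert --echo --force "$PREFIX/$idx" >/dev/null
        fi
    done
}

# Demo: ./import-tans.sh --demo   (the constructed sample is rejected as a whole)
if [ "${1:-}" = "--demo" ]; then
    sample_sheet | DRY_RUN=1 import_tans || true
fi
```

Rejected lines are meant to be corrected by hand against the paper sheet and the import re-run, since a silently mis-stored digit only shows up when the bank refuses the code.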

~~~
nom
Here in Germany we get a Digipass 2FA device from our bank (something like
this [0]). For every transaction, you put your banking card in, hold it up to
the flashing pattern on the screen, and it creates a TAN for you. Very
convenient and secure.

I thought this is more common in Europe, but apparently it's not? Although,
our banks are increasingly pushing towards App-based 2FA because it's
cheaper.. but I'm very confident they'll continue to support as it is the
common way to do online banking.

0: https://www.vasco.com/products/two-factor-authenticators/hardware/card-readers/digipass-836.html

~~~
wjdp
UK here, quite a few banks have used calculator style[0] devices for 2FA. You
insert your chip card, enter the PIN and receive a code. The devices
themselves, while branded, seem identical across banks and accounts (I can use
one I got from bank A for bank B and vice versa).

Banks now have introduced app based versions of the above, useful if you've
not got the calculator or your card handy, but I don't believe they're looking
to phase out the physical device just yet.

Seems similar to your device, but instead of an optical sensor to receive a
code from the web browser you enter the account code and money amount of a
transfer manually.

[0]: https://upload.wikimedia.org/wikipedia/commons/thumb/0/05/Barclays_pinsentry.jpg/250px-Barclays_pinsentry.jpg

------
photon-torpedo
Somewhat off-topic, but honest question: In the article the author says that
he OWNs his email domains. Is this really possible? In my understanding it's
more like you rent the domain name from the registrar, and you need to keep
renewing it. My question is (please forgive my ignorance in this matter): what
prevents the registrar from some day raising the price for your domain to
astronomical values? Maybe some well-funded business has suddenly decided that
they want your domain name and they have no problem offering thousands of
dollars for it. When the domain name is up for renewal, what prevents the
registrar from passing it to the highest bidder?

~~~
herbst
Author here, this is a valid thought indeed.

My point rather was that they cannot take it away from me. My specific
registrar only allows themselves to invalidate domains for a few days when they
contain swear words. I am not entirely sure if they can increase the price
while I own it. In fact last time they increased the price it did not affect
me because I already owned it but only newly registered domains. Even the
renewal was at the old price.

~~~
rocqua
A registrar that invalidates domains just for having swear words is bounds
beyond what is acceptable here in the west.

From your other posts, I gather you live in South-East Asia, so I guess it's a
local domain.

~~~
herbst
My domain is actually .ch. I am not entirely sure how this goes, and I highly
assume swear words are not what I actually meant. They just reserve their right
to invalidate domains a few days in case they are inappropriate (I think that
is the exact phrasing they use). This is also true for .eu, .de, .it, .li, .at
but I doubt it happens often. Maybe it only refers to using registered
trademarks? Dunno

I just tried to look it up. Seems it mostly happens for things like
"Trademarksucks" which is afaik illegal (smearing or whatever the law is
called) in most of Europe.

------
BugsJustFindMe
This hits me too because I travel a lot. Try installing Signal on your phone
when your only connection to the world is over WiFi. Try getting an SMS when
you're not on a compatible network. You can't. That doesn't mean I don't have
my phone with me. The requirement for a contactable phone number instead of an
email address or other message is like pretending that your IP address and
your hardware MAC address are the same thing, when they're obviously not. One
identifies an actual piece of equipment, and the other is literally just bits
on the wind.

------
aestetix
+1

I do not have a mobile phone, and have run into countless issues with
so-called security systems which demand a mobile number, everything from airports
to online services like Twitter. It's amazing how many services become
unavailable when you have no phone number to provide.

~~~
glandium
I have a mobile phone number, but it's VoIP and can't receive SMS. That
excludes me from many types of services that absolutely want to send an SMS.

Extra bonus, I moved out of my country of origin a few years ago. The Visa
card I have from a bank in my country of origin needs 2FA to be used to
purchase things on the net. The second factor is a code sent by SMS. Even if I
had a phone number that can receive a SMS, the bank won't let me change the
configured phone number because they can only accept a phone number in my
country of origin. IOW, I barely can use that card.

~~~
herbst
Welcome to my world. I have to call my mum when I want to spend something on
my credit card because she now receives the verification SMS.

Not to mention that I had to lie to them and have a friend from my home country
call them (posing as me) to change the phone number (which is most likely
illegal in itself) because they could not accept calls from my current
country...

~~~
fenrisbear
I was an exchange student in CA for a year. During my year, I had to interact
with my very local and small bank in Norway.

I managed to persuade one employee to change the attached cellphone number to
my temporary American one, but they initially didn't think it would work.

It was a great day when I got access to my money again.

------
caseysoftware
FTA:

> _A phone number is nothing you can just keep. Also i OWN my emails domains.
> Therefore they are under MY control._

No, no, no.

Just like phone numbers, your domain can be yanked out from under you. In many
cases, there are procedures and appeals that can be worked out but
realistically, if someone hijacks your DNS, it's over.

~~~
herbst
To take my domain legally from me there is a complicated procedure involved,
it's nothing that can just happen from today to tomorrow because a third party
wanted it. Which is in fact the case with phone numbers. At least the one I
actually read the contract for.

Controlling my DNS is pretty much the same scenario as hacking my phone. Both
can happen, both don't have to happen.

Edit:// I checked, taking my domain from me if data is correct and I pay is
close to impossible, costly and takes forever. This is really far from being
the same as with a phone number.

------
martin-adams
In the UK mobile networks are required to offer number portability[1].

I don't know if that means a mobile network can take your number away, but
just like managing the registrar on a domain, you can manage the portability
of your number.

[1] https://www.ofcom.org.uk/phones-telecoms-and-internet/information-for-industry/numbering/number-portability-info

~~~
herbst
You can in most countries as far as I know. But in my example I quit my
account (so made it prepaid essentially) and lost the SIM card, which means I
lost my account forever. Now it waits for the SIM card to invalidate and then
will most likely sell the number again. It was an "easy number" (as in people
remember that number after telling them once) so I assume it will be resold
rather fast.

But just because you can does not mean people want that. Before it became
normal to auth everywhere with phone numbers I happily changed my number
yearly.

~~~
richthegeek
You'd be surprised. Number portability is a big pain in the arse for us
(determining the network from an MSISDN is important in my industry) so it's
always a nice bonus when we come across countries without it.

Most recently, Philippines:
http://www.prefix.ph/smart-users/updated-philippine-mobile-prefixes-for-2016/

~~~
herbst
This is a really interesting example! Thank you, I obviously only thought
about my rather small digital nomad bubble & issues. But this is a good example
for the same problem on a much bigger scale.

Once again it shows you can't just close your eyes and judge from yourself to
others.

------
keypress
I've got an odd issue with a Google mail account. That has no email or phone
number associated with it. On my main laptop, I can access the account with
username and password, on another computer, I'm locked out - because of
security checks. The credentials don't matter. Which really bothers me. I'm
effectively locked out of the account.

I don't really care for a telephone either.

~~~
whyoh
Yeah, that can happen, it's one of the reasons why I don't recommend Google
accounts anymore. Hardware/software factors ("new devices"...) trigger their
automatic security checks and can easily lock you out of your account, even if
you did nothing wrong.

Big providers are more and more tailoring to the lowest common denominator
(people who can't manage passwords, get malware...) and pushing for mobile
authentication. So if you're someone who can manage passwords and is willing
to accept responsibility, you get annoyed at best and locked out of your
account at worst.

~~~
HappyTypist
Are you using long, automatically generated passwords? I've had two very
similar Google accounts that I log in at the same time on PCs, and one account
with a 15 char password kept wanting additional checks. It stopped when I
changed the password to 16 chars.

~~~
keypress
Over 16 chars, not auto generated.

------
Legogris
As someone who changes phone numbers periodically, I couldn't agree more. The
worst part is all the services who use it as the only identifier. Services
like WhatsApp, Signal, etc should AT LEAST offer an alternative means of
identification, be it a user-chosen handle or an email address.

~~~
pbhjpbhj
Don't they use phone numbers exactly because they are hard to get/change?

A phone number, at least in the UK, means you've been pre-verified in some way
- users can't in general generate new phone numbers like they can email
addresses.

Thus, less problems with anonymous users (eg trolling, spamming) and less
abuse from named users as they can usually be traced using the phone number.

~~~
tyingq
>A phone number, at least in the UK, means you've been pre-verified in some
way

This seemed interesting to me, so I tried signing up for a UK voip number at
the sipgate.co.uk site. They do ask for an address, but they accept anything
valid, like the address of a university. Had a 056-0003 XXXX phone number in
less than a minute.

------
Buge
Google does let you have 2 factor setup without a phone number as a factor,
but strangely you need a phone number temporarily. You add the phone number as
a factor, then add other factors (such as Google Authenticator and Yubikeys)
then delete the phone number.

~~~
kogepathic
> Google does let you have 2 factor setup without a phone number as a factor,
> but strangely you need a phone number temporarily.

I finally set up 2FA on my Google account this weekend.

It struck me as incredibly odd that Google requires a phone number to enable
2FA. NIST recently advocated against using SMS for OoB auth. [0]

If I had been an account hijacker with the password (e.g. obtained via
phishing) it would have been _ludicrously simple_ for me to enable 2FA on
someone else's account.

I don't understand, I already have an Android phone with Google Play Services
installed. Why isn't pressing "Okay" on my phone sufficient? It's certainly
not any more insecure than an SMS.

What I view as even worse is on the first attempt the SMS didn't go through,
so I asked Google to give me a call. Evidently my provider blocks whatever
number they're using to call out of, so my phone never rang. But Google left
the verification code anyway, AS A VOICEMAIL!

My inner tin foil hat says Google wants a phone number for other purposes.

[0] www.securityweek.com/nist-denounces-sms-2fa-what-are-alternatives

~~~
herbst
> My inner tin foil hat says Google wants a phone number for other purposes.

Just like Twitter these days. "Telephone number is optional and for your
security". 2 minutes later my new accounts are always locked and I need to
provide a telephone number to enable it again. They used SMS until recently,
now they use a call service which only works with a fraction of numbers.
(Tried 2 Thai, 1 Cambodian number, none accepted)

I seriously don't get what they are trying to do other than creating a database
of telephone numbers and locking users in third world countries out.

Also agree that Google actually knows enough to just verify it based on
my phone. Telephone number is not necessary, especially as I "verified" my
account in the past with a phone call, why again?

~~~
Freak_NL
Steam does this as well. Even if you add your phone number after a lot of
nagging, Steam still keeps bothering you to install their Android or iOS
authenticator software (even if you can't). I wish Steam would consider FIDO
U2F as well, but getting through to anyone who can influence this at Valve is
nigh impossible.

It seems to be the industry status quo now to assume that everyone uses a
smartphone running either Android or iOS, and that everyone wants to use that
device for authentication. Meanwhile the tech giants (especially those
involved in advertising) probably like having that nice unique alphanumerical
identifier for your profile — it tends to be the same for all services you
use.

I really hope FIDO U2F becomes a de facto alternative for 2FA.

~~~
Jordrok
Yeah, I just ran into something similar a few days ago. Every once in a while
I used to go through all my trading cards and bulk sell all my duplicates for
a few cents each, but apparently now they require you to use some combination
of SMS and mobile app authentication to post anything on the market. Clicking
through the confirmation email they send you isn't enough on its own.

So now I just don't bother with trading cards at all.

~~~
Freak_NL
My experience exactly. I used to sell those silly cards the moment I got them,
just to get a little extra balance in my Steam account for the next purchase.
Now I just ignore them; selling them is way too much of a hassle to be worth
the €0,05 you get for a card. (Who buys those things anyway? Weird market.)

------
a_imho
For one I like to opt out of phone based 2fa whenever possible. It is just
inconvenient as demonstrated in the post without any upside really. Most of
the time it actually prevents me from doing things. Lose/forget your phone and
you are in a very bad position. I'm satisfied with a secure password, thanks.

~~~
herbst
In most cases I totally agree. Some places enforce it tho :/

------
zimzam
This is a rant about an edge case: sure, it sucks for the author but even now
few people move more than a few miles of where they are born.

Expecting a Swiss institution to seamlessly support banking from Thailand is,
unfortunately, unrealistic. In the pre-internet age I doubt it was supported
well either.

Seems like the author should have talked to their bank about how
extra-territorial access works before moving rather than complaining about
issues after the fact.

Phone numbers are a red herring.

~~~
herbst
Thanks for your input. Obviously I did, I just did not expect losing my SIM
card in the first week. My bank changed my account to paper TANs and I hope
they will still support that for a while, after that I could probably opt in
to carry an additional card reader device and auth that way.

Obviously I am an edge case. But while trying to fix my issue I encountered
several companies who never even thought about this kind of case. This is
really all I want to reach here. Make people, especially those who implement
such systems, think about an alternative or at least a proper workflow to fix
issues like this.

I have access to everything I need now, it's not like it's unsolved and I am
crying for help. It sucks that I can't enable 2FA on several sites, but well,
for now I have to live with that.

------
tehabe
A friend of mine switched their mobile phone number but forgot to change it in
their Microsoft account. Now they can't completely use it because there is a
one month waiting period to get the new number accepted without validating the
account with the old number. Thankfully you can add also email addresses for
that but we forgot that.

~~~
herbst
A lot of services use Authy, where you also "easily" can change your phone
number. But it also takes 2 weeks, which for someone that moves country monthly
is just a suboptimal solution.

Sure it makes sense to slow this process down for protection purposes. But my
"edge case" will only get more common when remote work gets more common.

------
devwastaken
Desktop authentication programs are no better. Authy has a terrible interface,
which didn't tell me I should actually create an account to have my
authentications synced. I had to use my email and password, so I thought I did
have an account, but I did not. This caused me to lose authentication for
various programs that luckily I was able to get back.

>And to make it worse, finding malware on a Android phone is way harder than
noticing something is off on a desktop.

That's if you notice. Plenty of malware is not going to be noticeable if it's
programmed to actually steal something from you.

Phone numbers aren't a perfect way to verify things, but that is why you have
both mobile authentication, and/or numbers. Many people still do not use
smartphones, and even if they do, you can drop it or have it die in thousands
of ways that will make the data unrecoverable. Phone numbers, largely, are not
going to change for people.

------
akjainaj
Saying phone numbers are no proper verification because some people refuse to
have mobiles is like saying fingerprint verification is no proper verification
because some people don't have fingers... Well, no. It's worse.

You've chosen to be a "nomad", "outcast", whatever it is, well, then live by
your word.

~~~
herbst
Interesting conclusion and now I am curious what the police/visa offices do
with people without fingers. Most likely they offer an alternative, which is
all I am ranting for here.

If I choose to have "less" security by using email (in fact it's more, but
that's a different topic) it should be my choice. I should not be forced to own
a fixed telephone number, especially for services that just don't know any
better. I should also not be forced to give away possible access to my
accounts just because I tend to change phone numbers.

Edit:// To your edit. With "nomad" I don't mean I live like an outcast. I am
currently living as a digital nomad. I have a home address and earn money, I
just don't have a fixed telephone number anymore.

~~~
akjainaj
If people had the choice of not using a mobile phone when creating an
account, 1) recovering lost accounts would be much harder (and that's actual
support, it costs them money, so they want to avoid it) and 2) fighting spam
would also be harder (everybody gets to create an account and send mail with
it? Wow, that's really going to cost them money!)

Anyway there are mail providers who won't ask you for a mail. Protonmail and
GMX come to my mind.

~~~
herbst
Valid arguments indeed. Many roll well with not allowing common mail providers
(there are available lists) and as I own my own domains I welcome that.

If they require a telephone number I would at least expect them to support a
wide range of providers and not only some. Like I really can't get over the
fact that Twitter locks out the most popular Thai provider.

They however could also send me a letter, or have me auth with Authy/Google
Auth to make a single identity system. Maybe even requiring my passport number
+ name. It's not like phone would be the only solution.

And yeah I see that may be hard for small providers, but it shouldn't be hard
for bigger ones. Or like in Twitter's case, it's not about having a single
account anyway, you can have hundreds with the same phone number, but not a
single one with a Thai phone carrier.

Edit:// To clarify, I personally have no issue with initial confirmation over
SMS, I mean I own a phone number most of the time. I just don't own it for
longer than a month, so it is not valid for me for further authentication.

~~~
akjainaj
You live in Switzerland. If you can create a phone number with a Thai carrier
from there, I am sure you understand why Twitter refuses to deal with such a
carrier.

~~~
herbst
I don't. I live in Thailand right now, tomorrow maybe in Vietnam. Right now I
might be an edge case but remote work is growing fast.

You can create throwaway SMS numbers for a few cents with several online
providers, some even accept Bitcoin payments and don't ask for a name and
Twitter accepts them happily. It's just the third party provider they use that
did not implement that specific carrier yet.

Edit:// Also I am curious now why you think I had a Thai phone number while
living in Switzerland? :D There are countries like Austria that don't even ask
for a passport for prepaid directly next to it, why would I go Thai?

~~~
akjainaj
The "about" section of your website says you live in Switzerland.

At least here it's not legal for a mobile operator to give you a phone number
if they don't have your ID (not even a prepaid number) so I supposed it was
the same in the whole EU. Therefore I imagined you heard somewhere there's an
operator in Thailand that lets you get a number without giving an ID, maybe
even for free, so you wanted to get one to auth in Twitter. But such a system
would be abused by spammers so Twitter had blocked that operator already.

Yes, quite the elucubration, I know.

~~~
herbst
Ah ok lol I see. I think I wrote "based in Switzerland" which mostly means
that's where I store my desktop PC :) Actually in Thailand, Cambodia, Vietnam
and so on you also have to provide your passport. The only place that I know
of that does not (until recently at least) is Austria. Most webservices don't
require a passport tho, even for European numbers. But I have no idea about
the legality so no idea.

------
casualstroller
If phone number can't be validated, there should be other alternatives
offered. It bugs me when I land in another country and the airport's WiFi
hotspot wants my phone number. D'uh! It doesn't work yet until I get a local
SIM, and I don't want to turn it on 'coz my operator will instantly charge for
the incoming verification SMS and whatever else was queued for delivery. What
about those who don't have a phone?

Please offer an alternative method. Like, allow Internet access for 2 minutes
and do an email verification.

------
kintamanimatt
The solution to protect against loss is to have a backup. Keep a backup SIM
from your home country (or for every country in which you have an important
account), so in case of loss you can switch over to your backup and you can
avoid this fuckery. In my experience it's not hard to keep a prepaid SIM
active, even if it's not in active use.

This advice also applies to your wallet too: have a second bank account (at
least) and second set of credit cards (with different institutions) in a
second wallet. If you lose your primary wallet, you can immediately switch
over to your backup.

~~~
herbst
Heh, I actually tried. They would invalidate my other SIM if I get a second
one. There is no such thing as "backup SIM" with the provider I was with.

~~~
kintamanimatt
Then use a different provider.

I'm not trying to suggest you get a redundant SIM on the same account; that's
not possible. You get a second prepaid account (with a different number) with
either the same or a different carrier.

~~~
herbst
How would that solve the initial issue tho? I still would have to change my
phone number with dozens of different services.

~~~
kintamanimatt
If you're looking for a work-free backup/restore solution, those don't exist.
The point is that you'll at least have immediate access to an active number
from your home country that you can give to your banks or whatever. This means
your banks (and others) aren't going to be weirded out by that non-domestic
phone number, which is a problem you were describing.

Sometimes you'll be able to port your number too.

------
hlandau
(This comment ended up turning into a blog post in itself, so I moved it:
https://www.devever.net/~hl/e164 )

~~~
herbst
I was surprised about the long comment and was going to suggest to make it a
blog post. Well :)

We definitely are on to something there, now let's hope some people pick it up
and find better solutions.

You went more technical and provided more direct reasons, I learned a few
things from your article. So kudos for that!

I'll make a link back to your post as well, seems like a good followup for
interested people, and as said a little more detailed about the technical
implications.

------
solatic
Verifying identity is the government's job. Since time immemorial, governments
have been issuing identity documents for their citizens.

So when did it become the job of the telecom industry? So why would anyone
think that a telephone number can robustly represent identity?

Of course there are privacy and ethics concerns with government-issued digital
identities. And they can be addressed, after we first agree with whom primary
responsibility for identity assurance ought to lie, because then we can
remember that all the alternatives are worse.

~~~
herbst
Personally I'd rather give my name and my passport ID than my telephone number.
At least with that data they can't annoy me or resell it to ad companies to
annoy me.

Also I can't lose knowing the number. I can easily replicate it on my own
site (saving it in multiple places).

------
advisedwang
The same properties that make phone numbers bad also make email addresses,
postal addresses and other IDs bad. Sometimes a weak option is better than no
option at all.

~~~
hocuspocus
E-mail is far from being perfect (you can get your account unilaterally closed
by your provider or you can lose your domain name), but in practice I've been
using the same address for more than a decade, and I have aliases that are
meant to last forever (my alumni address), while in the same period I've had 5
different mobile numbers that I used for services like banking or IM, which is
very inconvenient indeed.

~~~
craigds
I've had the same mobile number for the last fifteen years too. In NZ at least
(not sure about other countries) it's trivial to take your number with you
when you get a new SIM from any mobile provider. Though this wouldn't work
across countries obviously.

~~~
hocuspocus
As a developer in Europe, moving across countries isn't a particularly crazy
pattern I believe :)

Also in some countries keeping your number isn't cheap. And even when it's
technically easy, your phone plan might be provided by your employer, in this
case it might be very tricky to get your number migrated when you change jobs.

~~~
herbst
And I highly assume we are a growing amount of people (remote working and
actually moving). We may be a rare edge case now, but may not be in a few years
anymore.

And yes, keeping my phone number as it was would cost me $80/month. With a
provider I hated like the pest.

------
known
[https://www.truecaller.com/](https://www.truecaller.com/) gives the name of
phone owner

------
Zak
Coinbase blocked my account from buying and refused to explain themselves
after I changed the phone number associated with Authy.

If true (they refused to explain themselves, after all), that's an incredibly
backwards approach for a company based on the (possible) future of money to
take.

~~~
herbst
Not sure where I got that from, I don't have that written. Coinbase was super
nice but they had an issue with the API callback from Authy which did not
re-enable my account again.

Coinbase however blocks accounts for gambling, but they usually mention the
why.

~~~
Zak
I didn't participate in any gambling or do business with somebody whose
business includes gambling to my knowledge. I barely used the account at all
after initially setting it up when building something for a client (an
entirely non-shady company that you've probably heard of) that used their API.

They said this:

 _Unfortunately a manual review has determined that you are ineligible to use
the Coinbase platform to purchase Bitcoin. We’re sorry for any inconvenience
that this may cause._

And when asked why, they said this:

 _Sadly, I don’t have any information before me to answer as to why such a
decision was taken, but this decision is final._

The only thing I can think of that I did that might have been suspicious was
to access the service from outside the US and switch Authy to a non-US phone
number after previously using a US phone number.

------
collin_u_out
I never get these rants. You want me to take something that works well for
100% (Your case is less than a rounding error), and introduce security
weaknesses for you? You've decided to be a non-conformist, and then want the
100% to conform to you. Sorry, but no.

~~~
herbst
Like your name. It's a rant, that's what they are for, aren't they? And no, I am
pointing at a growing problem. Since I move within a "digitalnomad" scene I
noticed this is a common topic and there are millions of suboptimal solutions
to scope around it. I am surely not alone, maybe not 1% yet but remote work is
growing VERY fast.

Also I don't want anything to be 100% conform to me. No idea where you got this
from. I am really just trying to put some light on an issue I see. All I
actually expect is having people think about this issue and if possible offer
solutions, if not offer a workflow to not make this a complete pain.

~~~
collin_u_out
Sorry, you're absolutely right, and you should express this. My day job, I
just fight with people who want to do things like this, but with no clue as to
the costs and the alternatives that would need to be implemented. But somebody
will figure it out, either writing a rant, or maybe reading one, and get an
idea... So we should have this, but at this point, margins are so low that we
need to start ignoring niches that are less than single digit percents. And it
looks like things are about to get tighter.

~~~
herbst
I see where you are coming from, no worries.

------
diegoprzl
FreeOTP or Google Authenticator are a better alternative to SMS. I have three
bank accounts and, sadly, none offer that as an option.

If you need SMS verification of some service you can buy a Russian or Ukrainian
number for a few bucks. I do that when I want a throwaway WhatsApp.

~~~
albybisy
How and where do you buy Russian/Ukrainian phone numbers?

------
MichaelBurge
Phone numbers work between phone companies. Are they administered by the
government or other central organization? I wonder if you could own phone
numbers if you bought them straight from the source.

~~~
herbst
If affordable that would be interesting indeed. If I could own it on similar
terms like a domain and just choose my provider, but still _own_ it for most
part.

Right now it is usual that you can keep your number with other providers, but
you still never actually own it.

------
WhitneyLand
Why not just keep your original phone number on the lowest cost possible plan?
It's also good for emergencies.

~~~
herbst
I did kind of. I hated my carrier really bad (they are really bad, and I
expressed my hate) so I went with a prepaid plan. Issue is after I lost the
SIM there is no way for me to get the same number again.

They wanted $500 from me to "downgrade" my account from the $80 i paid then to
about $40 i would have paid after that. I said fuck you.

------
calanya
The author's concerns are well justified, however they suggest to provide an
alternative.

~~~
herbst
Thank you. I don't really get the however. Do you mean I missed to provide a
solution? That's true, other than my GitHub example I did not provide any
solutions.

My current mission is to plant this thought into people's heads, especially
those who implement such systems (why I posted on HN). All I really want right
now is a workflow to help people having similar issues, if a company is aware
when they build such a system they will also be able to find individual
solutions that fit into their market.

Like my bank can offer paper TAN, GitHub can offer private key
authentication, and Twitter should not ask for a telephone number at all
because they allow multiple accounts per number anyway. Also 2FA should be
possible with Email and not only SMS.

