I know life can be frustrating when you don't fit the conventional profile. It's been the same for me.
But organisations like banks need to have systems that adequately balance security, usability and ubiquity, and it turns out that phone number authentication is optimal across those criteria.
Of course it's not perfect, but empirically it works better than the alternatives (otherwise they'd already have changed it), so we're stuck with it, no matter how much it might frustrate the likes of you and me.
I'm finally old enough to realise that for certain things, like banking, the world is better off that way, else it would would descend into chaos (even more than it already has), and nobody would be able to get anything done.
And maybe it's only possible for people like us to get away with existing on the fringes thanks to the fact that most people are keeping society going by getting things done, and for that reason it's perhaps justifiable that for things like this it's up to us to find a way to fit in with their ways of doing things.
I shouldnt have mentioned banking, it seems that this is what most people agree with that numbers make sense. And hence i agree to that as well.
One of my banks offers the following 2 alternatives:
* Paper TAN (which most likely will go away in the next years)
* Card reader that scans your EC card
Both completely valid for my situation, my other bank does none of both. Both however are completely valid just not as confidient for the bank i guess.
My whole point is having alternatives, or at least a workflow to fix this issue for people who do not have a fixed phone number (anymore). Its sucks to have way less security as everybody else (because i cant enable 2FA) when email was always there and pretty much just as good. It sucks even more to not be able to create a account because somehow they dont want your current number (I mean how crazy is that that you can not make a Twitter account with one of the most popular Thai providers? How is that not a huge issue?)
But for every new system/feature/mechanism a service provider builds to accommodate every increasingly narrow edge-case, there's a huge additional cost and commitment in development, maintenance and support.
So the reality is it just comes down to dollars. If you're in the mainstream, you'll be looked after. If you're in the fringes, well, you're in the situation you're in now. That's how the world works.
Whilst complaining might help you to feel better, it's not going to change much unless there are big dollars at stake for the service provider.
I agree for the most part, but i also hope that my rant helps to put this thought into peoples heads. With several smaller providers i had to talk to when i lost my number it became clear they simply did not spend a single thought on this edge case yet. Some of them now have a workflow to solve this cases, which is really all i am asking for.
But the OP does have a point that you don't own the phone number your countries PTT or Regulator does.
And for google if you have multiple people using the same google accounts which you would do for many google services 2FA can really mess you up eg if I WFH I cant login to some of our GA GTM and GSC accounts.
The vast majority of people keep the same phone number for a long period of time; at least a few years in most cases, and several decades in some cases.
The telephony system relies on that being the case, which is why it has the nice byproduct of being an identity verification channel for banks and other service providers.
So it doesn't matter who strictly 'owns' the phone number. What matters is that it can be relied on to be linked to a given person over an extended period of time, which it usually is, which is why the system usually works. And when it doesn't work, a fallback process is available, which makes the system work even better. So all's good!
It's easy to point out ways in which the system fails in all kinds of scenarios where people don't/can't fit in with the way the system is designed, but it's ultimately futile.
Service providers will run their system in whatever way is secure enough and usable enough for enough of their customers to be satisfied to stay as customers. There's really nothing more to say about it!
exactly any non trivial site that uses google products will have accounts used by multiple people one person doesn't run all of proctor and gambles PPC
Do you really believe that? I was just reading someone comment's on Reddit yesterday about him working for a bank that only recently stopped working with credit card number transfers in the clear...
Some if not most of the banks just use ancient technology for the same reason most other big corporations do - they don't really "get" the security "value" so they don't bother to invest hundreds of millions of dollars in new infrastructure.
I'm also old enough to realise that patterns of conduct across global industries like this, don't emerge for purely dumb reasons.
"Don't bother to invest" could be a cynical way of saying they can't justify the financial cost, personnel commitment, organisational upheaval and multi-dimensional risk to adopt the new infrastructure.
But it's not as if they're sitting around doing nothing; all the banks have vast teams of people constantly maintaining and improving their software and infrastructure, doing whatever is necessary to minimise losses and maximise gains.
Those who don't do it enough or do it right go out of business.
"A phone number is nothing you can just keep. Also i OWN my emails domains."
I don't get the distinction the author is trying to make: if you stop paying the renewal fees for them you'll find you "own" those domains exactly as much as you "own" a phone number.
Having a phone number and a domain actually have way more similarities than I think this guy wants to say. You don't own your domain, your registrar does and you are leasing it. Sure, generally you go year to year instead of month to month, but in the end you don't own your domain either. And it's way easier for someone to target you.
I dont know about other countries, carriers or contracts. But my contract clearly stated that my phone provider can cancel the account anytime without prior notice if they think that is necessary. Its a typical piece of text you find in many service based business contracts. I dont claim to know what exactly this means, but it surely is a difference to having to sue me for a valid reason to be allowed to take over my domain. A process that not only takes a while but also has several prior warnings.
Sure it is not _mine_ ether. But it is more mine than a phone number ever will be.
Edit:// I tried to look it up, except trademark stuff (and even then its not easy) i dont see any reason a domain could be taken away from the renter while beeing paid for.
The essential difference though is that mobile carriers are less trustworthy than the most trustworthy domain registrars. Plus mobile networks are usually controlled by a single authority in each country, whereas the Internet and its domain name system is a bit more democratic. It's all relative of course, but still.
So given a choice I'd rely on my email address more than "my" phone number.
They also have the "remove anytime thing" but they warn you and give you 30 days to move your domains. So if they decide to close my account, they dont take my domains.
There may be a difference in contractual terms, but without much of a difference in substance.
The whole telephony system relies on people keeping the same phone number.
Individuals and families rely on it as a most basic necessity. Businesses invest vast sums of money promoting awareness of their phone number.
If telco providers went around taking people's phone numbers away without very good reason, there'd be uproar, and the telco system (and indeed, to some degree, the economy), would cease to work.
I think i said this multiple times in this thread (and probably even in the article, not sure) but i am fully aware how unlikely this is. I just used it as additional argument that now many used to pick on.
I never heard of anyone got his number taken when they paid the fee. I highly assume most companies never done that actually.
Edit:// Its not actually the point tho, it is just a (obviously not that well) argument for my point
In the US, you certainly can keep a phone number. You can take it from one telecom service provider to another. But you do indeed have to keep paying your bill to maintain this ability.
This rant is exactly why phone numbers are a good way to do two-factor. The author lost control of their phone number ("as i quit the account shortly...") and subsequently had an extremely hard time authenticating to their bank, Google, Twitter, etc.
Getting a new phone number set up is time consuming, even with a Twilio-like service. This is a good thing. Your IMEI number isn't portable, and until there is a physical token on your phone that is also portable, a phone number is the next best option.
Author here. I dont have a fixed telephone number anymore. How to handle that? I dont see why i would need one except for authentification purposes ether. My point is that depending on people have a phone number, and even more one that is widely supported (which my current numbers are not) is simply wrong.
Sure i could call my bank one a month to change my telephone number, which i loose control of shortly after that (only valid for a few months, prepaid). This is hardly a solution.
On the other side i control my email address, my private key, my home address to a degree, but never my telephone number.
In 2008 I moved to Japan from The Netherlands for a year as a graduate student. I didn't want to bother with my Dutch phone number there, so I looked for alternatives. My bank uses one time codes that are normally sent to you via SMS when you perform a transaction. These can also be pregenerated and sent to you via mail. The online banking environment simply asks me to enter code number x.
I never changed back, so now I receive a new sheet of numbered codes whenever I've used a certain number of them. Nowadays I scan this sheet of codes, run an OCR task, and import the codes in my password manager¹. So when the bank asks for code 519:
pass -c bank/ing/tan/519
And I have the code on my clipboard.
I wonder how long ING (my bank) will allow this method to exist… The alternative used by Dutch banks is a small token generating device they provide to all customers (I think only ING mentioned above doesn't do this yet). This requires no phone number either, just the (tiny) physical device.
I wonder what happens if I tell my bank that I no longer have a phone number I can be reached at?
Same. I also use paper tan right now and one bank account which i have to call if i want something (which i dont care much about, because its not ment to be accessed anyway) but yeah its just a question of time the bank does not send out TANs anymore.
My bank (or both of them) had no solution when i told them that i dont plan on having a phone number anymore. The one accepted it that they cant call me and send paper TANs, the other did not do paper tans for a few years now.
Btw: Your solution to store them sounds nice. Probably gonna adapt that
Here in Germany we get a Digipass 2FA device from our bank (something like this [0]). For every transaction, you put your banking card in, hold it up to the flashing pattern on the screen, and it creates a TAN for you. Very convenient and secure.
I thought this is more common in Europe, but apparently it's not? Although, our banks are increasingly pushing towards App-based 2FA because it's cheaper.. but I'm very confident they'll continue to support as it is the common way to do online banking.
UK here, quite a few banks have used calculator style[0] devices for 2FA. You insert your chip card, enter the PIN and receive a code. The devices themselves, while branded, seem identical across banks and accounts (I can use one I got from bank A for bank B and vice versa).
Banks now have introduced app based versions of the above, useful if you've not got the calculator or your card handy, but I don't believe they're looking to phase out the physical device just yet.
Seems similar to your device, but instead of an optical sensor to receive a code from the web browser you enter the account code and money amount of a transfer manually.
One of my banks does this, paper TAN is more confident for me as i dont have to carry a additional device and worry about driver support. But i surely will change to that as soon paper tan is over.
The other bank only offers different phone based solutions. Clearly my fault for not checking first, and also not a issue for me as i dont actually access that account.
If i could use that with other websites, Twitter, Github, whatever, i would happily carry that device with me :)
> My point is that depending on people have a phone number, and even more one that is widely supported (which my current numbers are not) is simply wrong.
Maybe the bank is not interested in serving people like you - and why should they be? A bank needs to be able to loan money to fulfil its function - everything else they do is about enabling the loan business. To be able to make loans they need to be able to have some hope of being repaid, so they need a reliable way of contacting someone tied to that person's identity and expensive to mess with. Emails are ignorable and untraceable. Home address fulfils those functions but isn't really practical as a sole means of contact - would you like them to place suspicions transactions on hold while they send you a letter and wait for your reply?
As mentioned in some other comment my bank was a bad point, i see why its more relevant for banking. While one of my banks is perfectly happy with what i am doing and offers me paper TANs and contacts me via letters the other isnt.
I am more about everything else than banking tho. Things that dont have the need to contact me ASAP and still use SMS for authentification purposes. (Personally i dont even mind verification, i have a number, just not for long)
Sure i could call my bank one a month to change my telephone number, which i loose control of shortly after that (only valid for a few months, prepaid). This is hardly a solution.
I don't get it, why are your prepaid cars only valid for a few months? Do people just lose their number regularly?
Around here you can get a prepaid SIM, and you only need to make a single call per six months to keep it active. Even an initial 10€ payment is enough for years of service. Can't you get the same in Switzerland?
Thats a very cool idea actually. Would depend on not changing my phone or resetting it and forget about it so probably faulty, but i keep that in mind.
Go to VOIP.ms set up a number for $1/mo. So 12/year. Have it forward to your number. Use it for verification as well. It supports SMS, though I have found some services won't allow it.
Which i control even less... I dont doubt there are solutions, but the only one i've seen so far that is kind of optimal is Github which allows me to disable lost 2fa access through verifying with a git push like command based on public/private key.
I don't know what control means to you. You mean stuff that you don't have to pay for? Stuff that can't be taken away from you? I have had the same number with VOIP.ms for 5 years. Even used it from Mexico. It does not seem to me to be out of my control.
Control means i own it. You never own telephone numbers, maybe you do in some countries i dont know, but they usual contract is that you rent them and they can be taken away from you anytime. Sure they usually dont, but building a security system on something like that is obviously suboptimal.
Not sure I understand the difference between renting a telephone number and renting a domain, or email address, or even a home address. All can be taken away for various reasons, failure to pay rent/renewal/mortgage, legal confiscations, etc.
According to my telephone contract it can be taken at any time and i am not entitled to my telephone number. This is something you dont find with domains.
They can take your domain away, for example, if you fail to respond to an inquiry regarding invalid contact info. Anyone can initiate one of those inquiries. And, of course, there's the various domain name dispute policies at ICANN.
I just checked for details. So far as i can tell its a long, costly and usually failing process to get a domain taken. VS. Just a random thought by a single entity to get your phone number taken.
The point is to slow down attacks. The point is not that it's fool proof. I always see 2FA as not a way to secure your account. More like a way to mitigate illegitimate attacks from 3rd parties and script kiddies. So they can't get in to 100s if not thousands of accounts all of the sudden.
This hits me too because I travel a lot.
Try installing Signal on your phone when your only connection to the world is over WiFi. Try getting an SMS when you're not on a compatible network. You can't. That doesn't mean I don't have my phone with me. The requirement for a contactable phone number instead of an email address or other message is like pretending that your IP address and your hardware MAC address are the same thing, when they're obviously not. One identifies an actual piece of equipment, and the other is literally just bits on the wind.
Somewhat off-topic, but honest question: In the article the author says that he OWNs his email domains. Is this really possible? In my understanding it's more like you rent the domain name from the registrar, and you need to keep renewing it. My question is (please forgive my ignorance in this matter): what prevents the registrar from some day raising the price for your domain to astronomical values? Maybe some well-funded business has suddenly decided that they want your domain name and they have no problem offering thousands of dollars for it. When the domain name is up for renewal, what prevents the registrar from passing it to the highest bidder?
My point rather was is that they can not take it away from me. My specific registrar only allows themself to invalidate domains for a few days when they contain swear words. I am not entirely sure if they can increase the price while i own it. In fact last time they increased the price it did not affect me because i already owned it but only new registered domains. Even the renew was on the old price.
My domain is actually .ch. I am not entirely sure how this goes, and i highly assume swear words are not what i actually ment. They just reserve their right to invalidate domains a few days in case they are inappropriate (i think that is the exact phrasing they use). This is also true for .eu, .de, .it, .li, .at but i doubt it happens often. Maybe it only refers to using registered trademarks? Dunno
I just tried to look it up. Seems it mostly happens for things like "Trademarksucks" which is afaik illegal (smearing or whatever the law is called) in most of europe.
I do not have a mobile phone, and have run into countless issues with so-called security systems which demand a mobile number, everything from airports to online services like Twitter. It's amazing how many services become unavailable when you have no phone number to provide.
I have a mobile phone number, but it's VoIP and can't receive SMS. That excludes me from many types of services that absolutely want to send an SMS.
Extra bonus, I moved out of my country of origin a few years ago. The Visa card I have from a bank in my country of origin needs 2FA to be used to purchase things on the net. The second factor is a code sent by SMS. Even if I had a phone number that can receive a SMS, the bank won't let me change the configured phone number because they can only accept a phone number in my country of origin. IOW, I barely can use that card.
Welcome to my world. I have to call my mum when i want to spend something on my credit card because she now receives the verification SMS.
Not to mention that i had to lie to them as have a friend from my home country call them (imposing as me) to change the phone number (which is most likely illegal in itself) because they could not accept calls from my current country...
> A phone number is nothing you can just keep. Also i OWN my emails domains. Therefore they are under MY control.
No, no, no.
Just like phone numbers, your domain can be yanked out from under you. In many cases, their are procedures and appeals that can be worked out but realistically, if someone hijacks your DNS, it's over.
To take my domain legally from me there is a complicated procedure involved, its nothing that can just happen from today to tomorrow because a third party wanted it. Which is in fact the case with phone numbers. At least the one i actually read the contract for.
Controlling my DNS is pretty much the same scenario as hacking my phone. Both can happen, both dont have to happen.
Edit:// I checked, taking my Domain from me if data is correct and i pay is close to impossible, costly and takes forever. This is really far from beeing the same as with a phone number
In the UK mobile networks are required to offer number portability[1].
I don't know if that means a mobile network can take your number away, but just like managing the registrar on a domain, you can manage the portability of your number.
You can in most countries as far as i know. But in my example i quit my account (so made it prepaid essentially) and lost the SIM card, which means i lost my account forever. Now it waits for the simcard to invalidate and then will most likely sell the number again. It was a "easy number" (as in people remember that number after telling them once) so i assume it will be resold rather fast.
But just because you can does not mean people want that. Before it became normal to auth everywhere with phone numbers i happily changed my number yearly.
You'd be surprised. Number portability is a big pain in the arse for us (determining the network from an MSISDN is important in my industry) so it's always a nice bonus when we come across countries without it.
This is a really interesting example! Thank you, i obviously only thought about my rather small digitalnomad bubble & issues. But this is a good example for the same problem on a much bigger scale.
Once again it shows you cant just close your eyes and judge from yourself to others.
I've got an odd issue with a Google mail account. That has no email or phone number associated with it. On my main laptop, I can access the account with username and password, on another computer, I'm locked out - because of security checks. The credentials don't matter. Which really bothers me. I'm effectively locked out the account.
Yeah, that can happen, it's one of the reasons why I don't recommend Google accounts anymore. Hardware/software factors ("new devices"...) trigger their automatic security checks and can easily lock you out of your account, even if you did nothing wrong.
Big providers are more and more tailoring to the lowest common denominator (people who can't manage passwords, get malware...) and pushing for mobile authentication.
So if you're someone who can manage passwords and is willing to accept responsibility, you get annoyed at best and locked out of your account at worst.
I agree its stupid, but it personally gives me a good feel about their security as well. I rather trust my gmail account than my phone.
The "trick" is to never change your laptop/desktop and phone at once so you can always verify the other. At best, if you travel, have a old computer somewhere that someone else can access to verify when needed.
Its not perfect, and i still have bad dreams about loosing access and no googler ever going to help me. But on the other side when someone accesses my account somehow, i know nothing happens and they get locked out.
I move country and change internet regularly, and i am glad this is not a reason to lock my account like with many providers who have less advanced tactics.
Are you using long, automatically generated passwords? I've had two very similar Google accounts that I log in at the same time on PCs, and one account with a 15 char password kept wanting additional checks. It stopped when I changed the password to 16 chars.
As someone who changes phone numbers periodically, I couldn't agree more. The worst part is all the services who use it as the only identifier. Services like WhatsApp, Signal, etc should AT LEAST offer an alternative means of identification, be it a user-chosen handle or an email address.
Don't they use phone numbers exactly because they are hard to get/change.
A phone number, at least in the UK, means you've been pre-verified in some way - users can't in general generate new phone numbers like they can email addresses.
Thus, less problems with anonymous users (eg trolling, spamming) and less abuse from named users as they can usually be traced using the phone number.
>A phone number, at least in the UK, means you've been pre-verified in some way
This seemed interesting to me, so I tried signing up for a UK voip number at the sipgate.co.uk site. They do ask for an address, but they accept anything valid, like the address of a university. Had a 056-0003 XXXX phone number in less than a minute.
I travel a lot and in many countries a prepaid SIM (which will expire after as little as a month without use or top-up) is the cheapest way to go.
Most countries are moving towards requiring identification before activating a SIM card, like you say.
For example in Vietnam, this has only become a thing in the past month or so and it is not enforced in practice in many unaffiliated corner stores. Last month, I just walked into a corner store paid a couple of bucks to get a preactivated SIM card with a couple of GB in two minutes.
Google does let you have 2 factor setup without a phone number as a factor, but strangely you need a phone number temporarily. You add the phone number as a factor, then add other factors (such as Google Authenticator and Yubikeys) then delete the phone number.
> Google does let you have 2 factor setup without a phone number as a factor, but strangely you need a phone number temporarily.
I finally set up 2FA on my Google account this weekend.
It struck me as incredibly odd that Google requires a phone number to enable 2FA. NIST recently advocated against using SMS for OoB auth. [0]
If I had been an account hijacker with the password (e.g. obtained via phishing) it would have been ludicrously simple for me to enable 2FA on someone else's account.
I don't understand, I already have an Android phone with Google Play Services installed. Why isn't pressing "Okay" on my phone sufficient? It's certainly not any more insecure than an SMS.
What I view as even worse is on the first attempt the SMS didn't go through, so I asked Google to give me a call. Evidently my provider blocks whatever number they're using to call out of, so my phone never rang. But Google left the verification code anyway, AS A VOICEMAIL!
My inner tin foil hat says Google wants a phone number for other purposes.
> My inner tin foil hat says Google wants a phone number for other purposes.
Just like Twitter these days. "Telephone number is optional and for your security". 2 minutes later my new accounts are always locked and i need to provide a telephone number to enable it again. They used SMS until recently, now they use a call service which only works with a fraction of numbers. (Tried 2 thai, 1 cambodian number, none accepted)
I seriously dont get what they are trying to do other than creating a database of telephone numbers and locking users in third world countries out.
Also agree with that Google actually knows enough to just verifiy it based on my phone. Telephone number is not necessary, especially i "verified" my account in the past with a phone call, why again?
Steam does this as well. Even if you add your phone number after a lot of nagging, Steam still keeps bothering you to install their Android or IOS authenticator software (even if you can't). I wish Steam would consider Fido U2F as well, but getting through to anyone who can influence this at Valve is nigh impossible.
It seems to be the industry status quo now to assume that everyone uses a smartphone running either Android or IOS, and that everyone wants to use that device for authentication. Meanwhile the tech giants (especially those involved in advertising) probably like having that nice unique alphanumerical identifier for your profile — it tends to be the same for all services you use.
I really hope Fido U2F becomes a de facto alternative for 2FA.
Yeah, I just ran into something similar a few days ago. Every once in a while I used to go through all my trading cards and bulk sell all my duplicates for a few cents each, but apparently now they require you to use some combination of SMS and mobile app authentication to post anything on the market. Clicking through the confirmation email they send you isn't enough on its own.
So now I just don't bother with trading cards at all.
My experience exactly. I used to sell those silly cards the moment I got them, just to get a little extra balance in my Steam account for the next purchase. Now I just ignore them; selling them is way to much of a hassle to be worth the €0,05 you get for a card. (Who buys those things anyway? Weird market.)
Steam, at least, does not seem to have a issue sending me emails. Sure it annoys me to use their app or whatever, but i can choose to only receive emails. Which is really all i actually want :)
It's protection against bulk account creation. Getting a phone number costs money, so requiring a phone number makes it expensive to get 1000 accounts.
Phones are ubiquitous enough that very few customers have to pay this cost.
Obviously, this reasoning doesn't (and shouldn't) extend to using phones for authentication.
Yeah, after writing the article i also realized i dont mind verification actually. As long as they support whatever carrier i currently have. Its authentification that i bother with. (As in i have a phone number, i want internet on my phone, but i change it often monthly)
Also services like Twitter that allow any rented SMS service and multiple accounts for each number this seems not be the reason why they ask for a number.
"My inner tin foil hat says Google wants a phone number for other purposes."
"I already have an Android phone with Google Play Services installed."
Guess what - Google already has your phone number before asking for it via the 2FA form. My guess is that the reason they have one platform-independent process for setting up 2FA is for iOS users.
> Guess what - Google already has your phone number before asking for it via the 2FA form. My guess is that the reason they have one platform-independent process for setting up 2FA is for iOS users.
Only if the phone number is the same one I use for my Android phone. But yes, I realize that any SIM I put into my phone will also be known by Google.
It's just an incredibly shit onboarding method. They already have a more secure way than SMS to determine the account owner, so why not offer it as an option?
Can you even create a working Google account without a phone number? When I last tried that, it seemed to be mandatory from the start.
It never seemed to be a security measure, but an anti-spam measure. You can buy captcha solving as a service for fractions of a cent, and bulk create thousands of accounts for sending spam. Buying working phone numbers is more hassle and more expensive, and will leave a payment trail if you use a service like Twilio.
You can, but it's not obvious that it's an option. I'd be willing to bet that the signup UI was deliberately designed to make it look like a phone number is required.
This is new to me thank you. I am a little afraid of locking myself out so i am hesitate to just try it, i will read into it and give it a try. Seriously thanks.
For one I like to opt out of phone based 2fa whenever possible. It is just inconvenient as demonstrated in the post without any upside really. Most of the time it actually prevents me from doing things. Lose/forget your phone and you are in a very bad position. I'm satisfied with a secure password, thanks.
But organisations like banks need to have systems that adequately balance security, usability and ubiquity, and it turns out that phone number authentication is optimal across those criteria.
Of course it's not perfect, but empirically it works better than the alternatives (otherwise they'd already have changed it), so we're stuck with it, no matter how much it might frustrate the likes of you and me.
I'm finally old enough to realise that for certain things, like banking, the world is better off that way, else it would would descend into chaos (even more than it already has), and nobody would be able to get anything done.
And maybe it's only possible for people like us to get away with existing on the fringes thanks to the fact that most people are keeping society going by getting things done, and for that reason it's perhaps justifiable that for things like this it's up to us to find a way to fit in with their ways of doing things.