But organisations like banks need to have systems that adequately balance security, usability and ubiquity, and it turns out that phone number authentication is optimal across those criteria.
Of course it's not perfect, but empirically it works better than the alternatives (otherwise they'd already have changed it), so we're stuck with it, no matter how much it might frustrate the likes of you and me.
I'm finally old enough to realise that for certain things, like banking, the world is better off that way, else it would descend into chaos (even more than it already has), and nobody would be able to get anything done.
And maybe it's only possible for people like us to get away with existing on the fringes thanks to the fact that most people are keeping society going by getting things done, and for that reason it's perhaps justifiable that for things like this it's up to us to find a way to fit in with their ways of doing things.
One of my banks offers the following 2 alternatives:
* Paper TAN (which most likely will go away in the next years)
* Card reader that scans your EC card
Both are completely valid for my situation; my other bank offers neither. Both, however, are completely valid, just not as convenient for the bank I guess.
My whole point is having alternatives, or at least a workflow to fix this issue for people who do not have a fixed phone number (anymore). It sucks to have way less security than everybody else (because I can't enable 2FA) when email was always there and pretty much just as good. It sucks even more to not be able to create an account because somehow they don't want your current number (I mean, how crazy is it that you can not make a Twitter account with one of the most popular Thai providers? How is that not a huge issue?)
But for every new system/feature/mechanism a service provider builds to accommodate every increasingly narrow edge-case, there's a huge additional cost and commitment in development, maintenance and support.
So the reality is it just comes down to dollars. If you're in the mainstream, you'll be looked after. If you're in the fringes, well, you're in the situation you're in now. That's how the world works.
Whilst complaining might help you to feel better, it's not going to change much unless there are big dollars at stake for the service provider.
And for Google, if you have multiple people using the same Google account (which you would do for many Google services), 2FA can really mess you up, e.g. if I WFH I can't log in to some of our GA, GTM and GSC accounts.
The telephony system relies on that being the case, which is why it has the nice byproduct of being an identity verification channel for banks and other service providers.
So it doesn't matter who strictly 'owns' the phone number. What matters is that it can be relied on to be linked to a given person over an extended period of time, which it usually is, which is why the system usually works. And when it doesn't work, a fallback process is available, which makes the system work even better. So all's good!
It's easy to point out ways in which the system fails in all kinds of scenarios where people don't/can't fit in with the way the system is designed, but it's ultimately futile.
Service providers will run their system in whatever way is secure enough and usable enough for enough of their customers to be satisfied to stay as customers. There's really nothing more to say about it!
Why would you do this? Whether personal or work related, Google has always said to keep accounts tied to an individual.
Do you really believe that? I was just reading someone's comment on Reddit yesterday about him working for a bank that only recently stopped working with credit card number transfers in the clear...
Some if not most of the banks just use ancient technology for the same reason most other big corporations do - they don't really "get" the security "value" so they don't bother to invest hundreds of millions of dollars in new infrastructure.
"Don't bother to invest" could be a cynical way of saying they can't justify the financial cost, personnel commitment, organisational upheaval and multi-dimensional risk to adopt the new infrastructure.
But it's not as if they're sitting around doing nothing; all the banks have vast teams of people constantly maintaining and improving their software and infrastructure, doing whatever is necessary to minimise losses and maximise gains.
Those who don't do it enough or do it right go out of business.
I don't get the distinction the author is trying to make: if you stop paying the renewal fees for them you'll find you "own" those domains exactly as much as you "own" a phone number.
Sure, it is not _mine_ either. But it is more mine than a phone number ever will be.
Edit:// I tried to look it up; except for trademark stuff (and even then it's not easy) I don't see any reason a domain could be taken away from the renter while being paid for.
Which makes sense; they don't have to keep me as a client if, for some reason, they don't want to.
So given a choice I'd rely on my email address more than "my" phone number.
Taking away a domain is a costly, long and usually failing process.
Sure, I need to pay for both.
I agree that I worded that badly though.
source please, including your registrar's TOS
Or even what someone linked below (to refute my claims).
They also have the "remove anytime" thing, but they warn you and give you 30 days to move your domains. So if they decide to close my account, they don't take my domains.
The whole telephony system relies on people keeping the same phone number.
Individuals and families rely on it as a most basic necessity. Businesses invest vast sums of money promoting awareness of their phone number.
If telco providers went around taking people's phone numbers away without very good reason, there'd be uproar, and the telco system (and indeed, to some degree, the economy), would cease to work.
I never heard of anyone having his number taken away when they paid the fee. I strongly assume most companies have never actually done that.
Edit:// It's not actually the point though; it is just an (obviously not that good) argument for my point.
In the US, you certainly can keep a phone number. You can take it from one telecom service provider to another. But you do indeed have to keep paying your bill to maintain this ability.
Getting a new phone number set up is time consuming, even with a Twilio-like service. This is a good thing. Your IMEI number isn't portable, and until there is a physical token on your phone that is also portable, a phone number is the next best option.
Sure, I could call my bank once a month to change my telephone number, which I lose control of shortly after that (only valid for a few months, prepaid). This is hardly a solution.
On the other hand, I control my email address, my private key, my home address to a degree, but never my telephone number.
I never changed back, so now I receive a new sheet of numbered codes whenever I've used a certain number of them. Nowadays I scan this sheet of codes, run an OCR task, and import the codes in my password manager¹. So when the bank asks for code 519:
pass -c bank/ing/tan/519
I wonder how long ING (my bank) will allow this method to exist… The alternative used by Dutch banks is a small token generating device they provide to all customers (I think only ING mentioned above doesn't do this yet). This requires no phone number either, just the (tiny) physical device.
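The paper-TAN workflow above (scan, OCR, import the numbered codes into a password manager, hand out code N on request) is worth making concrete, because the one property that makes a TAN list work is that each code is handed out exactly once. The script below is an added example and is not the commenter's own tooling; the row format (index, optional separator, code), the 6-digit code length and the `bank/ing/tan/<n>` naming are assumptions for illustration, and the OCR text embedded in it is constructed sample data.

```python
"""Parse an OCR'd paper-TAN sheet and hand out each code exactly once.

Added example; the sheet layout and 6-digit code length are assumptions,
not the actual format of any bank's TAN sheet.
"""
import re
from dataclasses import dataclass, field

# Constructed sample OCR output (not a real sheet): "index code" per row.
# The blank line and the letter "O" in place of "0" on the last row simulate
# typical OCR noise that an importer has to tolerate.
SAMPLE_OCR = """\
517 284913
518  910274
519: 483921

52O 77O102
"""

# A row is a 1-3 digit index, an optional ':' or '-', then a 6-character code.
TAN_LINE = re.compile(r"^\s*(\d{1,3})\s*[:\-]?\s*([0-9A-Za-z]{6})\s*$")

# OCR commonly mistakes these letters for digits; map them back before parsing.
OCR_FIXES = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1", "S": "5", "B": "8"})


def parse_sheet(text):
    """Return {index: code} for every TAN row; fail loudly on anything odd.

    Silently skipping a malformed row would leave a gap that only shows up
    when the bank asks for that exact code, so every row must parse.
    """
    codes = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = TAN_LINE.match(raw.translate(OCR_FIXES))
        if not m:
            raise ValueError(f"line {lineno}: unrecognised TAN row {raw!r}")
        idx, code = int(m.group(1)), m.group(2)
        if not code.isdigit():
            raise ValueError(f"line {lineno}: code {code!r} still contains letters, re-check the scan")
        if idx in codes:
            raise ValueError(f"line {lineno}: duplicate TAN index {idx}")
        codes[idx] = code
    return codes


@dataclass
class TanSheet:
    """A TAN list with one-time-use semantics."""
    codes: dict
    used: set = field(default_factory=set)

    def consume(self, idx):
        """Return TAN #idx and burn it; asking for the same index twice fails."""
        if idx not in self.codes:
            raise KeyError(f"no TAN with index {idx} on this sheet")
        if idx in self.used:
            raise RuntimeError(f"TAN {idx} was already used; a TAN is never reused")
        self.used.add(idx)
        return self.codes[idx]

    def remaining(self):
        """Unused codes left, e.g. to decide when to request the next sheet."""
        return len(self.codes) - len(self.used)

    def pass_entries(self, prefix="bank/ing/tan"):
        """Store names for the unused codes, matching 'pass -c bank/ing/tan/519'."""
        return [f"{prefix}/{i}" for i in sorted(self.codes) if i not in self.used]


if __name__ == "__main__":
    sheet = TanSheet(parse_sheet(SAMPLE_OCR))
    print("bank asks for TAN 519:", sheet.consume(519))
    print("remaining:", sheet.remaining(), "unused entries:", sheet.pass_entries())
```

Importing into `pass` would then be one `pass insert` per name returned by `pass_entries()`; deleting (or overwriting) the entry after use is what gives you the `used` set in the real workflow.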
I wonder what happens if I tell my bank that I no longer have a phone number I can be reached at?
My bank (or both of them) had no solution when I told them that I don't plan on having a phone number anymore. One accepted that they can't call me and sends paper TANs; the other has not done paper TANs for a few years now.
Btw: your solution to store them sounds nice. Probably gonna adapt that.
I thought this is more common in Europe, but apparently it's not? Although our banks are increasingly pushing towards app-based 2FA because it's cheaper, I'm very confident they'll continue to support this, as it is the common way to do online banking.
Banks now have introduced app based versions of the above, useful if you've not got the calculator or your card handy, but I don't believe they're looking to phase out the physical device just yet.
Seems similar to your device, but instead of an optical sensor to receive a code from the web browser you enter the account code and money amount of a transfer manually.
The other bank only offers different phone-based solutions. Clearly my fault for not checking first, and also not an issue for me as I don't actually access that account.
If I could use that with other websites, Twitter, GitHub, whatever, I would happily carry that device with me :)
It is. Most of the other Dutch banks do use such a device (I haven't seen devices that try to read your screen yet though).
Maybe the bank is not interested in serving people like you - and why should they be? A bank needs to be able to loan money to fulfil its function - everything else they do is about enabling the loan business. To be able to make loans they need to have some hope of being repaid, so they need a reliable way of contacting someone that is tied to that person's identity and expensive to mess with. Emails are ignorable and untraceable. Home address fulfils those functions but isn't really practical as a sole means of contact - would you like them to place suspicious transactions on hold while they send you a letter and wait for your reply?
I am more concerned with everything other than banking though. Things that don't have the need to contact me ASAP and still use SMS for authentication purposes. (Personally I don't even mind verification; I have a number, just not for long.)
There's a link for if I authorized it and a link for if I didn't.
In fact, basically everything my bank does is by email, except a few legal documents and sending replacement cards, which are by mail.
I can't count the number of times they called me on a single hand.
I don't get it, why are your prepaid cards only valid for a few months? Do people just lose their number regularly?
Around here you can get a prepaid SIM, and you only need to make a single call per six months to keep it active. Even an initial 10€ payment is enough for years of service. Can't you get the same in Switzerland?
Also, as mentioned, I can't get it again; prepaid is kind of contract-less. If I lose the SIM I am not entitled to get the same number again.
There's not a lot of genuine security or legal analysis to be found here.
Get a fixed telephone number.
My point rather was that they can not take it away from me. My specific registrar only allows themselves to invalidate domains for a few days when they contain swear words. I am not entirely sure if they can increase the price while I own it. In fact, last time they increased the price it did not affect me because I already owned it, but only newly registered domains. Even the renewal was at the old price.
From your other posts, I gather you live in South-East Asia, so I guess it's a local domain.
I just tried to look it up. It seems it mostly happens for things like "Trademarksucks", which is afaik illegal (smearing, or whatever the law is called) in most of Europe.
I do not have a mobile phone, and have run into countless issues with so-called security systems which demand a mobile number, everything from airports to online services like Twitter. It's amazing how many services become unavailable when you have no phone number to provide.
Extra bonus, I moved out of my country of origin a few years ago. The Visa card I have from a bank in my country of origin needs 2FA to be used to purchase things on the net. The second factor is a code sent by SMS. Even if I had a phone number that can receive a SMS, the bank won't let me change the configured phone number because they can only accept a phone number in my country of origin. IOW, I barely can use that card.
Not to mention that I had to lie to them and have a friend from my home country call them (impersonating me) to change the phone number (which is most likely illegal in itself), because they could not accept calls from my current country...
I managed to persuade one employee to change the attached cellphone number to my temporary American one, but they initially didn't think it would work.
It was a great day when I got access to my money again.
> A phone number is nothing you can just keep. Also I OWN my email domains. Therefore they are under MY control.
No, no, no.
Just like phone numbers, your domain can be yanked out from under you. In many cases there are procedures and appeals that can be worked out, but realistically, if someone hijacks your DNS, it's over.
Controlling my DNS is pretty much the same scenario as hacking my phone. Both can happen; both don't have to happen.
Edit:// I checked: taking my domain from me if my data is correct and I pay is close to impossible, costly and takes forever. This is really far from being the same as with a phone number.
I don't know if that means a mobile network can take your number away, but just like managing the registrar on a domain, you can manage the portability of your number.
But just because you can does not mean people want that. Before it became normal to authenticate everywhere with phone numbers, I happily changed my number yearly.
Most recently, Philippines: http://www.prefix.ph/smart-users/updated-philippine-mobile-p...
Once again it shows you can't just close your eyes and judge others by yourself.
I don't really care for a telephone either.
Big providers are more and more tailoring to the lowest common denominator (people who can't manage passwords, get malware...) and pushing for mobile authentication.
So if you're someone who can manage passwords and is willing to accept responsibility, you get annoyed at best and locked out of your account at worst.
The "trick" is to never change your laptop/desktop and phone at once, so you can always verify with the other. Better still, if you travel, have an old computer somewhere that someone else can access to verify when needed.
It's not perfect, and I still have bad dreams about losing access and no Googler ever going to help me. But on the other hand, when someone accesses my account somehow, I know nothing happens and they get locked out.
I move country and change internet regularly, and I am glad this is not a reason to lock my account, like with many providers who have less advanced tactics.
A phone number, at least in the UK, means you've been pre-verified in some way - users can't in general generate new phone numbers like they can email addresses.
Thus, fewer problems with anonymous users (e.g. trolling, spamming) and less abuse from named users, as they can usually be traced using the phone number.
This seemed interesting to me, so I tried signing up for a UK voip number at the sipgate.co.uk site. They do ask for an address, but they accept anything valid, like the address of a university. Had a 056-0003 XXXX phone number in less than a minute.
Most countries are moving towards requiring identification before activating a SIM card, like you say.
For example in Vietnam, this has only become a thing in the past month or so and it is not enforced in practice in many unaffiliated corner stores. Last month, I just walked into a corner store paid a couple of bucks to get a preactivated SIM card with a couple of GB in two minutes.
I finally set up 2FA on my Google account this weekend.
It struck me as incredibly odd that Google requires a phone number to enable 2FA. NIST recently advocated against using SMS for OoB auth. 
If I had been an account hijacker with the password (e.g. obtained via phishing) it would have been ludicrously simple for me to enable 2FA on someone else's account.
I don't understand, I already have an Android phone with Google Play Services installed. Why isn't pressing "Okay" on my phone sufficient? It's certainly not any more insecure than an SMS.
What I view as even worse is on the first attempt the SMS didn't go through, so I asked Google to give me a call. Evidently my provider blocks whatever number they're using to call out of, so my phone never rang. But Google left the verification code anyway, AS A VOICEMAIL!
My inner tin foil hat says Google wants a phone number for other purposes.
Just like Twitter these days. "Telephone number is optional and for your security". 2 minutes later my new accounts are always locked and I need to provide a telephone number to enable them again. They used SMS until recently; now they use a call service which only works with a fraction of numbers. (Tried 2 Thai and 1 Cambodian number, none accepted.)
I seriously don't get what they are trying to do other than creating a database of telephone numbers and locking users in third-world countries out.
Also, I agree that Google actually knows enough to just verify it based on my phone. A telephone number is not necessary, especially as I "verified" my account in the past with a phone call; why again?
It seems to be the industry status quo now to assume that everyone uses a smartphone running either Android or IOS, and that everyone wants to use that device for authentication. Meanwhile the tech giants (especially those involved in advertising) probably like having that nice unique alphanumerical identifier for your profile — it tends to be the same for all services you use.
I really hope FIDO U2F becomes a de facto alternative for 2FA.
So now I just don't bother with trading cards at all.
But I agree on everything said.
Phones are ubiquitous enough that very few customers have to pay this cost.
Obviously, this reasoning doesn't (and shouldn't) extend to using phones for authentication.
Also, since services like Twitter allow any rented SMS service and multiple accounts per number, this seems not to be the reason why they ask for a number.
"I already have an Android phone with Google Play Services installed."
Guess what - Google already has your phone number before asking for it via the 2FA form. My guess is that the reason they have one platform-independent process for setting up 2FA is for iOS users.
Only if the phone number is the same one I use for my Android phone. But yes, I realize that any SIM I put into my phone will also be known by Google.
It's just an incredibly shit onboarding method. They already have a more secure way than SMS to determine the account owner, so why not offer it as an option?
It never seemed to be a security measure, but an anti-spam measure. You can buy captcha solving as a service for fractions of a cent, and bulk create thousands of accounts for sending spam. Buying working phone numbers is more hassle and more expensive, and will leave a payment trail if you use a service like Twilio.