Phone numbers are not proper verification (b1nary.ch)
109 points by herbst on Jan 16, 2017 | 155 comments

I know life can be frustrating when you don't fit the conventional profile. It's been the same for me.

But organisations like banks need to have systems that adequately balance security, usability and ubiquity, and it turns out that phone number authentication is optimal across those criteria.

Of course it's not perfect, but empirically it works better than the alternatives (otherwise they'd already have changed it), so we're stuck with it, no matter how much it might frustrate the likes of you and me.

I'm finally old enough to realise that for certain things, like banking, the world is better off that way, else it would descend into chaos (even more than it already has), and nobody would be able to get anything done.

And maybe it's only possible for people like us to get away with existing on the fringes thanks to the fact that most people are keeping society going by getting things done, and for that reason it's perhaps justifiable that for things like this it's up to us to find a way to fit in with their ways of doing things.

I shouldn't have mentioned banking; it seems that this is what most people agree with, that numbers make sense. And hence I agree to that as well.

One of my banks offers the following 2 alternatives:

* Paper TAN (which most likely will go away in the next years)

* Card reader that scans your EC card

Both are completely valid for my situation; my other bank does neither. Both however are completely valid, just not as confident for the bank, I guess.

My whole point is having alternatives, or at least a workflow to fix this issue for people who do not have a fixed phone number (anymore). It sucks to have way less security than everybody else (because I can't enable 2FA) when email was always there and pretty much just as good. It sucks even more to not be able to create an account because somehow they don't want your current number (I mean, how crazy is it that you cannot make a Twitter account with one of the most popular Thai providers? How is that not a huge issue?)

Yeah, I get what you're saying.

But for every new system/feature/mechanism a service provider builds to accommodate every increasingly narrow edge-case, there's a huge additional cost and commitment in development, maintenance and support.

So the reality is it just comes down to dollars. If you're in the mainstream, you'll be looked after. If you're in the fringes, well, you're in the situation you're in now. That's how the world works.

Whilst complaining might help you to feel better, it's not going to change much unless there are big dollars at stake for the service provider.

I agree for the most part, but I also hope that my rant helps to put this thought into people's heads. With several smaller providers I had to talk to when I lost my number, it became clear they simply had not spent a single thought on this edge case yet. Some of them now have a workflow to solve these cases, which is really all I am asking for.

But the OP does have a point that you don't own the phone number; your country's PTT or regulator does.

And for Google, if you have multiple people using the same Google accounts, which you would do for many Google services, 2FA can really mess you up, e.g. if I WFH I can't log in to some of our GA, GTM and GSC accounts.

The vast majority of people keep the same phone number for a long period of time; at least a few years in most cases, and several decades in some cases.

The telephony system relies on that being the case, which is why it has the nice byproduct of being an identity verification channel for banks and other service providers.

So it doesn't matter who strictly 'owns' the phone number. What matters is that it can be relied on to be linked to a given person over an extended period of time, which it usually is, which is why the system usually works. And when it doesn't work, a fallback process is available, which makes the system work even better. So all's good!

It's easy to point out ways in which the system fails in all kinds of scenarios where people don't/can't fit in with the way the system is designed, but it's ultimately futile.

Service providers will run their system in whatever way is secure enough and usable enough for enough of their customers to be satisfied to stay as customers. There's really nothing more to say about it!

> multiple people using the same google accounts

Why would you do this? Whether personal or work related, Google has always said to keep accounts tied to an individual.

Team managing a GA account for a client. Which is not uncommon for internet marketing companies.

Exactly. Any non-trivial site that uses Google products will have accounts used by multiple people; one person doesn't run all of Procter & Gamble's PPC.

I keep multiple gmail for each purpose.

> otherwise they'd already have changed it

Do you really believe that? I was just reading someone's comment on Reddit yesterday about him working for a bank that only recently stopped working with credit card number transfers in the clear...

Some, if not most, of the banks just use ancient technology for the same reason most other big corporations do: they don't really "get" the security "value", so they don't bother to invest hundreds of millions of dollars in new infrastructure.

I'm also old enough to realise that patterns of conduct across global industries like this don't emerge for purely dumb reasons.

"Don't bother to invest" could be a cynical way of saying they can't justify the financial cost, personnel commitment, organisational upheaval and multi-dimensional risk to adopt the new infrastructure.

But it's not as if they're sitting around doing nothing; all the banks have vast teams of people constantly maintaining and improving their software and infrastructure, doing whatever is necessary to minimise losses and maximise gains.

Those who don't do it enough or do it right go out of business.

"A phone number is nothing you can just keep. Also i OWN my emails domains."

I don't get the distinction the author is trying to make: if you stop paying the renewal fees for them you'll find you "own" those domains exactly as much as you "own" a phone number.

Having a phone number and a domain actually have way more similarities than I think this guy wants to say. You don't own your domain, your registrar does and you are leasing it. Sure, generally you go year to year instead of month to month, but in the end you don't own your domain either. And it's way easier for someone to target you.

I don't know about other countries, carriers or contracts. But my contract clearly stated that my phone provider can cancel the account anytime without prior notice if they think that is necessary. It's a typical piece of text you find in many service-based business contracts. I don't claim to know what exactly this means, but it surely is a difference to having to sue me for a valid reason to be allowed to take over my domain. A process that not only takes a while but also has several prior warnings.

Sure, it is not _mine_ either. But it is more mine than a phone number ever will be.

Edit:// I tried to look it up; except for trademark stuff (and even then it's not easy) I don't see any reason a domain could be taken away from the renter while being paid for.

Looking at the Namecheap TOS[1], it says they can terminate you at any time.


You are twisting reality here. It says they warn me 30 days prior and if I do not move my domains until then they will terminate it.

Which makes sense; they don't have to, for some reason, keep me as a client if they don't want to.

I missed that part; that's my bad.

The essential difference though is that mobile carriers are less trustworthy than the most trustworthy domain registrars. Plus mobile networks are usually controlled by a single authority in each country, whereas the Internet and its domain name system is a bit more democratic. It's all relative of course, but still.

So given a choice I'd rely on my email address more than "my" phone number.

My phone contract clearly stated that the contract can be cancelled anytime by the provider without prior notice.

Taking away a domain is a costly, long and usually failing process.

Sure, I need to pay for both.

I agree that I worded that badly though.

> Taking away a domain is a costly, long and usually failing process.

source please, including your registrar's TOS


Or even which someone linked below (to refute my claims)


They also have the "remove anytime" thing, but they warn you and give you 30 days to move your domains. So if they decide to close my account, they don't take my domains.

There may be a difference in contractual terms, but without much of a difference in substance.

The whole telephony system relies on people keeping the same phone number.

Individuals and families rely on it as a most basic necessity. Businesses invest vast sums of money promoting awareness of their phone number.

If telco providers went around taking people's phone numbers away without very good reason, there'd be uproar, and the telco system (and indeed, to some degree, the economy), would cease to work.

I think I said this multiple times in this thread (and probably even in the article, not sure), but I am fully aware how unlikely this is. I just used it as an additional argument that now many used to pick on.

I never heard of anyone who got their number taken when they paid the fee. I highly assume most companies have never done that, actually.

Edit:// It's not actually the point though; it is just an (obviously not that good) argument for my point.

"A phone number is nothing you can just keep."

In the US, you certainly can keep a phone number. You can take it from one telecom service provider to another. But you do indeed have to keep paying your bill to maintain this ability.

This rant is exactly why phone numbers are a good way to do two-factor. The author lost control of their phone number ("as i quit the account shortly...") and subsequently had an extremely hard time authenticating to their bank, Google, Twitter, etc.

Getting a new phone number set up is time consuming, even with a Twilio-like service. This is a good thing. Your IMEI number isn't portable, and until there is a physical token on your phone that is also portable, a phone number is the next best option.

Author here. I don't have a fixed telephone number anymore. How to handle that? I don't see why I would need one except for authentication purposes either. My point is that depending on people having a phone number, and even more one that is widely supported (which my current numbers are not), is simply wrong.

Sure, I could call my bank once a month to change my telephone number, which I lose control of shortly after that (only valid for a few months, prepaid). This is hardly a solution.

On the other side, I control my email address, my private key, my home address to a degree, but never my telephone number.

In 2008 I moved to Japan from The Netherlands for a year as a graduate student. I didn't want to bother with my Dutch phone number there, so I looked for alternatives. My bank uses one time codes that are normally sent to you via SMS when you perform a transaction. These can also be pregenerated and sent to you via mail. The online banking environment simply asks me to enter code number x.

I never changed back, so now I receive a new sheet of numbered codes whenever I've used a certain number of them. Nowadays I scan this sheet of codes, run an OCR task, and import the codes in my password manager¹. So when the bank asks for code 519:

    pass -c bank/ing/tan/519
And I have the code on my clipboard.

I wonder how long ING (my bank) will allow this method to exist… The alternative used by Dutch banks is a small token generating device they provide to all customers (I think only ING mentioned above doesn't do this yet). This requires no phone number either, just the (tiny) physical device.

I wonder what happens if I tell my bank that I no longer have a phone number I can be reached at?

1: https://www.passwordstore.org/
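As an added example (not part of the original comment or of `pass` itself), here is how the OCR step above could be checked before the codes go into the password store: it parses the OCR text of a numbered code sheet into index/code pairs, repairs common OCR misreads, flags gaps and conflicting duplicates, and builds the `pass insert` commands. The sheet layout (one "index code" pair per line, six-digit codes) and the store path `bank/ing/tan` are assumptions.

```python
"""Parse an OCR'd sheet of pregenerated bank codes and stage them for pass.

Assumed sheet layout: one line per code, "<3-digit index>  <6-digit code>",
with arbitrary header/footer lines that should be ignored.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of OCR output. It deliberately contains typical OCR
# defects: a letter O for a zero, a lowercase l for a one, one line read
# twice, a missing index (520) and non-code header/footer text.
SAMPLE_OCR = """\
Codelijst 7
517  48O913
518  2l5640
519  903117
519  903117
521  770248
Pagina 1/4
"""

# Accept the characters OCR commonly confuses with digits, fix them below.
LINE_RE = re.compile(r"^\s*(\d{3})\s+([0-9OoIl]{6})\s*$")
OCR_FIX = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1"})


def parse_code_sheet(text: str) -> Tuple[Dict[int, str], List[str]]:
    """Return {index: code} and a list of warnings for anything suspicious.

    Identical repeated lines are tolerated (OCR often reads a line twice);
    a repeated index with a different code is reported, as is any gap in
    the numbering, because a gap usually means a line the OCR missed.
    """
    codes: Dict[int, str] = {}
    warnings: List[str] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # header, footer or noise
        idx = int(m.group(1))
        code = m.group(2).translate(OCR_FIX)
        if idx in codes:
            if codes[idx] != code:
                warnings.append(f"conflicting code for index {idx}")
            continue
        codes[idx] = code
    if codes:
        missing = [i for i in range(min(codes), max(codes) + 1) if i not in codes]
        if missing:
            warnings.append(f"missing indices: {missing}")
    return codes, warnings


def entry_path(idx: int, prefix: str = "bank/ing/tan") -> str:
    """Store path for one code, so `pass -c bank/ing/tan/519` works later."""
    return f"{prefix}/{idx}"


def stage_for_pass(codes: Dict[int, str], prefix: str = "bank/ing/tan",
                   dry_run: bool = True) -> List[List[str]]:
    """Build `pass insert -e -f <path>` commands; run them unless dry_run.

    `-e` makes pass read the secret from stdin in one line, `-f` overwrites
    an existing entry (e.g. after re-scanning a smudged sheet).
    """
    cmds: List[List[str]] = []
    for idx in sorted(codes):
        cmd = ["pass", "insert", "-e", "-f", entry_path(idx, prefix)]
        cmds.append(cmd)
        if not dry_run:
            subprocess.run(cmd, input=codes[idx] + "\n", text=True, check=True)
    return cmds


if __name__ == "__main__":
    parsed, warns = parse_code_sheet(SAMPLE_OCR)
    for w in warns:
        print("WARNING:", w)
    for cmd in stage_for_pass(parsed):
        print(" ".join(cmd))
```

Run it once in dry-run mode, check the warnings against the paper sheet, and only then call `stage_for_pass(parsed, dry_run=False)`.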

Same. I also use paper TAN right now and have one bank account which I have to call if I want something (which I don't care much about, because it's not meant to be accessed anyway), but yeah, it's just a question of time until the bank does not send out TANs anymore.

My bank (or both of them) had no solution when I told them that I don't plan on having a phone number anymore. The one accepted that they can't call me and sends paper TANs; the other has not done paper TANs for a few years now.

Btw: Your solution to store them sounds nice. Probably gonna adopt that.

Here in Germany we get a Digipass 2FA device from our bank (something like this [0]). For every transaction, you put your banking card in, hold it up to the flashing pattern on the screen, and it creates a TAN for you. Very convenient and secure.

I thought this is more common in Europe, but apparently it's not? Although our banks are increasingly pushing towards app-based 2FA because it's cheaper, I'm very confident they'll continue to support it as it is the common way to do online banking.

0: https://www.vasco.com/products/two-factor-authenticators/har...

UK here, quite a few banks have used calculator style[0] devices for 2FA. You insert your chip card, enter the PIN and receive a code. The devices themselves, while branded, seem identical across banks and accounts (I can use one I got from bank A for bank B and vice versa).

Banks now have introduced app based versions of the above, useful if you've not got the calculator or your card handy, but I don't believe they're looking to phase out the physical device just yet.

Seems similar to your device, but instead of an optical sensor to receive a code from the web browser you enter the account code and money amount of a transfer manually.

[0]: https://upload.wikimedia.org/wikipedia/commons/thumb/0/05/Ba...

One of my banks does this; paper TAN is more confident for me as I don't have to carry an additional device and worry about driver support. But I surely will change to that as soon as paper TAN is over.

The other bank only offers different phone-based solutions. Clearly my fault for not checking first, and also not an issue for me as I don't actually access that account.

If I could use that with other websites, Twitter, GitHub, whatever, I would happily carry that device with me :)

> I thought this is more common in Europe, but apparently it's not?

It is. Most of the other Dutch banks do use such a device (I haven't seen devices that try to read your screen yet though).

The ING smartphone app can now also be used to approve payments (https://www.ing.nl/particulier/mobiel-en-internetbankieren/i...), but that doesn't exactly remove the phone dependency.

> My point is that depending on people have a phone number, and even more one that is widely supported (which my current numbers are not) is simply wrong.

Maybe the bank is not interested in serving people like you - and why should they be? A bank needs to be able to loan money to fulfil its function - everything else they do is about enabling the loan business. To be able to make loans they need to be able to have some hope of being repaid, so they need a reliable way of contacting someone tied to that person's identity and expensive to mess with. Emails are ignorable and untraceable. Home address fulfils those functions but isn't really practical as a sole means of contact - would you like them to place suspicions transactions on hold while they send you a letter and wait for your reply?

As mentioned in some other comment, my bank was a bad point; I see why it's more relevant for banking. While one of my banks is perfectly happy with what I am doing and offers me paper TANs and contacts me via letters, the other isn't.

I am more about everything else than banking though. Things that don't have the need to contact me ASAP and still use SMS for authentication purposes. (Personally I don't even mind verification; I have a number, just not for long.)

My bank emails me about suspicious transactions.

There's a link for if I authorized it and a link for if I didn't.

In fact, basically everything my bank does is by email, except a few legal documents and sending replacement cards, which are by mail.

I can't count the number of times they called me on a single hand.

Sure, I could call my bank once a month to change my telephone number, which I lose control of shortly after that (only valid for a few months, prepaid). This is hardly a solution.

I don't get it, why are your prepaid cards only valid for a few months? Do people just lose their number regularly?

Around here you can get a prepaid SIM, and you only need to make a single call per six months to keep it active. Even an initial 10€ payment is enough for years of service. Can't you get the same in Switzerland?

No, that's what I meant. I need to use it within N period to keep it. If I just receive SMS every other month it will die after a while.

Also, as mentioned, I can't get it again; prepaid is kind of contract-less. If I lose the SIM I am not entitled to get the same number again.

Could just set a reminder to call someone or an automated service once every period...

That's a very cool idea, actually. It would depend on not changing my phone or resetting it and forgetting about it, so probably faulty, but I'll keep that in mind.

Go to VOIP.ms and set up a number for $1/mo. So $12/year. Have it forward to your number. Use it for verification as well. It supports SMS, though I have found some services won't allow it.

Which I control even less... I don't doubt there are solutions, but the only one I've seen so far that is kind of optimal is GitHub, which allows me to recover lost 2FA access by verifying with a git-push-like command based on a public/private key.

I don't know what control means to you. You mean stuff that you don't have to pay for? Stuff that can't be taken away from you? I have had the same number with VOIP.ms for 5 years. Even used it from Mexico. It does not seem to me to be out of my control.

Control means I own it. You never own telephone numbers (maybe you do in some countries, I don't know), but the usual contract is that you rent them and they can be taken away from you anytime. Sure, they usually don't, but building a security system on something like that is obviously suboptimal.

Not sure I understand the difference between renting a telephone number and renting a domain, or email address, or even a home address. All can be taken away for various reasons, failure to pay rent/renewal/mortgage, legal confiscations, etc.

As far as I can tell, it's just a whine services don't let you use a preferred rented identity listing (that is arguably less tied to the real world).

There's not a lot of genuine security or legal analysis to be found here.

Some other guy went a bit more into genuine security if that's your thing: https://www.devever.net/~hl/e164

According to my telephone contract it can be taken at any time and I am not entitled to my telephone number. This is something you don't find with domains.

They can take your domain away, for example, if you fail to respond to an inquiry regarding invalid contact info. Anyone can initiate one of those inquiries. And, of course, there's the various domain name dispute policies at ICANN.

I just checked for details. So far as I can tell, it's a long, costly and usually failing process to get a domain taken, vs. just a random thought by a single entity to get your phone number taken.

Man in the middle.

The point is to slow down attacks. The point is not that it's foolproof. I always see 2FA not as a way to secure your account, but more as a way to mitigate illegitimate attacks from third parties and script kiddies, so they can't get into hundreds if not thousands of accounts all of a sudden.

"I dont have a fixed telephone number anymore. How to handle that?"

Get a fixed telephone number.

Somewhat off-topic, but honest question: In the article the author says that he OWNs his email domains. Is this really possible? In my understanding it's more like you rent the domain name from the registrar, and you need to keep renewing it. My question is (please forgive my ignorance in this matter): what prevents the registrar from some day raising the price for your domain to astronomical values? Maybe some well-funded business has suddenly decided that they want your domain name and they have no problem offering thousands of dollars for it. When the domain name is up for renewal, what prevents the registrar from passing it to the highest bidder?

Author here, this is a valid thought indeed.

My point rather was that they cannot take it away from me. My specific registrar only allows themselves to invalidate domains for a few days when they contain swear words. I am not entirely sure if they can increase the price while I own it. In fact, last time they increased the price it did not affect me because I already owned it, but only newly registered domains. Even the renewal was at the old price.

A registrar that invalidates domains just for having swear words is bounds beyond what is acceptable here in the west.

From your other posts, I gather you live in South-East Asia, so I guess it's a local domain.

My domain is actually .ch. I am not entirely sure how this goes, and I highly assume swear words are not what I actually meant. They just reserve their right to invalidate domains for a few days in case they are inappropriate (I think that is the exact phrasing they use). This is also true for .eu, .de, .it, .li, .at, but I doubt it happens often. Maybe it only refers to using registered trademarks? Dunno.

I just tried to look it up. Seems it mostly happens for things like "Trademarksucks", which is afaik illegal (smearing or whatever the law is called) in most of Europe.

Because there is ICANN, and clearly defined policies on domain transfers. These can be reviewed, but it usually doesn't happen without prior warning.

Because you must be able to transfer out.

This hits me too because I travel a lot. Try installing Signal on your phone when your only connection to the world is over WiFi. Try getting an SMS when you're not on a compatible network. You can't. That doesn't mean I don't have my phone with me. The requirement for a contactable phone number instead of an email address or other message is like pretending that your IP address and your hardware MAC address are the same thing, when they're obviously not. One identifies an actual piece of equipment, and the other is literally just bits on the wind.


I do not have a mobile phone, and have run into countless issues with so-called security systems which demand a mobile number, everything from airports to online services like Twitter. It's amazing how many services become unavailable when you have no phone number to provide.

I have a mobile phone number, but it's VoIP and can't receive SMS. That excludes me from many types of services that absolutely want to send an SMS.

Extra bonus: I moved out of my country of origin a few years ago. The Visa card I have from a bank in my country of origin needs 2FA to be used to purchase things on the net. The second factor is a code sent by SMS. Even if I had a phone number that can receive an SMS, the bank won't let me change the configured phone number because they can only accept a phone number in my country of origin. IOW, I can barely use that card.

Welcome to my world. I have to call my mum when I want to spend something on my credit card because she now receives the verification SMS.

Not to mention that I had to lie to them and have a friend from my home country call them (posing as me) to change the phone number (which is most likely illegal in itself) because they could not accept calls from my current country...

I was an exchange student in CA for a year. During my year, I had to interact with my very local and small bank in Norway.

I managed to persuade one employee to change the attached cellphone number to my temporary American one, but they initially didn't think it would work.

It was a great day when I got access to my money again.


> A phone number is nothing you can just keep. Also i OWN my emails domains. Therefore they are under MY control.

No, no, no.

Just like phone numbers, your domain can be yanked out from under you. In many cases, there are procedures and appeals that can be worked out, but realistically, if someone hijacks your DNS, it's over.

To take my domain legally from me there is a complicated procedure involved; it's nothing that can just happen from today to tomorrow because a third party wanted it. Which is in fact the case with phone numbers. At least the one I actually read the contract for.

Controlling my DNS is pretty much the same scenario as hacking my phone. Both can happen, both don't have to happen.

Edit:// I checked; taking my domain from me if my data is correct and I pay is close to impossible, costly and takes forever. This is really far from being the same as with a phone number.

In the UK mobile networks are required to offer number portability[1].

I don't know if that means a mobile network can take your number away, but just like managing the registrar on a domain, you can manage the portability of your number.

[1] https://www.ofcom.org.uk/phones-telecoms-and-internet/inform...

You can in most countries as far as I know. But in my example I quit my account (so made it prepaid essentially) and lost the SIM card, which means I lost my account forever. Now it waits for the SIM card to be invalidated and then will most likely sell the number again. It was an "easy number" (as in people remember that number after telling them once), so I assume it will be resold rather fast.

But just because you can does not mean people want that. Before it became normal to auth everywhere with phone numbers I happily changed my number yearly.

You'd be surprised. Number portability is a big pain in the arse for us (determining the network from an MSISDN is important in my industry) so it's always a nice bonus when we come across countries without it.

Most recently, Philippines: http://www.prefix.ph/smart-users/updated-philippine-mobile-p...

This is a really interesting example! Thank you, I obviously only thought about my rather small digital nomad bubble & issues. But this is a good example of the same problem on a much bigger scale.

Once again it shows you can't just close your eyes and judge from yourself to others.

You can change them, you just have to change them in those services too. Same as with email, or any other authentication mechanism, really.

Just to offer the other side of this, I, on the other hand, have kept the same mobile phone number since the beginning.

I've got an odd issue with a Google mail account that has no email or phone number associated with it. On my main laptop, I can access the account with username and password; on another computer, I'm locked out because of security checks. The credentials don't matter. Which really bothers me. I'm effectively locked out of the account.

I don't really care for a telephone either.

Yeah, that can happen, it's one of the reasons why I don't recommend Google accounts anymore. Hardware/software factors ("new devices"...) trigger their automatic security checks and can easily lock you out of your account, even if you did nothing wrong.

Big providers are more and more tailoring to the lowest common denominator (people who can't manage passwords, get malware...) and pushing for mobile authentication. So if you're someone who can manage passwords and is willing to accept responsibility, you get annoyed at best and locked out of your account at worst.

I agree it's stupid, but it personally gives me a good feeling about their security as well. I'd rather trust my Gmail account than my phone.

The "trick" is to never change your laptop/desktop and phone at once so you can always verify with the other. At best, if you travel, have an old computer somewhere that someone else can access to verify when needed.

It's not perfect, and I still have bad dreams about losing access and no Googler ever going to help me. But on the other side, when someone accesses my account somehow, I know nothing happens and they get locked out.

I move country and change internet regularly, and I am glad this is not a reason to lock my account like with many providers who have less advanced tactics.

Are you using long, automatically generated passwords? I've had two very similar Google accounts that I log in at the same time on PCs, and one account with a 15 char password kept wanting additional checks. It stopped when I changed the password to 16 chars.

Over 16 chars, not auto generated.

Can't you just add an email?

It kind of defeats the point. It all gets chicken and egg. I've some accounts that I want totally and utterly divorced from each other.

As someone who changes phone numbers periodically, I couldn't agree more. The worst part is all the services who use it as the only identifier. Services like WhatsApp, Signal, etc should AT LEAST offer an alternative means of identification, be it a user-chosen handle or an email address.

Don't they use phone numbers exactly because they are hard to get/change?

A phone number, at least in the UK, means you've been pre-verified in some way - users can't in general generate new phone numbers like they can email addresses.

Thus, fewer problems with anonymous users (e.g. trolling, spamming) and less abuse from named users, as they can usually be traced using the phone number.

>A phone number, at least in the UK, means you've been pre-verified in some way

This seemed interesting to me, so I tried signing up for a UK voip number at the sipgate.co.uk site. They do ask for an address, but they accept anything valid, like the address of a university. Had a 056-0003 XXXX phone number in less than a minute.

I travel a lot and in many countries a prepaid SIM (which will expire after as little as a month without use or top-up) is the cheapest way to go.

Most countries are moving towards requiring identification before activating a SIM card, like you say.

For example, in Vietnam this has only become a thing in the past month or so, and it is not enforced in practice in many unaffiliated corner stores. Last month, I just walked into a corner store, paid a couple of bucks and got a preactivated SIM card with a couple of GB in two minutes.

Google does let you have 2 factor setup without a phone number as a factor, but strangely you need a phone number temporarily. You add the phone number as a factor, then add other factors (such as Google Authenticator and Yubikeys) then delete the phone number.

> Google does let you have 2 factor setup without a phone number as a factor, but strangely you need a phone number temporarily.

I finally set up 2FA on my Google account this weekend.

It struck me as incredibly odd that Google requires a phone number to enable 2FA. NIST recently advocated against using SMS for OoB auth. [0]

If I had been an account hijacker with the password (e.g. obtained via phishing) it would have been ludicrously simple for me to enable 2FA on someone else's account.

I don't understand, I already have an Android phone with Google Play Services installed. Why isn't pressing "Okay" on my phone sufficient? It's certainly not any more insecure than an SMS.

What I view as even worse is on the first attempt the SMS didn't go through, so I asked Google to give me a call. Evidently my provider blocks whatever number they're using to call out of, so my phone never rang. But Google left the verification code anyway, AS A VOICEMAIL!

My inner tin foil hat says Google wants a phone number for other purposes.

[0] www.securityweek.com/nist-denounces-sms-2fa-what-are-alternatives

> My inner tin foil hat says Google wants a phone number for other purposes.

Just like Twitter these days. "Telephone number is optional and for your security". 2 minutes later my new accounts are always locked and I need to provide a telephone number to enable them again. They used SMS until recently; now they use a call service which only works with a fraction of numbers. (Tried 2 Thai, 1 Cambodian number, none accepted.)

I seriously don't get what they are trying to do other than creating a database of telephone numbers and locking users in third-world countries out.

I also agree that Google actually knows enough to just verify it based on my phone. A telephone number is not necessary, especially since I "verified" my account in the past with a phone call. Why again?

Steam does this as well. Even if you add your phone number after a lot of nagging, Steam still keeps bothering you to install their Android or iOS authenticator software (even if you can't). I wish Steam would consider FIDO U2F as well, but getting through to anyone who can influence this at Valve is nigh impossible.

It seems to be the industry status quo now to assume that everyone uses a smartphone running either Android or iOS, and that everyone wants to use that device for authentication. Meanwhile the tech giants (especially those involved in advertising) probably like having that nice unique alphanumerical identifier for your profile — it tends to be the same for all services you use.

I really hope FIDO U2F becomes a de facto alternative for 2FA.

Yeah, I just ran into something similar a few days ago. Every once in a while I used to go through all my trading cards and bulk sell all my duplicates for a few cents each, but apparently now they require you to use some combination of SMS and mobile app authentication to post anything on the market. Clicking through the confirmation email they send you isn't enough on its own.

So now I just don't bother with trading cards at all.

My experience exactly. I used to sell those silly cards the moment I got them, just to get a little extra balance in my Steam account for the next purchase. Now I just ignore them; selling them is way too much of a hassle to be worth the €0,05 you get for a card. (Who buys those things anyway? Weird market.)

Steam, at least, does not seem to have an issue sending me emails. Sure, it annoys me to use their app or whatever, but I can choose to only receive emails. Which is really all I actually want :)

But I agree with everything said.

It's protection against bulk account creation. Getting a phone number costs money, so requiring a phone number makes it expensive to get 1000 accounts.

Phones are ubiquitous enough that very few customers have to pay this cost.

Obviously, this reasoning doesn't (and shouldn't) extend to using phones for authentication.

Yeah, after writing the article I also realized I don't actually mind verification, as long as they support whatever carrier I currently have. It's authentication that I have a problem with. (As in I have a phone number and I want internet on my phone, but I change it often, monthly.)

Also, for services like Twitter that allow any rented SMS service and multiple accounts for each number, this seems not to be the reason why they ask for a number.

"My inner tin foil hat says Google wants a phone number for other purposes."

"I already have an Android phone with Google Play Services installed."

Guess what - Google already has your phone number before asking for it via the 2FA form. My guess is that the reason they have one platform-independent process for setting up 2FA is for iOS users.

> Guess what - Google already has your phone number before asking for it via the 2FA form. My guess is that the reason they have one platform-independent process for setting up 2FA is for iOS users.

Only if the phone number is the same one I use for my Android phone. But yes, I realize that any SIM I put into my phone will also be known by Google.

It's just an incredibly shit onboarding method. They already have a more secure way than SMS to determine the account owner, so why not offer it as an option?

Can you even create a working Google account without a phone number? When I last tried that, it seemed to be mandatory from the start.

It never seemed to be a security measure, but an anti-spam measure. You can buy captcha solving as a service for fractions of a cent, and bulk create thousands of accounts for sending spam. Buying working phone numbers is more hassle and more expensive, and will leave a payment trail if you use a service like Twilio.

You can, but it's not obvious that it's an option. I'd be willing to bet that the signup UI was deliberately designed to make it look like a phone number is required.

You can, but only if Google thinks your IP address has a low likelihood of spam.

This is new to me, thank you. I am a little afraid of locking myself out, so I am hesitant to just try it; I will read into it and give it a try. Seriously, thanks.

For one, I like to opt out of phone-based 2FA whenever possible. It is just inconvenient, as demonstrated in the post, without any upside really. Most of the time it actually prevents me from doing things. Lose/forget your phone and you are in a very bad position. I'm satisfied with a secure password, thanks.

In most cases I totally agree. Some places enforce it though :/

This is a rant about an edge case: sure, it sucks for the author, but even now few people move more than a few miles from where they are born.

Expecting a Swiss institution to seamlessly support banking from Thailand is, unfortunately, unrealistic. In the pre-internet age I doubt it was supported well either.

Seems like the author should have talked to their bank about how extra-territorial access works before moving rather than complaining about issues after the fact.

Phone numbers are a red herring.

Thanks for your input. Obviously I did; I just did not expect losing my SIM card in the first week. My bank changed my account to paper TANs and I hope they will still support that for a while; after that I could probably opt in to carry an additional card reader device and auth that way.

Obviously I am an edge case. But while trying to fix my issue I encountered several companies who never even thought about this kind of case. This is really all I want to achieve here: make people, especially those who implement such systems, think about an alternative or at least a proper workflow to fix issues like this.

I have access to everything I need now; it's not like it's unsolved and I am crying for help. It sucks that I can't enable 2FA on several sites, but well, for now I have to live with that.

A friend of mine switched their mobile phone number but forgot to change it in their Microsoft account. Now they can't fully use it because there is a one-month waiting period to get the new number accepted without validating the account with the old number. Thankfully you can also add email addresses for that, but we forgot that.

A lot of services use Authy, where you also can "easily" change your phone number. But it also takes 2 weeks; for someone who moves country monthly that is just a suboptimal solution.

Sure, it makes sense to slow this process down for protection purposes. But my "edge case" will only get more common as remote work gets more common.

Desktop authentication programs are no better. Authy has a terrible interface, which didn't tell me I should actually create an account to have my authentications synced. I had to use my email and password, so I thought I did have an account, but I did not. This caused me to lose authentication for various programs that luckily I was able to get back.

> And to make it worse, finding malware on an Android phone is way harder than noticing something is off on a desktop.

That's if you notice. Plenty of malware is not going to be noticeable if it's programmed to actually steal something from you.

Phone numbers aren't a perfect way to verify things, but that is why you have both mobile authentication, and/or numbers. Many people still do not use smartphones, and even if they do, you can drop it or have it die in thousands of ways that will make the data unrecoverable. Phone numbers, largely, are not going to change for people.

Saying phone numbers are no proper verification because some people refuse to have mobiles is like saying fingerprint verification is no proper verification because some people don't have fingers... Well, no. It's worse.

You've chosen to be a "nomad", "outcast", whatever it is, well, then live by your word.

Interesting conclusion, and now I am curious what the police/visa offices do with people without fingers. Most likely they offer an alternative, which is all I am ranting for here.

If I choose to have "less" security by using email (in fact it's more, but that's a different topic) it should be my choice. I should not be forced to own a fixed telephone number, especially for services that just don't know any better. I should also not be forced to give away possible access to my accounts just because I tend to change phone numbers.

Edit:// To your edit. With "nomad" I don't mean I live like an outcast. I am currently living as a digital nomad. I have a home address and earn money; I just don't have a fixed telephone number anymore.

If people had the choice of not using a mobile phone when creating an account, 1) recovering lost accounts would be much harder (and that's actual support, it costs them money, so they want to avoid it) and 2) fighting spam would also be harder (everybody gets to create an account and send mail with it? Wow, that's really going to cost them money!)

Anyway there are mail providers who won't ask you for a mail. Protonmail and GMX come to my mind.

Valid arguments indeed. Many do well with not allowing common mail providers (there are lists available), and as I own my own domains I welcome that.

If they require a telephone number I would at least expect them to support a wide range of providers and not only some. Like, I really can't get over the fact that Twitter locks out the most popular Thai provider.

They could, however, also send me a letter, or have me auth with Authy/Google Auth to make a single identity system. Maybe even require my passport number + name. It's not like phone would be the only solution.

And yeah, I see that may be hard for small providers, but it shouldn't be hard for bigger ones. Or like in Twitter's case, it's not about having a single account anyway; you can have hundreds with the same phone number, but not a single one with a Thai phone carrier.

Edit:// To clarify, I personally have no issue with initial confirmation over SMS; I mean, I own a phone number most of the time. I just don't own it for longer than a month, so it is not valid for me for further authentication.

You live in Switzerland. If you can create a phone number with a Thai carrier from there, I am sure you understand why Twitter refuses to deal with such a carrier.

I don't. I live in Thailand right now, tomorrow maybe in Vietnam. Right now I might be an edge case, but remote work is growing fast.

You can create throwaway SMS numbers for a few cents with several online providers, some even accept Bitcoin payments and don't ask for a name, and Twitter accepts them happily. It's just the third-party provider they use that did not implement that specific carrier yet.

Edit:// Also I am curious now why you think I had a Thai phone number while living in Switzerland? :D There are countries like Austria, directly next to it, that don't even ask for a passport for prepaid; why would I go Thai?

The "about" section of your website says you live in Switzerland.

At least here it's not legal for a mobile operator to give you a phone number if they don't have your ID (not even a prepaid number) so I supposed it was the same in the whole EU. Therefore I imagined you heard somewhere there's an operator in Thailand that lets you get a number without giving an ID, maybe even for free, so you wanted to get one to auth in Twitter. But such a system would be abused by spammers so Twitter had blocked that operator already.

Yes, quite the elucubration, I know.

Ah ok lol, I see. I think I wrote "based in Switzerland", which mostly means that's where I store my desktop PC :) Actually in Thailand, Cambodia, Vietnam and so on you also have to provide your passport. The only place that I know of that does not (until recently at least) is Austria. Most web services don't require a passport though, even for European numbers. But I have no idea about the legality, so no idea.

A more mainstream problem would be moving, or even traveling for a moderate amount of time to another country. Within the EU, that's fairly common, as many countries are rather small and the borders between them are rather open. For comparison with the US, the barriers to this are a little higher than moving to another state, but not a lot higher.

Having important services tied to a phone number, which remains relatively tied to a country is problematic in the modern world even for people who aren't especially "outcast".

> Roaming providers will be able to apply a 'fair use policy' to prevent abusive use of roaming. This would include using roaming services for purposes other than periodic travel

So very much a partial solution. In particular, it's no good for someone who moves long-term or, say, someone studying in another country. Simply changing phone numbers with a bunch of services is a serious pain in the ass even if they all consider the new number acceptable.

As an American currently living in Germany, I've run into this kind of problem myself. My mobile banking app, for example, wants to send an SMS for verification because it thinks connecting from a non-US IP address is suspicious, but I can't give it a non-US phone number to do that with. Providing a different option for 2FA would be a big help.

Strange how "not having a mobile phone" is seen by some as being a "nomad" or "outcast". Come on. They've become pretty common, but let's not get carried away here.

Do you know a single person who doesn't have a phone number? And I don't mean to say a smartphone. Just a phone number.

So you are saying it's serious and an alternate solution should exist.

If phone number can't be validated, there should be other alternatives offered. It bugs me when I land in another country and the airport's WiFi hotspot wants my phone number. D'uh! It doesn't work yet until I get a local SIM, and I don't want to turn it on 'coz my operator will instantly charge for the incoming verification SMS and whatever else was queued for delivery. What about those who don't have a phone?

Please offer an alternative method. Like, allow Internet access for 2 minutes and do an email verification.

The solution to protect against loss is to have a backup. Keep a backup SIM from your home country (or for every country in which you have an important account), so in case of loss you can switch over to your backup and you can avoid this fuckery. In my experience it's not hard to keep a prepaid SIM active, even if it's not in active use.

This advice also applies to your wallet too: have a second bank account (at least) and second set of credit cards (with different institutions) in a second wallet. If you lose your primary wallet, you can immediately switch over to your backup.

Heh, I actually tried. They would invalidate my other SIM if I got a second one. There is no such thing as a "backup SIM" with the provider I was with.

Then use a different provider.

I'm not trying to suggest you get a redundant SIM on the same account; that's not possible. You get a second prepaid account (with a different number) with either the same or a different carrier.

How would that solve the initial issue though? I still would have to change my phone number with dozens of different services.

If you're looking for a work-free backup/restore solution, those don't exist. The point is that you'll at least have immediate access to an active number from your home country that you can give to your banks or whatever. This means your banks (and others) aren't going to be weirded out by that non-domestic phone number, which is a problem you were describing.

Sometimes you'll be able to port your number too.

(This comment ended up turning into a blog post in itself, so I moved it: https://www.devever.net/~hl/e164 )

I was surprised by the long comment and was going to suggest making it a blog post. Well :)

We definitely are on to something there; now let's hope some people pick it up and find better solutions.

You went more technical and provided more direct reasons; I learned a few things from your article. So kudos for that!

I'll make a link back to your post as well; it seems like a good followup for interested people, and as said a little more detailed about the technical implications.

Verifying identity is the government's job. Since time immemorial, governments have been issuing identity documents for their citizens.

So when did it become the job of the telecom industry? So why would anyone think that a telephone number can robustly represent identity?

Of course there are privacy and ethics concerns with government-issued digital identities. And they can be addressed, after we first agree with whom primary responsibility for identity assurance ought to lie, because then we can remember that all the alternatives are worse.

Personally I'd rather give my name and my passport ID than my telephone number. At least with that data they can't annoy me or resell it to ad companies to annoy me.

Also I can't lose knowledge of the number. I can easily replicate it on my own side (saving it in multiple places).

The same properties that make phone numbers bad also make email addresses, postal addresses and other IDs bad. Sometimes a weak option is better than no option at all.

E-mail is far from being perfect (you can get your account unilaterally closed by your provider or you can lose your domain name), but in practice I've been using the same address for more than a decade, and I have aliases that are meant to last forever (my alumni address), while in the same period I've had 5 different mobile numbers that I used for services like banking or IM, which is very inconvenient indeed.

I've had the same mobile number for the last fifteen years too. In NZ at least (not sure about other countries) it's trivial to take your number with you when you get a new SIM from any mobile provider. Though this wouldn't work across countries obviously.

As a developer in Europe, moving across countries isn't a particularly crazy pattern I believe :)

Also in some countries keeping your number isn't cheap. And even when it's technically easy, your phone plan might be provided by your employer, in this case it might be very tricky to get your number migrated when you change jobs.

And I highly assume we are a growing number of people (remote working and actually moving). We may be a rare edge case now, but may not be in a few years anymore.

And yes, keeping my phone number as it was would cost me $80/month. With a provider I hated like the plague.

And I have changed (lost) around 10. People and their behavioral patterns are drastically different. (ADD sucks).

At least 2 of them are now reused and given to other people.

This so much. And you probably don't even remember which services they are bound to. The service now probably sends "you" an SMS and the people realize they have access to something they should not have. Just crazy IMO.

I have been ranting about this for a while now, and many people say stuff like "you can just take your phone number with you". It's on par for me with "I have nothing to hide, why would I worry". It's just short-sighted and projecting personal use on the world.

Exactly! And you don't simply lose a domain unless you really fail at renewing it, which usually is a period of 2 months of getting reminder emails.

The point with email is that I CAN control the address myself. Sure, I use external services to send and receive, but if that fails for some reason I can still set up my own servers and still have access to my accounts. No way of doing that with phone numbers.

Postal addresses are Name + Address, so they get invalidated automatically when I move. Therefore I would argue they are also better.

https://www.truecaller.com/ gives the name of phone owner

Coinbase blocked my account from buying and refused to explain themselves after I changed the phone number associated with Authy.

If true (they refused to explain themselves, after all), that's an incredibly backwards approach for a company based on the (possible) future of money to take.

Not sure where I got that from; I don't have that written. Coinbase was super nice, but they had an issue with the API callback from Authy which did not re-enable my account again.

Coinbase however blocks accounts for gambling, but they usually mention the why.

I didn't participate in any gambling or do business with somebody whose business includes gambling to my knowledge. I barely used the account at all after initially setting it up when building something for a client (an entirely non-shady company that you've probably heard of) that used their API.

They said this:

Unfortunately a manual review has determined that you are ineligible to use the Coinbase platform to purchase Bitcoin. We’re sorry for any inconvenience that this may cause.

And when asked why, they said this:

Sadly, I don’t have any information before me to answer as to why such a decision was taken, but this decision is final.

The only thing I can think of that I did that might have been suspicious was to access the service from outside the US and switch Authy to a non-US phone number after previously using a US phone number.

I never get these rants. You want me to take something that works well for 100% (Your case is less than a rounding error), and introduce security weaknesses for you? You've decided to be a non-conformist, and then want the 100% to conform to you. Sorry, but no.

Like your name. It's a rant, that's what they are for, aren't they? And no, I am pointing at a growing problem. Since I move within a "digital nomad" scene I noticed this is a common topic and there are millions of suboptimal solutions to work around it. I am surely not alone; maybe not 1% yet, but remote work is growing VERY fast.

Also I don't want anything to be 100% conformed to me. No idea where you got this from. I am really just trying to shed some light on an issue I see. All I actually expect is to have people think about this issue and, if possible, offer solutions; if not, offer a workflow to not make this a complete pain.

Sorry, you're absolutely right, and you should express this. My day job, I just fight with people who want to do things like this, but with no clue as to the costs and the alternatives that would need to be implemented. But somebody will figure it out, either writing a rant, or maybe reading one, and get an idea... So we should have this, but at this point, margins are so low that we need to start ignoring niches that are less than single digit percents. And it looks like things are about to get tighter.

I see where you are coming from no worries.

FreeOTP or Google Authenticator are a better alternative to SMS. I have three bank accounts and, sadly, none offer that as an option.

If you need SMS verification for some service you can buy a Russian or Ukrainian number for a few bucks. I do that when I want a throwaway WhatsApp.

How and where do you buy Russian/Ukrainian phone numbers?

Phone numbers work between phone companies. Are they administered by the government or other central organization? I wonder if you could own phone numbers if you bought them straight from the source.

If affordable, that would be interesting indeed. If I could own it on similar terms to a domain and just choose my provider, but still _own_ it for the most part.

Right now it is usual that you can keep your number with other providers, but you still never actually own it.

Why not just keep your original phone number on the lowest cost possible plan? It's also good for emergencies.

I did, kind of. I hated my carrier really bad (they are really bad, and I expressed my hate) so I went with a prepaid plan. The issue is that after I lost the SIM there is no way for me to get the same number again.

They wanted $500 from me to "downgrade" my account from the $80 I paid then to about $40 I would have paid after that. I said fuck you.

The author's concerns are well justified, however they suggest to provide an alternative.

Thank you. I don't really get the "however". Do you mean I missed providing a solution? That's true; other than my GitHub example I did not provide any solutions.

My current mission is to plant this thought into people's heads, especially those who implement such systems (which is why I posted on HN). All I really want right now is a workflow to help people having similar issues; if a company is aware of this when they build such a system, they will also be able to find individual solutions that fit their market.

Like my bank can offer paper TAN, GitHub can offer private key authentication, and Twitter should not ask for a telephone number at all because they allow multiple accounts per number anyway. Also 2FA should be possible with email and not only SMS.
