But organisations like banks need to have systems that adequately balance security, usability and ubiquity, and it turns out that phone number authentication is optimal across those criteria.
Of course it's not perfect, but empirically it works better than the alternatives (otherwise they'd already have changed it), so we're stuck with it, no matter how much it might frustrate the likes of you and me.
I'm finally old enough to realise that for certain things, like banking, the world is better off that way, else it would would descend into chaos (even more than it already has), and nobody would be able to get anything done.
And maybe it's only possible for people like us to get away with existing on the fringes thanks to the fact that most people are keeping society going by getting things done, and for that reason it's perhaps justifiable that for things like this it's up to us to find a way to fit in with their ways of doing things.
One of my banks offers the following 2 alternatives:
* Paper TAN (which most likely will go away in the next years)
* Card reader that scans your EC card
Both completely valid for my situation, my other bank does none of both. Both however are completely valid just not as confidient for the bank i guess.
My whole point is having alternatives, or at least a workflow to fix this issue for people who do not have a fixed phone number (anymore). Its sucks to have way less security as everybody else (because i cant enable 2FA) when email was always there and pretty much just as good. It sucks even more to not be able to create a account because somehow they dont want your current number (I mean how crazy is that that you can not make a Twitter account with one of the most popular Thai providers? How is that not a huge issue?)
But for every new system/feature/mechanism a service provider builds to accommodate every increasingly narrow edge-case, there's a huge additional cost and commitment in development, maintenance and support.
So the reality is it just comes down to dollars. If you're in the mainstream, you'll be looked after. If you're in the fringes, well, you're in the situation you're in now. That's how the world works.
Whilst complaining might help you to feel better, it's not going to change much unless there are big dollars at stake for the service provider.
And for google if you have multiple people using the same google accounts which you would do for many google services 2FA can really mess you up eg if I WFH I cant login to some of our GA GTM and GSC accounts.
The telephony system relies on that being the case, which is why it has the nice byproduct of being an identity verification channel for banks and other service providers.
So it doesn't matter who strictly 'owns' the phone number. What matters is that it can be relied on to be linked to a given person over an extended period of time, which it usually is, which is why the system usually works. And when it doesn't work, a fallback process is available, which makes the system work even better. So all's good!
It's easy to point out ways in which the system fails in all kinds of scenarios where people don't/can't fit in with the way the system is designed, but it's ultimately futile.
Service providers will run their system in whatever way is secure enough and usable enough for enough of their customers to be satisfied to stay as customers. There's really nothing more to say about it!
Why would you do this? Whether personal or work related, Google has always said to keep accounts tied to an individual.
Do you really believe that? I was just reading someone comment's on Reddit yesterday about him working for a bank that only recently stopped working with credit card number transfers in the clear...
Some if not most of the banks just use ancient technology for the same reason most other big corporations do - they don't really "get" the security "value" so they don't bother to invest hundreds of millions of dollars in new infrastructure.
"Don't bother to invest" could be a cynical way of saying they can't justify the financial cost, personnel commitment, organisational upheaval and multi-dimensional risk to adopt the new infrastructure.
But it's not as if they're sitting around doing nothing; all the banks have vast teams of people constantly maintaining and improving their software and infrastructure, doing whatever is necessary to minimise losses and maximise gains.
Those who don't do it enough or do it right go out of business.
I don't get the distinction the author is trying to make: if you stop paying the renewal fees for them you'll find you "own" those domains exactly as much as you "own" a phone number.
Sure it is not _mine_ ether. But it is more mine than a phone number ever will be.
Edit:// I tried to look it up, except trademark stuff (and even then its not easy) i dont see any reason a domain could be taken away from the renter while beeing paid for.
Which makes sense, they dont have, for some reason, keep me as client if they dont want to.
So given a choice I'd rely on my email address more than "my" phone number.
Taking away a domain is a costly, long and usually failing process.
Sure i need to pay for both
I agree that i worded that badly tho
source please, including your registrar's TOS
Or even which someone linked below (to refute my claims)
They also have the "remove anytime thing" but they warn you and give you 30 days to move your domains. So if they decide to close my account, they dont take my domains.
The whole telephony system relies on people keeping the same phone number.
Individuals and families rely on it as a most basic necessity. Businesses invest vast sums of money promoting awareness of their phone number.
If telco providers went around taking people's phone numbers away without very good reason, there'd be uproar, and the telco system (and indeed, to some degree, the economy), would cease to work.
I never heard of anyone got his number taken when they paid the fee. I highly assume most companies never done that actually.
Edit:// Its not actually the point tho, it is just a (obviously not that well) argument for my point
In the US, you certainly can keep a phone number. You can take it from one telecom service provider to another. But you do indeed have to keep paying your bill to maintain this ability.
Getting a new phone number set up is time consuming, even with a Twilio-like service. This is a good thing. Your IMEI number isn't portable, and until there is a physical token on your phone that is also portable, a phone number is the next best option.
Sure i could call my bank one a month to change my telephone number, which i loose control of shortly after that (only valid for a few months, prepaid). This is hardly a solution.
On the other side i control my email address, my private key, my home address to a degree, but never my telephone number.
I never changed back, so now I receive a new sheet of numbered codes whenever I've used a certain number of them. Nowadays I scan this sheet of codes, run an OCR task, and import the codes in my password manager¹. So when the bank asks for code 519:
pass -c bank/ing/tan/519
I wonder how long ING (my bank) will allow this method to exist… The alternative used by Dutch banks is a small token generating device they provide to all customers (I think only ING mentioned above doesn't do this yet). This requires no phone number either, just the (tiny) physical device.
I wonder what happens if I tell my bank that I no longer have a phone number I can be reached at?
My bank (or both of them) had no solution when i told them that i dont plan on having a phone number anymore. The one accepted it that they cant call me and send paper TANs, the other did not do paper tans for a few years now.
Btw: Your solution to store them sounds nice. Probably gonna adapt that
I thought this is more common in Europe, but apparently it's not? Although, our banks are increasingly pushing towards App-based 2FA because it's cheaper.. but I'm very confident they'll continue to support as it is the common way to do online banking.
Banks now have introduced app based versions of the above, useful if you've not got the calculator or your card handy, but I don't believe they're looking to phase out the physical device just yet.
Seems similar to your device, but instead of an optical sensor to receive a code from the web browser you enter the account code and money amount of a transfer manually.
The other bank only offers different phone based solutions. Clearly my fault for not checking first, and also not a issue for me as i dont actually access that account.
If i could use that with other websites, Twitter, Github, whatever, i would happily carry that device with me :)
It is. Most of the other Dutch banks do use such a device (I haven't seen devices that try to read your screen yet though).
Maybe the bank is not interested in serving people like you - and why should they be? A bank needs to be able to loan money to fulfil its function - everything else they do is about enabling the loan business. To be able to make loans they need to be able to have some hope of being repaid, so they need a reliable way of contacting someone tied to that person's identity and expensive to mess with. Emails are ignorable and untraceable. Home address fulfils those functions but isn't really practical as a sole means of contact - would you like them to place suspicions transactions on hold while they send you a letter and wait for your reply?
I am more about everything else than banking tho. Things that dont have the need to contact me ASAP and still use SMS for authentification purposes. (Personally i dont even mind verification, i have a number, just not for long)
There's a link for if I authorized it and a link for if I didnt.
In fact, basically everything my bank does is by email, except a few legal documents amd sending replacement cards, which are by mail.
I cant count the number of times they called me on a single hand.
I don't get it, why are your prepaid cars only valid for a few months? Do people just lose their number regularly?
Around here you can get a prepaid SIM, and you only need to make a single call per six months to keep it active. Even an initial 10€ payment is enough for years of service. Can't you get the same in Switzerland?
Also as mentioned i cant get it again, prepaid is kind of contract less. If i loose the sim i am not entitled to get the same number again.
There's not a lot of genuine security or legal analysis to be found here.
Get a fixed telephone number.
My point rather was is that they can not take it away from me. My specific registrar only allows themself to invalidate domains for a few days when they contain swear words. I am not entirely sure if they can increase the price while i own it. In fact last time they increased the price it did not affect me because i already owned it but only new registered domains. Even the renew was on the old price.
From your other posts, I gather you live in south-east asia, so I guess it's a local domain.
I just tried to look it up. Seems it mostly happens for things like "Trademarksucks" which is afaik illegal (smearing or whatever the law is called) in most of europe.
I do not have a mobile phone, and have run into countless issues with so-called security systems which demand a mobile number, everything from airports to online services like Twitter. It's amazing how many services become unavailable when you have no phone number to provide.
Extra bonus, I moved out of my country of origin a few years ago. The Visa card I have from a bank in my country of origin needs 2FA to be used to purchase things on the net. The second factor is a code sent by SMS. Even if I had a phone number that can receive a SMS, the bank won't let me change the configured phone number because they can only accept a phone number in my country of origin. IOW, I barely can use that card.
Not to mention that i had to lie to them as have a friend from my home country call them (imposing as me) to change the phone number (which is most likely illegal in itself) because they could not accept calls from my current country...
I managed to persuade one employee to change the attached cellphone number to my temporary american one, but they initially didn't think it work.
It was a great day when I got access to my money again.
> A phone number is nothing you can just keep. Also i OWN my emails domains. Therefore they are under MY control.
No, no, no.
Just like phone numbers, your domain can be yanked out from under you. In many cases, their are procedures and appeals that can be worked out but realistically, if someone hijacks your DNS, it's over.
Controlling my DNS is pretty much the same scenario as hacking my phone. Both can happen, both dont have to happen.
Edit:// I checked, taking my Domain from me if data is correct and i pay is close to impossible, costly and takes forever. This is really far from beeing the same as with a phone number
I don't know if that means a mobile network can take your number away, but just like managing the registrar on a domain, you can manage the portability of your number.
But just because you can does not mean people want that. Before it became normal to auth everywhere with phone numbers i happily changed my number yearly.
Most recently, Philippines: http://www.prefix.ph/smart-users/updated-philippine-mobile-p...
Once again it shows you cant just close your eyes and judge from yourself to others.
I don't really care for a telephone either.
Big providers are more and more tailoring to the lowest common denominator (people who can't manage passwords, get malware...) and pushing for mobile authentication.
So if you're someone who can manage passwords and is willing to accept responsibility, you get annoyed at best and locked out of your account at worst.
The "trick" is to never change your laptop/desktop and phone at once so you can always verify the other. At best, if you travel, have a old computer somewhere that someone else can access to verify when needed.
Its not perfect, and i still have bad dreams about loosing access and no googler ever going to help me. But on the other side when someone accesses my account somehow, i know nothing happens and they get locked out.
I move country and change internet regularly, and i am glad this is not a reason to lock my account like with many providers who have less advanced tactics.
A phone number, at least in the UK, means you've been pre-verified in some way - users can't in general generate new phone numbers like they can email addresses.
Thus, less problems with anonymous users (eg trolling, spamming) and less abuse from named users as they can usually be traced using the phone number.
This seemed interesting to me, so I tried signing up for a UK voip number at the sipgate.co.uk site. They do ask for an address, but they accept anything valid, like the address of a university. Had a 056-0003 XXXX phone number in less than a minute.
Most countries are moving towards requiring identification before activating a SIM card, like you say.
For example in Vietnam, this has only become a thing in the past month or so and it is not enforced in practice in many unaffiliated corner stores. Last month, I just walked into a corner store paid a couple of bucks to get a preactivated SIM card with a couple of GB in two minutes.
I finally set up 2FA on my Google account this weekend.
It struck me as incredibly odd that Google requires a phone number to enable 2FA. NIST recently advocated against using SMS for OoB auth. 
If I had been an account hijacker with the password (e.g. obtained via phishing) it would have been ludicrously simple for me to enable 2FA on someone else's account.
I don't understand, I already have an Android phone with Google Play Services installed. Why isn't pressing "Okay" on my phone sufficient? It's certainly not any more insecure than an SMS.
What I view as even worse is on the first attempt the SMS didn't go through, so I asked Google to give me a call. Evidently my provider blocks whatever number they're using to call out of, so my phone never rang. But Google left the verification code anyway, AS A VOICEMAIL!
My inner tin foil hat says Google wants a phone number for other purposes.
Just like Twitter these days. "Telephone number is optional and for your security". 2 minutes later my new accounts are always locked and i need to provide a telephone number to enable it again. They used SMS until recently, now they use a call service which only works with a fraction of numbers. (Tried 2 thai, 1 cambodian number, none accepted)
I seriously dont get what they are trying to do other than creating a database of telephone numbers and locking users in third world countries out.
Also agree with that Google actually knows enough to just verifiy it based on my phone. Telephone number is not necessary, especially i "verified" my account in the past with a phone call, why again?
It seems to be the industry status quo now to assume that everyone uses a smartphone running either Android or IOS, and that everyone wants to use that device for authentication. Meanwhile the tech giants (especially those involved in advertising) probably like having that nice unique alphanumerical identifier for your profile — it tends to be the same for all services you use.
I really hope Fido U2F becomes a de facto alternative for 2FA.
So now I just don't bother with trading cards at all.
But i agree on everything said
Phones are ubiquitous enough that very few customers have to pay this cost.
Obviously, this reasoning doesn't (and shouldn't) extend to using phones for authentication.
Also services like Twitter that allow any rented SMS service and multiple accounts for each number this seems not be the reason why they ask for a number.
"I already have an Android phone with Google Play Services installed."
Guess what - Google already has your phone number before asking for it via the 2FA form. My guess is that the reason they have one platform-independent process for setting up 2FA is for iOS users.
Only if the phone number is the same one I use for my Android phone. But yes, I realize that any SIM I put into my phone will also be known by Google.
It's just an incredibly shit onboarding method. They already have a more secure way than SMS to determine the account owner, so why not offer it as an option?
It never seemed to be a security measure, but an anti-spam measure. You can buy captcha solving as a service for fractions of a cent, and bulk create thousands of accounts for sending spam. Buying working phone numbers is more hassle and more expensive, and will leave a payment trail if you use a service like Twilio.
Expecting a Swiss institution to seamlessly support banking from Thailand is, unfortunately, unrealistic. In the pre-internet age I doubt supported well either.
Seems like the author should have talked to their bank about how extra-territorial access works before moving rather than complaining about issues after the fact.
Phone numbers are a red herring.
Obviously i am a edge case. But while trying to fix my issue i encountered several companies who never even though about this kind of case. This is really all i want to reach here. Make people, especially those who implement such systems, think about a alternative or at least a proper workflow to fix issues like this.
I have access to everything i need now, its not like its unsolved and i am crying for help. It sucks that i cant enable 2FA on several sites, but well, for now i have to live with that.
Sure it makes sense to slow this process down for protection purposes. But my "edge case" will only get more common when remote work will get more common.
>And to make it worse, finding malware on a Android phone is way harder than noticing something is off on a desktop.
Thats if you notice. Plenty of malware is not going to be noticable if its programmed to actually steal something from you.
Phone numbers aren't a perfect way to verify things, but that is why you have both mobile authentication, and/or numbers. Many people still do not use smartphones, and even if they do, you can drop it or have it die in thousands of ways that will make the data unrecoverable. Phone numbers, largely, are not going to change for people.
You've chosen to be a "nomad", "outcast", whatever it is, well, then live by your word.
If i choose to have "less" security by using email (in fact its more, but thats a different topic) it should be my choice. I should not be forced to own a fixed telephone number, especially for services that just dont know any better. I should also not be forced to give away possible access to my accounts just because i tend to change phone numbers.
Edit:// To your edit. With "nomad" i dont mean i live like a outcast. I am currently living as digitalnomad. I have a home address and earn money, i just dont have a fixed telephone number anymore.
Anyway there are mail providers who won't ask you for a mail. Protonmail and GMX come to my mind.
If they require telephone number i would at least expect them to support a wide range of providers and not only some. Like i really cant get over the fact that Twitter locks out the most popular Thai provider.
They however could also send me a letter, or have me auth with Authy/Google Auth to make a single identity system. Maybe even requiring my passport number + name. Its not like phone would be the only solution.
And yeah i see that may is hard for small providers, but it shouldnt be hard for bigger ones. Or like in Twitters case, its not about having a single account anyway, you can have hundreds with the same phone number, but not a single with a thai phone carrier.
Edit:// To clearify i personally have no issue with initial confirmation over SMS, i mean i own a phone number most of the time. I just not own it for longer than a month, so it is not valid for me for further authentication.
You can create throwaway SMS numbers for a few cents with several online providers, some even accept Bitcoin payments and dont ask for a name and Twitter accepts them happily. Its just the third party provider they use that did not implement that specific carrier yet.
Edit:// Also i am curious now why you think i had a thai phone number while living in switzerland? :D There are countries like austria that dont even ask for a passport for prepaid directly next to it, why would i go thai?
At least here it's not legal for a mobile operator to give you a phone number if they don't have your ID (not even a prepaid number) so I supposed it was the same in the whole EU. Therefore I imagined you heard somewhere there's an operator in Thailand that lets you get a number without giving an ID, maybe even for free, so you wanted to get one to auth in Twitter. But such a system would be abused by spammers so Twitter had blocked that operator already.
Yes, quite the elucubration, I know.
Having important services tied to a phone number, which remains relatively tied to a country is problematic in the modern world even for people who aren't especially "outcast".
So very much a partial solution. In particular, it's no good for someone who moves long-term or, say, someone studying in another country. Simply changing phone numbers with a bunch of services is a serious pain in the ass even if they all consider the new number acceptable.
As an American currently living in Germany, I've run in to this kind of problem myself. My mobile banking app, for example wants to send an SMS for verification because it thinks connecting from an non-US IP address is suspicious, but I can't give it a non-US phone number to do that with. Providing a different option for 2FA would be a big help.
Please offer an alternative method. Like, allow Internet access for 2 minutes and do an email verification.
This advice also applies to your wallet too: have a second bank account (at least) and second set of credit cards (with different institutions) in a second wallet. If you lose your primary wallet, you can immediately switch over to your backup.
I'm not trying to suggest you get a redundant SIM on the same account; that's not possible. You get a second prepaid account (with a different number) with either the same or a different carrier.
Sometimes you'll be able to port your number too.
We definitly are on to somethere there, now lets hope some people pick it up and find better solutions.
You went more technical and provides more direct reasons, i learned a few things from your article. So kudos for that!
I'll make a long back to your post as well, seems like a good followup for interested people, and as said a little more detailed about the technical implications
So when did it become the job of the telecom industry? So why would anyone think that a telephone number can robustly represent identity?
Of course there are privacy and ethics concerns with government-issued digital identities. And they can be addressed, after we first agree with whom primary responsibility for identity assurance ought to lie, because then we can remember that all the alternatives are worse.
Also i cant lose the knowing the number. I can easily replicate it on my own site (saving it in multiple places)
Also in some countries keeping your number isn't cheap. And even when it's technically easy, your phone plan might be provided by your employer, in this case it might be very tricky to get your number migrated when you change jobs.
And yes keeping my phone number as it was would cost me $80/month. With a provider i hated like the pest.
At least 2 of them are now reused and given to other people.
I rant about this for a while now, and many people say stuff like "you can just take your phone number with you". Its on par for me with "I have nothing to hide, why would i worry". Its just short sight and projecting personal use on the world.
Postal addresses are Name + Address so get invalidated automatically when i move. Therefore i would argue are also better.
If true (they refused to explain themselves, after all), that's an incredibly backwards approach for a company based on the (possible) future of money to take.
Coinbase however blocks accounts for gambling, but they usually mention the why.
They said this:
Unfortunately a manual review has determined that you are ineligible to use the Coinbase platform to purchase Bitcoin. We’re sorry for any inconvenience that this may cause.
And when asked why, they said this:
Sadly, I don’t have any information before me to answer as to why such a decision was taken, but this decision is final.
The only thing I can think of that I did that might have been suspicious was to access the service from outside the US and switch Authy to a non-US phone number after previously using a US phone number.
Also i dont want anything to be 100% comform to me. No idea where you got this from. I am really just trying to put some light on a issue i see. All i actually expect is having people think about this issue and if possible offer solutions if not offer a workflow to not make this a complete pain.
If you need SMS verification of some service you can buy a Russian or Ukranian number for a few bucks. I do that when I want a throwaway WhatsApp.
Right now it is usual that you can keep your number with other providers, but you still never actually own it.
They wanted $500 from me to "downgrade" my account from the $80 i paid then to about $40 i would have paid after that. I said fuck you.
My current mission is to plant this thought into peoples heads, especially those who implement such systems (why i posted on HN). All i really want right now is a workflow to help people having similar issues, if a company is aware when they build such a system they will also be able to find individual solutions that fit into their market.
Like my bank can offer paper tan, Github can offer private key authentification, and Twitter should not ask for a telephone number at all because they allow multiple accounts per number anyway. Also 2FA should be possible with Email and not only SMS.