I wish we could kill phone numbers once and for all. It's insecure, device-dependent, carrier-dependent, country-dependent, subject to snooping and censorship, and all of these are recipes for disaster as an authentication scheme, especially in the event that a device gets stolen. Phone calls and text messages should emphatically NEVER be used to verify anything.
Conversation with one of my banks the other day:
Them: Can we please verify a code sent to your phone number?
Me: Umm, sure, although that won't verify anything. Use something else to verify that it's me.
Them: Can you please verify your phone number?
Me: Umm, I don't know what phone number I used with you? Try XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, and XXX-XXX-XXXX? They all belong to me depending on where I am.
Them: Can we use XXX-XXX-XXXX? Do you have this phone with you right now so we can we send a text message with a verification code?
Me: Send your insecure SMS to any of my numbers. They all go to my e-mail inbox. [I don't need to have my "phone" with me -- my "phones" are virtual.]
This isn't a literal transcript of the conversation, more like what was going on in my head vs. what they said ;) Of course I was nice to them in explaining that I have a ton of virtual phone numbers and really don't know which one I used, etc.
While conversation is probably not a good example of anything, I agree with the main statement: phone numbers must die. They are insecure, unremarkable remnants of an outdated system.
Well in many countries you are required to show and submit ID to the provider that ties you to a particular sim/number. While I see this more as a control mechanic than a security measure, it does give some reason as to why organisations tie identity to a phone number.
I must assume that the USA does not do this?
Conversation with one of my banks the other day:
Them: Can we please verify a code sent to your phone number?
Me: Umm, sure, although that won't verify anything. Use something else to verify that it's me.
Them: Can you please verify your phone number?
Me: Umm, I don't know what phone number I used with you? Try XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, and XXX-XXX-XXXX? They all belong to me depending on where I am.
Them: Can we use XXX-XXX-XXXX? Do you have this phone with you right now so we can we send a text message with a verification code?
Me: Send your insecure SMS to any of my numbers. They all go to my e-mail inbox. [I don't need to have my "phone" with me -- my "phones" are virtual.]