
Virtually the entire security industry agrees that using phone numbers for account security is an antipattern because of sim-jacking, and yet swaths of the biggest tech companies in the industry do it anyway.

I recently got locked out of my Amazon account because I made a large purchase after not ordering anything for ~6-7 months. During the reset process, they tried really hard to get me to set a phone number 'for account security'. From what I could tell from their documentation, it's not even just used for 2FA, it's literally just a way to prove my identity if I need to reset my password.

I refused, and then a few days later Amazon called me up to reconfirm the order anyway, even though I had never given them my number. Their entire account recovery process from that point on was based on me having access to information that was already listed on my account, that the hacker would have 100% had access to. It was all just security theater; literally the only thing that mattered was that I had access to my email and a phone number.

Fastmail (to its credit) allows you to have 2FA without a recovery number, but it requires you to add a recovery number, activate a real 2FA app, and then delete the number. At least it doesn't (as far as I know) use the number on its own for account recovery.

Twitter's CEO got hacked because Twitter trusted phone numbers as identity, and they still haven't changed the policy, because collecting phone numbers is fun or something.

In theory, 2FA over SMS is better than nothing. In practice, it trains customers to be insecure and should be avoided. It trains customers to think that identity verification over text is OK. In practice, you can't trust companies not to use it for advertising, or to start using it as identity verification in the future. In practice, there are very, very few legitimate reasons why a company should ever need my phone number, and pretty much none of them have anything to do with security. 99% of your users should be using a 2FA app instead of a phone number.

Companies like Twitter should be shamed for misusing security information this way, but they should also be shamed for using insecure authentication methods. I'm convinced that 5 years from now, we're going to look back at SMS authentication the same way we looked at serving login pages over HTTP.




I think it is important to separate out criticisms of 2FA over SMS, and companies who say they have 2FA. I think even in practice 2FA over SMS is definitely better than nothing: it's a lot harder to both guess someone's password and put in the work to hijack their phone number. But as you said, many big tech companies say they have 2FA, when they really are just giving you two ways of logging in, where one of those ways is incredibly insecure.

It seems crazy to me that recovery numbers are a thing. I mean I'm sure it helps reduce customer service load, since people just recover over sms rather than trying to call and get their account re-activated, but it is so insecure.


I am sympathetic to claims that 2FA over SMS is better than nothing, because technically it is completely true. You're right.

However, as a user, I go back to the idea that I can't think of many companies I trust to only use my phone number as 2FA and not as identity verification. So I am skeptical that it is good to train users to trust SMS 2FA, because those same users will probably not be able to distinguish between 2FA and identity verification when they sign up for other services. It is better to teach users a simple rule (never give out your phone number) than a complex rule (only give out your number for this specific use-case).

The other big thing I just can't get past is that nearly everyone today has a smartphone that will run a 2FA app, and that even users who don't have a smartphone would be better served by getting codes delivered to their email. So sure, it's better than nothing. But there are even better options that exist that aren't that hard for us to switch to.

In practice, even if you know you're only going to use SMS for 2FA, I now lean towards saying you shouldn't use SMS at all. Treat email like the backup SMS option, and just get rid of phone numbers entirely.

Maybe the dynamics of that change for some developing countries? But Twitter, Facebook, and Amazon all know what country I live in. If they want to offer an SMS option for India because of some extenuating circumstance I can't think of, they should still have the good sense to at least discourage SMS verification for accounts that are based in the USA or Europe.


> nearly everyone today has a smartphone that will run a 2FA app

What do they do when their smartphone dies? The phone company makes sure your new phone has the same phone number, but you lose 2FA tokens in apps.

And I have no idea where the recovery codes that I printed on paper are since I last moved.

> even users who don't have a smartphone would be better served by getting codes delivered to their email

But then isn't that just one factor instead of two factors, because both their password for the service and their email password are just "something you know"? I'm assuming if they have no cell phone, they don't have a second factor to secure their email either.


> And I have no idea where the recovery codes that I printed on paper are since I last moved.

It should be right next to the document that explains your loved ones how to get into your password manager, if you ever get hit by a bus.


This is a reasonable concern, and users should be aware of the risks behind real 2FA. But if you really dig into this, it starts to fall apart.

> The phone company makes sure your new phone has the same phone number

This is exactly why 2-factor SMS is insecure. You mention later that email is something you know, instead of something you have. In the same way, if a company can transfer my number to a new phone without access to the original phone, then it's not really something I have.

The ease of number transfers is the problem. The reason why 2FA tokens aren't stored online and secured with a password is because they are designed to be something you have, not something you know.

For comparison, switching your number to Verizon only requires information that you know (account numbers, a SSN)[0], so it's just extra steps around a less secure password that you can't change or set yourself.

> But then isn't that just one factor instead of two factors

Expanding on the above -- yes, email is often going to be just another account secured with another password. In practice, hacking two accounts is often harder than hacking one, and in practice, I suspect breaking into someone's Gmail account is harder than stealing their phone number. Google offers much more comprehensive 2FA options than most other companies, and their automated security alerts also tend to be better.

But there's no reason for us to debate over how secure email is.

The situation we have today with companies like Amazon/Facebook/Twitter is one where I can already request a password reset without SMS. Companies are scared of strict 2FA methods because customers get locked out of their accounts. Very, very few of them are willing to take that risk, so email will virtually always be an option. SMS is being added on top of that system -- it's not replacing it.

Here's Twitter's account recovery help page[1]:

> If you do not receive anything back, get help with Twitter via SMS or use the email password reset option.

So if you consider email to be a weak link in identity verification/2FA, adding SMS verification as a secondary option alongside email still doesn't do anything to increase your security. In fact, even if SMS were as secure as email, forcing you to monitor two authentication methods instead of just one would still be less secure.

I'm not advocating email is perfect, I'm just advocating that SMS is less secure than email, and that since companies are already comfortable trusting email, they can continue to rely on that.

Of course if you really want to set up 2FA to literally be 'something you have', then you need to accept that things you have can be lost. And if you're not willing to make that compromise, at least email accounts are harder to hack than phone numbers, because the most common email providers are probably more resistant than Verizon to social engineering attacks.

[0]: https://www.verizonwireless.com/support/local-number-portabi...

[1]: https://help.twitter.com/en/managing-your-account/forgotten-...


You know, your reply sounds reasonable, but if you really dig in, it starts to fall apart.

> Twitter [...] So if you consider email to be a weak link in identity verification/2FA, adding SMS verification as a secondary option alongside email still doesn't do anything to increase your security.

I agree, and your comment's parent (my comment's grandparent) specifically went out of its way to agree: "as you said, many big tech companies say they have 2FA, when they really are just giving you two ways of logging in, where one of those ways is incredibly insecure."

> switching your number to Verizon only requires information that you know (account numbers, a SSN) [...] hacking two accounts is often harder than hacking one, and in practice, I suspect breaking into someone's Gmail account is harder than stealing their phone number

I think the number of people who go to the trouble of using like, a Yubikey or something for their Gmail but won't use it for anything else is vanishingly small. People opting for password + SMS 2FA (NOT the SMS 1FA that let @jack get hacked) are probably using the same thing for their email.

I'm sure it's true that it's easier to steal someone's phone number than break into their Gmail account, but afterwards you can go into Verizon's physical store with your physical government-issued ID and get your phone number back. That's not an option with a Gmail account.

No one is saying any of these are perfect, and everyone agrees SMS is less secure than email. The question is whether password + SMS 2FA is less secure than email 1FA, or whether password + email 2FA with no account recovery pathway is workable—doubtful, and definitely not.

Let's agree that out of password + SMS 2FA, password + email 2FA, and email + SMS 2FA, the first one is the weakest link, because SIM-jacking is terrifyingly easy and people choose terrible passwords. Just for account recovery, though, email + SMS 2FA still provides security benefits over email 1FA (you can guarantee a second factor, even if it's a weak factor, whereas you actually have no idea how strongly or weakly their email account is protected, you're just assuming) and usability benefits over email + TOTP apps/Yubikeys/paper backup codes.


> Just for account recovery, though, email + SMS 2FA still provides security benefits over email 1FA

Agreed, but I can't think of a single company, anywhere, that offers what you're talking about. Everyone offers SMS and email as separate options, both of which separately unlock your account.

If either Twitter, Facebook, or Amazon required both email and SMS access to recover an account, I'd agree that there could be some value there. But (to the best of my knowledge) they don't. So the debate over whether or not SMS verification is better than nothing is hard for me to indulge, when (again to the best of my knowledge) virtually no company is using SMS account recovery in a way that provides real value over 1FA email.

Maybe Lyft is an example? But the last time I used Lyft, I'm pretty sure I could get access to my account with only my phone, no password/email required. I'm not 100% sure Lyft even requires an email to sign up.

> That's not an option with a Gmail account.

I've never been in this scenario, so I'll have to take your word for it, but this seems strange to me. Could I really not fax or mail a government ID to Google to get access to my account?

Assuming this is right though, we again run into the same problem.

I lose access to my password and email. Is a company comfortable letting me reauthenticate with only an SMS message?

If yes, then we have 1-factor authentication over pure SMS.

If no, then we have to be comfortable with the idea that losing your email/password might mean losing your account, or going through a complicated recovery process involving government IDs.


> I can't think of a single company, anywhere, that offers what you're talking about

I think you're right. I thought Vanguard or my bank did, but no, it's email or SMS plus personal info like SSN, birthdate, zipcode (LOL, information that no one has on me, thanks Equifax!).

> Could I really not fax or mail a government ID to Google to get access to my account?

To what address? Just plop it down at 1600 Amphitheatre Pkwy? I've never heard of Google offering any account support whatsoever for a free private Gmail account, have you?

I do personally know people who have just given up on accounts they lost access to (they claim they didn't forget the password) and just created a new Gmail account. Not the most technically literate person, but still, that's who support is supposed to be for. But it's a free service, so.

> then we have to be comfortable with ... going through a complicated recovery process involving government IDs

What? The whole point I've been trying to get across is that unlike TOTP or email, you can get your phone number back through a "complicated recovery process involving government IDs", which is an advantage. That's not a tradeoff to be comfortable with, that's an upside.

> I lose access to my password and email.

Why would we design for this? Unless there's a particular reason to think password and email are likely to be lost simultaneously (which I can't think of, unlike say, smartphone TOTP app + phone number), then we should either design for losing any combination of 2 auth methods, or not worry about combos.

By contrast, to me it could make sense to design a system so that you can lose any 1 of 3 things but still be able to log in with the remaining 2 (e.g. password, email, phone number). But you're right that most services are effectively just email 1FA, and many are SMS 1FA too, which we all agree is utterly broken.


> For comparison, switching your number to Verizon only requires information that you know (account numbers, a SSN)[0], so it's just extra steps around a less secure password that you can't change or set yourself.

Don't know in the USA but here in Europe you have to confirm/prove that you own the number being moved from one operator to another.


Yeah, this is basically the same thing that happened with social security numbers. Companies promised only to use it to verify they had the correct credit file, but +/- 90 years later it's a de facto ID that no longer has any security value.

Edit: I suppose phone numbers can at least be changed, but that doesn't really solve the problem for 2fa as it might for SS numbers.


> It is better to teach users a simple rule (never give out your phone number)

What is this supposed to mean? What is the point of having a phone number if you never give it out?

I suppose you can make outbound calls only with own number sending turned off, but that sort of diminishes the purpose of owning a phone number?


Never give out your phone number [for security purposes].

In other words, if a company tells you they need your number for account security, refuse to give it to them. Of course you can give out a phone number for general contact purposes.

I think it's easier to teach people phone numbers can't be used for security, period, than to teach them that phone numbers can be used for security in one very specific case -- especially since companies like Facebook/Twitter rarely use terms like 2FA when asking users for their number. They just say stuff like, "you'll use this to gain access to your account" or, "we'll use this to help keep your account secure."

It wasn't my intention to make it sound like users should never tell anyone their number for any reason, but I can definitely see how it might read that way.


Against Live Phishing, both SMS 2FA and TOTP are ineffective. If anything the SMS 2FA might actually falsely reassure naive users that they're not being phished.

Alice is tricked into visiting fakebank.example, a site which looks exactly like Alice's real bank. She enters her username and password, the site says it will send her an SMS, and behind the scenes Alice's details are plugged into realbank.example automatically, triggering an SMS to Alice from her real bank.

Alice types the SMS code into fakebank.example, it stalls a little bit, very common for banks, meanwhile it plugs the SMS code into the realbank.example site and successfully logs in as Alice. Cool. The fakebank.example site finally gives an error. "Code 418. We're sorry, this service is temporarily wormhole phasers galactic transwarp. Please try again later". Alice is annoyed but decides to try again in an hour. By then her account will be empty.

WebAuthn / U2F work fine here, because they don't give Alice the opportunity to mistake this for her real bank, the FIDO token will cheerfully mint credentials for fakebank.example which are no use to log in as Alice on realbank.example. There's no "I'm sure" step, no "Actually this is my real bank", no opportunity for human error to betray her. The bad guys still annoy Alice with their bogus site, but they don't get working login credentials.
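The difference described in the comment above, as an added example that is not part of the original thread: a toy model in which a phishing proxy relays a one-time code successfully, but the same relay fails against a WebAuthn/U2F credential because the signed authenticator data names the site the browser was actually on. The domains fakebank.example and realbank.example are taken from the comment; everything else (class and function names, the flow, and HMAC standing in for the token's public-key signature) is constructed for illustration.

```python
"""Toy model of WebAuthn origin binding versus a relayed one-time code.

Assumptions (constructed, not from the thread or any library):
- HMAC over a per-site random key stands in for the token's asymmetric signature.
- The browser always uses the page's own domain as the relying-party ID; real
  WebAuthn also allows a registrable parent domain, which changes nothing here.
"""
import hashlib
import hmac
import secrets


def rp_id_hash(rp_id: str) -> bytes:
    """WebAuthn authenticator data begins with SHA-256 of the relying-party ID."""
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """A FIDO token: one key per relying-party ID, never reused across sites."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def make_credential(self, rp_id: str) -> bytes:
        # A real token returns a public key; the toy returns the HMAC key (simplification).
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key

    def get_assertion(self, rp_id: str, challenge: bytes) -> tuple[bytes, bytes]:
        # The token cheerfully mints a credential for any site it has not seen before;
        # that credential is simply useless anywhere else. No "are you sure?" step.
        key = self._keys.get(rp_id) or self.make_credential(rp_id)
        auth_data = rp_id_hash(rp_id) + challenge
        return auth_data, hmac.new(key, auth_data, hashlib.sha256).digest()


def browser_get_assertion(token: Authenticator, page_origin: str, challenge: bytes):
    """The browser, not the page and not the user, supplies the relying-party ID."""
    return token.get_assertion(page_origin, challenge)


class RelyingParty:
    """The real bank's server side: issues challenges and verifies assertions."""

    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self.credentials: dict[str, bytes] = {}
        self.pending: set[bytes] = set()

    def register(self, user: str, key: bytes) -> None:
        self.credentials[user] = key

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, user: str, auth_data: bytes, signature: bytes) -> bool:
        key = self.credentials.get(user)
        if key is None or len(auth_data) != 64:
            return False
        if not hmac.compare_digest(auth_data[:32], rp_id_hash(self.rp_id)):
            return False  # signed for some other site: this is what defeats the relay
        challenge = auth_data[32:]
        if challenge not in self.pending:
            return False  # unknown or already-used challenge
        expected = hmac.new(key, auth_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.pending.discard(challenge)
        return True


def genuine_login() -> bool:
    """Alice's browser is really on realbank.example."""
    token, bank = Authenticator(), RelyingParty("realbank.example")
    bank.register("alice", token.make_credential("realbank.example"))
    challenge = bank.new_challenge()
    auth_data, sig = browser_get_assertion(token, "realbank.example", challenge)
    return bank.verify("alice", auth_data, sig)


def relayed_login() -> bool:
    """Alice's browser is on fakebank.example; the proxy forwards the real bank's
    challenge to her page and her answer back to the real bank."""
    token, bank = Authenticator(), RelyingParty("realbank.example")
    bank.register("alice", token.make_credential("realbank.example"))
    challenge = bank.new_challenge()  # fetched from the real bank by the proxy
    auth_data, sig = browser_get_assertion(token, "fakebank.example", challenge)
    return bank.verify("alice", auth_data, sig)  # rpIdHash mismatch: rejected


def relayed_otp_login() -> bool:
    """The same relay against a six-digit SMS code: nothing in the code names a site."""
    code = "%06d" % secrets.randbelow(10**6)  # what the real bank texts Alice
    typed_on_fake_site = code                 # what Alice types into fakebank.example
    return hmac.compare_digest(typed_on_fake_site, code)  # the real bank accepts it


if __name__ == "__main__":
    print("genuine WebAuthn login:", genuine_login())
    print("relayed WebAuthn login:", relayed_login())
    print("relayed SMS-code login:", relayed_otp_login())
```

The point the verify routine makes is that the relying party never asks the user anything: the origin check on the first 32 bytes of the authenticator data is purely mechanical, which is why there is no human-error step for the bogus site to exploit.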


I have a story of how 2FA over sms is worse than nothing (written as a throwaway, because I don't want a target on my back).

I had an account with Bank of America and a prepaid AT&T plan. I was about to move abroad so I went to my local bank office and asked if there was anything I needed to do to prepare for this. "Nothing in particular" I was told.

After moving abroad I opened another bank account in that country and tried to transfer my money over to said account. However, in order to transfer the money out I had to enroll (I wasn't already) in SMS 2FA. As AT&T prepaid does not have roaming I wasn't able to enroll using it. And only American numbers were accepted. I got on the phone (a different one) with AT&T to see if roaming could be enabled. "-Nah, there is no roaming for prepaid, only for postpaid. -Can you sign me up for that? -No, only in a store"

Now I weighed my options. I could fly back to the US to resolve it, if I could get another visa. I could fly to Mexico or Canada where there is roaming. In the end I went with the advice the bank's support gave me: I enrolled a friend's number. This does not feel secure at all, but what you gonna do?

Moral of the story: If you move abroad, better make sure your sim supports roaming, because you're gonna get locked out of stuff otherwise.


I disagree. SMS 2FA is much worse than nothing, unless a service has no password reset option via SMS alone. I believe many services do allow this, including Gmail. Barring password re-use (which admittedly is common), it's way, way easier and faster to spend 15 minutes discovering someone's phone number and calling their provider to request a SIM swap than trying to brute-force their password via the service's login page/API.

If it's truly always 2FA, including two-factor password reset (need SMS verification code in addition to email verification code), then it's probably better than nothing. But otherwise, it's actually a major exposure you're opening up for yourself, especially if you otherwise have good password practices (no re-use, and ideally pseudo-randomly generated from a password manager).


I recently had a third-party seller from an Amazon purchase send me a marketing postcard. Item was "fulfilled by Amazon", so transmitting my address to the seller was not needed to fulfill my order.

The postcard contained a call-to-action to visit a URL. Fortunately, I was suspicious and went there in an incognito window, because it redirected to use a signed-in facebook session to send themselves a message, presumably to harvest more data about me.

I wrote a review on the product condemning this practice and Amazon removed the review as "not about the product". Quite frustrating - seems Amazon just doesn't care about customer privacy.


> I wrote a review on the product condemning this practice and Amazon removed the review as "not about the product". Quite frustrating - seems Amazon just doesn't care about customer privacy.

The way Amazon reviews work is that it combines reviews of the same product (even different variations of the same product), so mentioning anything about an individual seller in "ask a question" or "write a review" is meaningless as it applies to the whole site. It makes sense why they would take this action.


Do you know if there is a way to "report a seller" or something like that? I was unable to find any option for this in their support system.


I was going to say yes, and also show you how to review a seller, but I'm shocked to report that apparently Amazon removed any way to directly review or comment on a seller as of their latest site design. So I suppose there isn't outside of emailing or contacting Amazon support directly.

That's a real shame, because if anything I suspect sellers on Amazon have become less trustworthy in general, not more.


Ah, I poked around. They still have a way to review sellers if you click on the seller from the Orders page, but clicking the seller's name no longer allows you to rate the seller.


If you or the seller are in the EU, you could report this to the data regulator.

(One for Amazon sharing the address, one for the seller sending the unsolicited card, once more for the Facebook message without data collection consent.)


I assume the Facebook message is through a Facebook bot running embedded on the website. It won't automatically collect your data until you interact with it and that falls under the Facebook privacy policy since the individual site doesn't have access to anything more than your Facebook name and public profile picture.


You can review the seller as well as the product.


For the 98% of people who aren't high-value targets (CEOs, journalists, etc), a phone number is a perfectly adequate second factor.


Especially in the absence of a universally available, universally usable alternative. The user experience of TOTP authenticator apps, paper recovery codes, and (so far) U2F tokens just isn't there yet, and the negative impact to individuals from being inadvertently locked out by the loss of their second factor is massive.

SMS for recovery is deeply flawed, but it's 1) better than nothing and 2) better than any current alternative for the vast majority of people.


But... the experience of SMS as a second factor is also miserable. You don't have access to it when you're abroad, you can lose access to a phone number just the same as any other 2nd factor. In fact it seems more likely because there are other unrelated reasons that the phone company might take the phone number from you, in addition to the possibility of physical loss. In addition if you need to change phone numbers it is not easy to remember all the services that have that number stored as a factor to change them all.


But you can also gain back a phone number, by bringing your new phone to the phone company's physical location and presenting ID. That's not really an option with TOTP tokens.

I mostly agree with the other points (although I don't think I'm the only one with Wi-Fi calling and SMS, even abroad).


> But you can also gain back a phone number

...at which point the attacker has already taken over all your important online accounts and changed them to a different phone number.


Not without your password. The comment I was replying to specifically referred to the phone number as a 2nd factor. This excludes services like Twitter where a phone number can be the sole factor used to reset your password (which is awful security, obviously).

Also, you're specifically talking about SIM-jacking. The vast majority of people have upgraded phones, or broken or lost and then replaced a phone, far more times than they have been SIM-jacked. What do they do about their TOTP tokens in those scenarios?


That depends on the way the phone company operates surely? You can’t do it if you are abroad, or if it’s a prepay SIM and the phone company doesn’t know your identity. Some telcos will give your number to somebody else if you don’t connect with the network for too long.


Sure, you're totally right that in some cases, physically losing a phone also means loss of that phone number. But in 100% of cases, physically losing a phone means loss of those TOTP tokens.

For the vast majority of people, that's a dealbreaker, in spite of SMS being deeply flawed, as the comment you originally replied to said.


And, unless you're willing to say "tough noogies" if someone loses access to their token/app/codes you're back to the original problem of reliably verifying identity and ownership, especially in a virtual setting where telling someone to show up at a physical location with all their paperwork is not really viable.


I think the 1Password experience for 2FA is pretty good, even on mobile. Literally just have to paste the code.


It’s a shame people don’t know how to print out paper tokens and keep them safe.


To a good first approximation, nobody has a printer.


I assume everyone does have a pen. You don’t even need to write down all the provided recovery codes; just one will do.


How would I, a human being with no knowledge of cryptography or application security, know that?


I have two objections to this.

First, I disagree that only high-value targets are at risk. I think, in general, targets are at risk for SIM-jacking. You can be a target because you're Jack Dorsey, but you can also be a target because you suddenly get swept up in a Twitter controversy, or because you run a corporate social media account, or because an ex-partner decides they want revenge over something.

A lot of our security protects against untargeted attacks because they're more common, but targeted attacks can't be completely ignored.

The second problem I have is that high-value targets use Facebook, Twitter, and Amazon, and they should be able to use these sites without worrying that their accounts are by-default insecure. We're not talking about a local library account, these are the biggest tech companies in the world. The president of the United States uses Twitter.

I think that taking a strong stance on security is important in that scenario.

I'm assuming (hoping) that Trump's account is secured with a phone-number that isn't public and that can't be SIM-swapped. But who knows, Dorsey's wasn't.


You can be targeted just for ending up in a database leak.


... until you become a medium-value target for someone (maybe in a business-related dispute), and now your email is easily hackable


I actually blame AT&T and Verizon for this. They make it FAR too easy to transfer a number to a new phone. 2FA aside, losing control of your phone number can cause all sorts of damage.

If it was harder to transfer a number to a new phone it wouldn't be that bad to use that method of 2FA for non-critical services.


Then blame the government, because telcos didn't use to allow number transferring. Then consumers complained and the government made it mandatory.

/Citation needed/


They didn't allow number transfers between carriers, but they did always allow number transfers within carriers AFAIK. Perhaps there was a time when numbers were hard tied to SIMs and I'm too young to remember?


Is it really the telcos' fault, though? It seems that telcos suddenly found themselves pushed into the business of identity management and proofing without having any intention of doing that.

Telcos never made any claims about tying your identity to your phone number - they just move information around. Blaming telcos is like blaming a hammer for not being big enough when you're trying to drive a screw with it.


It's definitely not like that at all.

It's not even really identity management. It's just way too easy to transfer a phone number. A simple protocol like sending a text or email to the information on file and then waiting 24 hours to complete the transfer would be enough to stop 99% of number transfers.

Instead they process these transfers instantly, often using very little information to verify that the request was legitimate. You can often sweet-talk the customer service reps with a simple "I forgot what information I used to sign up." They process that request and then it ruins your life and haunts you for the next 5 years.
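The notify-then-hold protocol proposed in the comment above, as an added example that is not part of the original thread or any carrier's system: a port-out request notifies the contacts already on file, cannot complete until a 24-hour hold has elapsed, and can be cancelled by the owner at any point before then. The class and function names, the injected `send` callback and the sample account are all constructed; the 24-hour window is the figure from the comment.

```python
"""Toy model of a port-out request with owner notification and a 24-hour hold.

Assumptions (constructed for this example): `send(channel, destination, text)`
is whatever delivery mechanism the carrier already has; the clock is passed in
explicitly so the hold can be exercised without waiting a day.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HOLD_PERIOD = timedelta(hours=24)  # the waiting period suggested in the comment


@dataclass
class Account:
    number: str
    contact_email: str
    contact_sms: str  # the number on file, reached before it moves anywhere


@dataclass
class PortRequest:
    account: Account
    requested_at: datetime
    notified: list = field(default_factory=list)
    cancelled: bool = False
    completed: bool = False


class PortOutService:
    def __init__(self, send) -> None:
        self.send = send  # injected: send(channel, destination, text)

    def request_port(self, account: Account, now: datetime) -> PortRequest:
        """Open a request and immediately tell the current owner about it."""
        req = PortRequest(account, now)
        text = (f"A transfer of {account.number} was requested at {now.isoformat()}. "
                f"It completes after {HOLD_PERIOD} unless you cancel it.")
        for channel, destination in (("email", account.contact_email),
                                     ("sms", account.contact_sms)):
            self.send(channel, destination, text)
            req.notified.append((channel, destination))
        return req

    def cancel(self, req: PortRequest) -> bool:
        """Owner-initiated cancellation; only meaningful while the hold is running."""
        if req.completed:
            return False
        req.cancelled = True
        return True

    def try_complete(self, req: PortRequest, now: datetime) -> bool:
        """Carrier side: refuse until the hold has elapsed and the owner has not objected."""
        if req.cancelled or req.completed:
            return False
        if now - req.requested_at < HOLD_PERIOD:
            return False  # too early: the instant transfer is exactly what this prevents
        req.completed = True
        return True


def demo() -> dict:
    """Walk one cancelled request and one that runs its course; returns the outcomes."""
    sent = []
    svc = PortOutService(lambda ch, dest, text: sent.append((ch, dest)))
    acct = Account("+1-555-0100", "owner@example.test", "+1-555-0100")  # constructed sample
    t0 = datetime(2019, 9, 1, 12, 0, tzinfo=timezone.utc)

    contested = svc.request_port(acct, t0)
    early = svc.try_complete(contested, t0 + timedelta(hours=1))
    cancelled = svc.cancel(contested)
    after_cancel = svc.try_complete(contested, t0 + HOLD_PERIOD + timedelta(hours=1))

    uncontested = svc.request_port(acct, t0)
    completed = svc.try_complete(uncontested, t0 + HOLD_PERIOD)

    return {"notifications": len(sent), "early": early, "cancelled": cancelled,
            "after_cancel": after_cancel, "completed": completed}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that the notification goes to the contacts already on file before anything changes, so the person who loses out from an illegitimate request is the one who gets the chance to stop it.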


If you hold down Alt/Option on the Fastmail security page you can enable 2FA without a phone number. Their helpful support person cautioned me to not lose my 2FA device or recovery codes :)


> Virtually the entire security industry agrees that using phone numbers for account security is an antipattern because of sim-jacking, and yet swaths of the biggest tech companies in the industry do it anyway.

From the security side, this is incredibly frustrating. Very often there's someone in product management who insists that users love SMS-factor. That it's great because users don't have to use a special app or transfer it when they change phones. They will be backed up by an engineer who swears that SMS is great because using a TOTP app is an unacceptable corporate imposition on their personal device.

Meanwhile, someone in finance quietly sobs as they pay the Authy or Twilio bill, but nobody seems to care about the opex budget.


How does FIDO fit in here?


It's a good idea. Inconveniently, it's also one that most consumers are unfamiliar with and not really prepared to implement.

This is not made easier by the hardware complexities. What if the user has a slightly dated PC (USB A), an iPhone pre-USB C, and a modern Mac?


It's not for 2fa that phone numbers are required. It's to deter spam accounts.

Though, if sim-swapping is too costly to do en-masse, then I guess it might be an effective 2fa method for an average user. But not for ones likely to be targeted.


> It was all just security theater, literally the only thing that mattered was I had access to my email and a phone number.

Don't they need a phone call to identify that it's really you by matching your voice print against Alexa recordings? ;-)


Alexa, who am i?


Apple always asks for a phone number. Google, I don't think you can sign up without a phone number. Yes, it drives me crazy. I travel often and stay abroad often. I use different SIMs so my phone number changes, so even if they wanted to contact me via the phone number to send an SMS or whatever they often can't. I can sign up for an internet-run number but the entire point is I don't want to have to deal with a phone number in 2019. People don't call me anymore. If they want to talk they use one of the 150 messaging services that are free.


What practical ways are there for a company like Twitter to verify your identity for purposes of account restore verification without using some increasingly unreliable piece of info like phone or social security numbers?

The available alternative today is a token 2FA, which has to be set up and requires some savvy, and a number of one-off security codes which are issued at account creation and then the user must figure out how to store securely, indefinitely. Forcing this on the avg Twitter user is obviously a nonstarter.


It's certainly a conundrum. Depending upon the type of account involved, there has to be some reasonable medium between

1. Accounts/resets performed because you asked nicely and maybe provided some laughably easy-to-obtain information and

2. Showing up at the Twitter office in San Francisco with notarized copies of your birth certificate, latest utility bill, Social Security Card, etc.

And that happy medium will doubtless be both vulnerable to a determined targeted attack and a sufficient PITA for some users that they'll end up losing access to an account.


The phone number is not used for individual account security, it is there to increase the cost of creating accounts in most cases. For services like gmail, this is an important step in cutting down on spam.

In Amazon's case, the real security is the credit card info. If you tried to add a new address you would need to confirm the credit card info, even if you sim swapped the account owner.


> The phone number is not used for individual account security, it is there to increase the cost of creating accounts in most cases.

Then why can I reset my password with it?

The spam issue is separate. Twitter can ask a user to give them some kind of proof that they're not creating duplicate accounts. There's nothing in that process that requires them to then take that info and make the account less secure. Once they've verified the user is human, they could just throw the number away -- instead, they use it for account recovery.

Even with Amazon:

> In Amazon's case, the real security is the credit card info.

I was able to recover my account with just an email address and a phone call. I'm pretty sure you're right that an attacker couldn't enter a new address. I'm not sure whether re-entering credit card info is required to use Amazon locker. I'm also pretty sure it's not required for digital purchases like music and movie rentals, although I guess it wouldn't be as big a deal for Amazon to refund those later.

But this goes back to the same question: if the real security is the credit card information, then why is the SMS recovery option there? It's not secure, we have to rely on other mechanisms on top of it to keep people from doing really harmful stuff. Amazon still won't let you set up a 2FA method without a phone number.

SMS 2FA has nothing to do with spam, it's just bad security. You can do spam prevention without incorporating the number into 2FA or account recovery.


Have you ever heard about Blur? It lets you mask your true identity by offering masked email addresses, credit cards and phone numbers.

The company behind Blur is called Abine. Their core service which is providing masked cards and phone numbers requires American citizenry and a fee. But IMO, it's well worth it.


> biggest tech companies in the industry do it anyway.

Because it provides identity.


No it doesn't, it just provides proof that you currently have access to that phone number. Phone numbers are not identity.


Most people aren't walking around with one time phone numbers, they have a phone number that's shared by family, friends and co-workers that will consistently resolve to the same individual whenever someone wants to connect.

Being a unique number that is tied to a single individual, it can function as a proxy for identity. This, obviously, assumes you are operating like the average user.


There are plenty of attacks where some random person can get hold of any phone number for a few seconds. It is not a proxy for identity, as it's available on demand for the exact people trying to impersonate you.


Regular people don't "have" or control any phone number, telcos do.


So, then, the only option is multi-factor biometrics. Everything else is just "not identity", right?

And even then, biometrics can't usually differentiate between twins.

For twins, there is arguably no way for software to demonstrate identity, ever.

Social security? Proves you're holding a card.

Biometrics? Proves you're one of multiple with these exact genetics.

Etc. I literally cannot think of a way to definitively and authoritatively tell twins apart in software.


I have a public/private key-pair from my local government. Comes with my passport and is guaranteed by the gov to represent a single person only.

Although, I wouldn't want to give the public key to google/amazon/facebook/twitter :)


In the twin example, what is to prevent your twin from taking your documentation and receiving a public/private key in your name?

Or simply access that key of yours and use it?

The public/private key only proves you hold the keys, not that you are you.

Not identity, just proves you have access to the keys.


What happens when you have a "proper" second factor and lose it?


The consequences of getting locked out of my bank account because I've lost my 2FA method are pretty bad -- that would be a major inconvenience.

They are better than the consequences of getting locked out of my bank account because someone stole my phone number -- especially since the first thing someone who SIM-swaps will do is change the recovery number to point to a separate phone they own. I'll have to go through the exact same recovery steps, just with the added pressure of having money siphoned from my account.

Most 2FA app setups come with one-time backup codes that you can write down on paper and stick inside a safe or your wallet. If you don't think customers will do that, and you're still worried about account recovery, using email instead of SMS is preferred. For all the crap I regularly give Google, their security team is top-notch, and I generally trust most people's Gmail accounts to be more secure than their phone numbers.

The only scenario I can think of where a service couldn't rely on email for account recovery is if you yourself are an email service like Fastmail.


A big difference is your bank (likely) has a physical branch where you could show up with your ID card, debit card, etc. The inconvenience can be addressed directly if there's an emergency.

For online only businesses there’s no escape hatch.


In my specific case, I use an online-only bank. But I'm being petty with that objection; my bank still has enough information about me that I could verify my identity via a combination of a scanned ID card, proof of residence, etc. In general, point taken, that's a good distinction for most people.

However, substitute 'bank' out for any online-only service and the problem persists, because any reasonably smart attacker who SIM-swaps my account will still immediately change the phone number to point to themselves. If my Amazon account gets hacked, and the attacker goes into account recovery and changes the phone number, Amazon still needs a non-SMS based escape hatch for me to get the account back. The problem hasn't gone away.

So why not just use the non-SMS escape hatch all the time?

In Amazon's case, if they don't have your phone number they'll do account recovery over email. That's almost strictly safer, and just about as convenient as SMS.
