Phone Numbers Must Die (2019) (devever.net)
44 points by adamrezich 15 days ago | 68 comments

This reads like someone who turns off Javascript in their browser and then complains when every website doesn't bend to their niche use case.

There are other oddities: The author complains about the security of SMS verification, but then goes on to complain that even more incredibly insecure workarounds don't work. And then the author attempts to be in some sort of position of authority about the reliability and other aspects of the network and carriers, while fully admitting that they don't even have a phone number or smart phone.

There are certainly valid complaints around SMS verification, networks, and carriers, but this article seems out of touch.

For all their faults, phone numbers do provide some limited level of identity.

If you provide me with a phone number +12121234567, and I send you a unique code via SMS / voice call, and you provide the code back, and I haven't had anyone else register with that phone number, I can conclude with some limited degree of confidence that:

1) You are a human.

2) You are in the United States at present, or usually are.

3) You have money and an address and are capable of buying things (after all, you have apparently succeeded in buying a phone and maintaining an account).

4) There's some prospect you could become a customer, or a vendor, and we could do business.

If you give me an email address john@example.org, I have none of those assurances, and it's entirely likely that you are not a human, or are a human overseas who is in the business of scamming people.

Sure, someone can get access to phone numbers anonymously, from overseas, or to scam people, but it's enough of a minor hassle (for all the reasons listed in the post) that they tend not to.

It's like if someone walks into your shop/restaurant in a disheveled state, unshaven, and with body odor, versus in a suit and tie and recently shaven and aftershave. The latter is rather more likely to be someone you'll want to do business with, even though there's always the faint possibility that the former is actually a billionaire playing an elaborate trick on you.

It's easy to imagine an improvement on phone numbers for providing this limited level of identity verification, but email addresses aren't it.

True, they do provide a level of identity, albeit imperfect. But it's good enough that I don't give my phone number to companies outside of very limited circumstances (to keep my number from being sold or used for marketing purposes).

> If you give me an email address john@example.org, I have none of those assurances, and it's entirely likely that you are not a human, or are a human overseas who is in the business of scamming people.

Wow, "entirely likely" — what do you base that estimation on?

Your analogy to a walk-in is completely on point too: surely only people in "disheveled state, unshaven, and with body odor" would sport an email address and think that's a good representation of their identity on the internet.

I've conducted business with a bunch of US companies, sometimes shipping to mail forwarding companies based in the US to forward stuff home (e.g. that's how I got my last few $2-3k laptops). Businesses that build in some silly protections like the phone number do not get my business.

For us who've been using the internet long enough, phone number is a weird requirement: Google and eBay keep asking me to confirm my number upon login for 15 year old accounts (with eBay there's even no recourse on the page, but you do get logged in, so you can just reload the page you wanted and the screen is gone).

For the same reasons you listed you won't receive my phone number unless I'm buying a physical product from you and the phone number is required by the shipping company. Whenever I see an online form that requires a phone number, I just close the tab, simply because I hate people who interrupt my life with what they consider important and I don't - and the sale could have been closed without all this hassle.

You do realize that children/minors have phones which have numbers, right? Your conclusion (3) is not valid.

Even children typically have some money. Not a lot, yes, but some. However, not all people who have phone numbers have addresses, as even homeless people will utilize cheap prepaid numbers or take advantage of programs designed to provide cheap cellphones to the needy.

Phone numbers suck, but they are the closest thing we've got to a universal address type that can reach any person.

More people have telephones where they can be reached than email addresses.

More people have telephones where they can be reached than mailing addresses.

Yes, delivering SMS globally is a shit-show, voice calls are better but also filled with terribleness, but so is everything else.

> More people have telephones where they can be reached than mailing addresses.

Wow, I’ve never really thought about this. Any idea where I’d go to get (I assume very rough) numbers on people with addresses vs. phone numbers?

Not sure if you can find stats, but many countries simply don't have a mail service infrastructure, but darn near everywhere has phones. Even North Korea has phones, although there are administrative barriers that prevent calling between most domestic NK numbers (+850) and the rest of the world.

Rural postal service gets pretty iffy in the US, and in countries with less resources, you might only get mail service in big cities.

I would imagine NK postal service works well.

I would imagine that postal services work decently well even in the poorest of countries and only war-torn areas are less accessible by post.

I am not talking of next-business-day services, of course, though they are picking up everywhere too.

That's probably true, but everybody partaking in "the internet" has an email address too.

Author focuses on the fact that internet-only businesses are starting to ask for a non-internet identifier.

You might think that, but not really.

For people who are getting onto the internet with their new smartphones in 2021, they may not have an email.

Yes, it's hard to use google play without a google account, but they may skip that, or have a young person fill that out.

If you made it this far without email, you're unlikely to start now.

I think in most such cases an email account has been created -- but it's never used.

> When Google demands an E.164 number, they're not demanding it despite the fact that E.164 is a somewhat closed, opaque network, but because of it. Basically everything bad about the E.164 namespace and its constituent organizations is precisely what makes it attractive to organizations for use cases like these.

That is kind of the point isn't it. Despite all its shortcomings it's a useful identifier because of its scarcity.

Btw, the domain name system and x.509 would not work either without scarcity and trust delegation.

In fact if I remember correctly some newly re-imagined digital 'networks' like Urbit also opted for scarce identifiers, because they work out better economically.

I'm not sure I follow. Domain names are not meaningfully "scarce", unless you mean in the sense that you pay for them. But even then domain names are not "scarce" because one domain can support an effectively unlimited number of subdomains, and free providers of subdomains exist.

I was just trying to make a point that scarcity and usefulness are related. In the case of domains the scarcity comes from name recognition and the cost of registering not just in terms of money, but also in terms of process.

Perhaps the point is not what the technology allows, but the status quo around what constitutes an 'acceptable' form of identification. Whatever the solution (for personal identification) it needs to be somewhat scarce, but also ubiquitous. But different applications need different level of scarcity. Phone numbers just seem to be the right balance for social media.

Good, semantic, short, memorable domain names are scarce. You pay through the nose for them. Arbitrary subdomains on free subdomain providers are not the same as having "FirstnameLastname.com"

But this has nothing to do with anything I complained about. I don't recall complaining about the scarcity of "designer" phone numbers (for example), just that it is a closed system relative to email. The complaint, amongst the others made, is that I can't own my own identifier, not that that identifier might be unfashionable.

Many countries have number portability meaning you can take your number with you to your new provider, it would be ownership in the same way as a domain address.

I'm aware of portability. This doesn't create ownership, it simply seeks to alleviate the most common pain point around the fact that numbers aren't owned. It's not the same thing as ownership such as regards a domain name. Telcos can allocate numbers as they please, much as ISPs or web hosts can allocate IP addresses as they please to your services but this doesn't make you the owner of them. Fortunately, nobody uses IP addresses in their email addresses (though it is allowed).

They can allocate it but that's got nothing to do with ownership that's customisation. In practice you basically have ownership in that you are able to move it around with you to whichever provider you want.

My problem with a post like this is it’s actually very easy to agree with the points made because no system is perfect. On the other hand I don’t think the author has ever proposed a better solution which means it kind of just makes you feel bad. Maybe that’s the first step of progress?

I have a phone number. I never pick up the phone, it doesn't even ring, but I will happily provide it if I have to. I can get SMS verification messages. I don't think I understand why one would feel so strongly about it.

What's the advantage of not having a number, over having a number that doesn't make your phone ring?

I am basically forced by my bank to own a mobile phone, and to me it's completely useless. I would gladly avoid carrying it with me in my travels. It lies somewhere at home: I don't go out with my phone, as I don't need to use internet banking that often, but it's annoying enough. But when I forget to carry it with me when I travel, I am kinda screwed. And it's not like SMS verification improved the safety of anything...

Also: getting those stupid SMS codes when you are in another continent is basically impossible. So what's the point of all of this?

Author here. I also had this issue and switched banks to fix this, as I also wrote about: https://www.devever.net/~hl/phonebank

A lot of banks are offering photoTan. You get a special device just for generating your photo tan. It's more secure than sms tan and you wouldn't need a mobile phone anymore.

I know you said travels metaphorically but I'll point out that you pretty much can't travel without a phone number right now. It's absolutely required even for the vaccinated for contact tracing purposes on most modes of long-distance transport (boat, plane, train) and for hotel stays and at border crossings. It's not at all optional. I'm currently travelling (I figure since I'm vaccinated I'm not being unreasonable by taking a holiday right now). Every flight and hotel has required a number.

The author may as well live in the woods in a faraday cage with a tinfoil hat at this point.

I wholeheartedly agree.

For security purposes, email or any 2 factor authentication system is better.

For providing uniqueness, as already proven by the current market, it's easy to get a new number for free and bad actors can automate that for a price.

I would say if you're doing a service where uniqueness matters, you should rely on government document verification (e.g. https://identity.stripedemos.com/, 1.5$ per user), which, unfortunately, we're all required to have.

That said, no big tech exec will listen to this.

It's not all bad, I don't really need one more reason not to use Twitter or Google.

The phone number is probably the best worldwide ~1 to ~1 identifier. I say keep it, for now at least.

I don't know about most, but a lot of people have more than one phone number.

I have a personal mobile number, a personal mobile number from the country I used to live in, and two work numbers. If I take a longer trip somewhere, I might have another mobile number for a few weeks.

I don't have one now, but landline numbers are generally shared between a whole household.

And what unique identifier do we replace it with? Specifically, we'd need one that offers universal interoperability between platforms, countries, devices, platforms, digital/analog and human memory. A different ASCII code perhaps? One shorter but serves no other purpose and creates a whole bunch of interoperability problems. This is like trying to replace the metric system.

Author here. Email addresses work fine.

How so? Literally everything you wrote applies exactly the same if you s/E.164 number/email address/g and s/SMS/email/g

No it doesn't. E.164 is a closed system in which I cannot own my own identifier, in which interconnection is based on an outmoded billing system based on the now false presumption of a circuit switched architecture, and any ability to contact other entities relies on the prior negotiation of some kind of contractual agreement with a carrier, whereas email permits agreement-free federation.

Yes it is. The same thing applies to both domain names and IP connectivity. You have to pay one of the small number of domain name providers / transit providers to register / transport your domain / BGP announcements for a regular fee. Sure there are multiple registrars / transit providers that you can deal with, but each TLD / region is overseen by a monopoly entity that can increase prices pretty easily. If you don't pay your registration fees for use of that unique identifier, you lose it.

I can get E.164 numbers for $0.85/month from a VoIP provider, which is comparable to the cost of a domain name. There are plenty of VoIP providers that can port phone numbers from landlines or cell phones to VoIP. There are more similarities to domain registrars than differences.

And everything about this is a million times better than E.164. Whereas you pay for a number from a VoIP provider, this does not make the number "yours". Domain names are registered in one's name (and sometimes traded for substantial amounts of money). There are certainly things that could be improved about the domain name industry, but it's still better than the E.164 situation.

The number you get from a VoIP provider is also at substantial risk of being in a "ghetto", whereby it mysteriously cannot receive verification code SMSes, or is discriminated against by tech companies who want a "real" number, etc.

The domain isn't "mine" either. If I don't pay for it, I lose it. If someone sues me for trademark infringement, I can lose it. So long as I keep paying my bill, the phone number is mine, and even better is that the interaction with telephone carriers is highly regulated, and the regulations have withstood the test of time extremely well. Even if I fail to pay my bill one month for a phone number, I have the assurance that the carrier cannot just throw my number away on a whim as is the case with the business relationship most ISPs have with their customers. Walking away from E.164 means walking away from decades of consumer protections enshrined in telecom regulations, and that's a pretty major loss.

The perfect counter example is how email addresses are treated. The vast majority of consumers went with email addresses provided by their internet providers when they signed up 20 years ago. As a competitive ISP, there is no process comparable to Local Number Porting available for email addresses. I have potential customers who have run their business through somename@bigtelcoisp.com for so long that they refuse to change ISPs because they are unwilling to change that email address. If emails were regulated more like phone numbers, end users would be able to change ISPs and get a forwarding record. That is absolutely not the case for IP addresses and email addresses. That's a pretty major hole that you are ignoring.

The biggest difference technically is that with email, you can register your domain name and have control of it (and you even have the freedom to move between registrars).

With a phone number, legislation was required to enable some of that (keeping a phone number when switching operators). It still does not work across countries, for instance. With legislation, email forwarding could be just as simple indeed, but at least you can solve that problem once yourself!

Basically, for all its problems, email is a technically better solution.

There are practical problems with email too: Gmail will frequently put my emails into spam folders of recipients because my mail server doesn't send enough emails regularly to be treated as trusted server (perhaps I need to start spamming my own gmail accounts :)).

I've had my domains for years (15+) so the risk of losing them is mostly theoretical (other than forgetting to pay and lack of consumer protection past 1 month due to domain squatting).

The same is true with phone numbers. You can migrate a phone number between carriers via Local Number Porting.

The percentage of people that register their own domains are in the minority, and probably are a very small minority. The bulk of the public use domains controlled by their email provider, and they have need of something like LNP.

If email had a process similar to LNP to migrate addresses between providers, I'd agree with you, but it doesn't and nobody is pushing to do that either. Technically it would not be that hard to do. I'd love it if there was a redirect mechanism where attempts to deliver to a ported email address returned an SMTP code telling the sender to deliver a given address to another MX record. Email forwarding as currently implemented is absolutely awful as much of the information about the original sender (like IP address) is lost.

I agree with your point on the number being a pain in the ass when it comes to authentication and yes an email is quite handy to remember, however these two aspects are often at odds. The outdated and often heavily regulated telephone system works as a sort of ambiguous verified identity whereas an email wouldn't function like this. The ease with which you create an email address means it's more difficult to verify you are a legitimate person. Whilst there are spam calls, the vast majority of emails are spam (>80% or something). Can you imagine if 80% of your calls were spam?

> Can you imagine if 80% of your calls were spam?

Don't have to imagine. Maybe not quite 80%, but probably most of them are.

I'll be presumptuous and say you don't get many calls, understandable in this day and age.

If not, I think you need to push for increased regulation or enforcement wherever you live if that's the case. Elsewhere regulation means it's sort of an identifier and fundamental changes to the role of domain registers would be needed to make email a feasible alternative.

I don't have the energy or inclination to push for regulation. If or when someone invents a ubiquitous communication channel that's not overrun by spam, I'll happily pay money for it. Until then, I'll be cursing at my phone and blocking numbers.

I enjoyed your article.

Poor title. Should be "Don't make me provide a phone number"

Is it? A good portion of the post is spent explaining why E.164 isn't that great and why the author thinks it should be phased out.

I think you can sign up for a google account with any android device with google apps on it. Presumably that can be without a phone number if it's just a tablet.

Author here. Amusingly I tried that once with an Android VM; it accepted the input and tried to proceed, then failed with an unexpected error, implying the developer of the application hadn't anticipated this. The account entered some half-created state in which attempts to login with it on the web demanded a phone number.

Interestingly I am also now locked out of an old Gmail account I have had since 2005 in the same way; any attempt to merely login to it yields a demand for a phone number. There is no phone number filed for that account, so this cannot possibly be for "security". It is literally an attempt to extort a phone number out of me if I want access to my own data. One suspects this is probably against GDPR, of course...

I avoided setting up Two-Factor Authentication (2FA) with mobile phones anywhere because I had the distinct impression I was making the surface of attack bigger instead of smaller.

SMS 2FA always makes an attack harder than no 2FA at all because an attacker needs to also intercept your SMS messages in addition to getting your password instead of just getting your password. Given that getting your password is required for both attacks, the addition of needing to intercept your SMS messages is an additional hurdle. It's just potentially not as good as physical token 2FA where the additional requirement is physically finding you and beating you up. I think you must be confusing SMS 2FA with an SMS 1FA override, which is not the same.

The trouble is there appear to be many services purporting to provide SMS "2FA" which make the bizarre assumption that SMS is more secure than email and allow you to recover access to your account purely via access to that phone number. For these services adding a phone number may indeed actually reduce account security.

There have been real incidents, including in the last few years, of high-value accounts of people being successfully hijacked via the hijacking of their phone numbers.
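The distinction argued over in the comments above (SMS as a genuine second factor versus SMS as a stand-alone recovery path) can be checked mechanically. The following is an added example, not code from the thread or from any service discussed; the capability labels and the three account configurations are hypothetical and constructed for illustration.

```python
# Each way into an account is a "path": the set of things an attacker must
# control to get through it. The labels are hypothetical, for this example.
PASSWORD, SMS, EMAIL = "password", "sms_number", "email_inbox"

# Constructed account configurations (lists of paths).
PASSWORD_ONLY = [{PASSWORD}]                      # no second factor
SMS_SECOND_FACTOR = [{PASSWORD, SMS}]             # SMS required *in addition*
SMS_WITH_RECOVERY = [{PASSWORD, SMS}, {SMS}]      # "2FA" plus SMS-only reset


def minimal_takeover_sets(paths):
    """Return the minimal capability sets that suffice to take over the account.

    A path is satisfied when the attacker holds every capability in it.
    A path that is a strict superset of another path is dropped, because
    the smaller path is already enough on its own.
    """
    unique = {frozenset(p) for p in paths}
    return {p for p in unique if not any(q < p for q in unique)}


def newly_sufficient(before, after):
    """Capability sets that take over the account after a change but would
    not have been enough before it. An empty result means the change did
    not make takeover easier for any attacker."""
    old = minimal_takeover_sets(before)
    new = minimal_takeover_sets(after)
    return {p for p in new if not any(q <= p for q in old)}


def audit(name, before, after):
    """Summarise the effect of a configuration change as a dict."""
    opened = newly_sufficient(before, after)
    return {
        "change": name,
        "weakest_paths": sorted(sorted(p) for p in minimal_takeover_sets(after)),
        "weakened": bool(opened),
        "opened_by": sorted(sorted(p) for p in opened),
    }


if __name__ == "__main__":
    for report in (
        audit("add SMS as second factor", PASSWORD_ONLY, SMS_SECOND_FACTOR),
        audit("add SMS second factor + SMS-only recovery",
              PASSWORD_ONLY, SMS_WITH_RECOVERY),
        audit("add email-only recovery to true 2FA",
              SMS_SECOND_FACTOR, SMS_SECOND_FACTOR + [{EMAIL}]),
    ):
        print(report)
```

The third case applies the same check to email-only recovery: any single-capability recovery path becomes the account's weakest path, whatever the login flow requires.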

Maybe but that's a problem with those services, not a problem with SMS. If they cared about security they also wouldn't allow password recovery by email, because history has proven that email is also not inherently secure. People's email accounts get hacked literally all the time.

Every single practical problem that your post ascribes to SMS also applies to email. Approaching 100% of all email addresses in the world are not permanently attached to individual people and are entirely subject to the whims of entities like Google.

This is a defect with the email service provider or user's security practices, not the email system. A well-run email system provides far greater security than SMS.

"Approaching 100%" is not "the email system". This is not a systemic issue with the design of the system itself and the system remains open. Personally I run my own email, yet it is not practically feasible for me to "run" my own telephone number in the same sense.

> A well-run email system provides far greater security than SMS.

A well-run SMS system provides far greater security than SMS. Instead of comparing a well-run email system against a poorly-run SMS system, comparing well-run versions of both would feel like less of a straw man.

No it doesn't. The architecture of SMS more or less precludes this (which I have been meaning to write about, maybe soon). Moreover, people can choose their email provider to a far greater extent than they can choose their phone number provider, where they're likely to be limited to choosing from a limited number of carriers in their country, probably all of which have poor security practice; whereas email providers with good security practice exist and can be employed by people in any country.

> The architecture of SMS more or less precludes this

Maybe a particular technical representation does, but that's not a strong expression of whatever case you're trying to make. Nothing about sending text messages using phone numbers as identifiers necessitates or demands insecurity. Signal uses phone numbers as target identifiers for text messages too. Nothing about the phone number has any bearing on the rest of the chain. Nothing about sending messages necessitates sending them insecurely. Nothing about sending messages to phone numbers necessitates it being easy to steal phone numbers.

You could write three separate articles titled "I think all text messages should use encryption" and "I think I should be able to have my own identifier/namespace" and "I think it should be harder for someone to steal my identifier", but those issues have nothing to do with each other. And not only is only the most pointless one (choosing your own identifier/namespace) addressed by using email addresses, you're still living on borrowed time at the whims of domain registrars and DNS.

Signal's use of phone numbers is an absolutely terrible practice and is one of a number of reasons for which I condemn it. In particular, Signal's use of phone numbers cannot be independent of SMS routing as you propose, because Signal must have some way of verifying that someone actually controls a given number, i.e., by sending messages to it. So however Signal anchors cryptographic identities to phone numbers, it has the telephone network's routing infrastructure as its ultimate anchor and thus as its Achilles heel.

> Signal's use of phone numbers cannot be independent of SMS routing as you propose

I didn't say anything about how Signal decides on routes. I said that Signal uses phone numbers as identifiers. If Signal wanted to make you verify "ownership" of your identifier some other way, that would not change anything about the nature of the system other than its ease of initial setup.

Both sending a message to a phone number assigned from a phone number registrar and sending a message to an internet domain name assigned from a domain registrar are sending messages addressed with identifiers assigned by registrars. Even if the implementations themselves differ, those differences are not condemnations of the principle of sending messages to identifiers. And it looks bad when you start using arguments like "phone number registrars are more gullible than domain registrars" as if that's not entirely circumstantial, speculative, and un-intrinsic to the technology or the business.

So what is to stop me from signing up for a Signal account using your phone number? It's patently obvious that to use phone numbers as identifiers you have to prove control over them at some point. That involves the telephone network. Thus any service which uses phone numbers to identify people necessarily inherits the security issues of that network.

Edit: Yes, and I'm saying that the latter can actually be secure.

> That involves the telephone network.

No, you misunderstand me. The reason I didn't say anything about the transport mechanism is because it doesn't make a fundamental difference. People hijack domains and internet packet routes through both technological and social engineering attacks literally all the time. None of the complaints in your post have anything to do with any essential or necessary characteristics of phone numbers or phone networks or phone service operators.

Email messages are routed to your domain by a gentleperson's handshake agreement between networks outside of your control plus a little bit of government regulation in exactly the same way that phone messages are routed to your phone by gentleperson's handshake agreement between networks outside of your control plus a little bit of government regulation. All possible arguments about routing trust being violated apply equally to both networks. All possible ideas about layering security on top of the network, like e.g. TLS handshakes, apply equally to both networks.

> It's patently obvious that to use phone numbers as identifiers you have to prove control over them at some point.

Signal doesn't ask for your phone number to prove the network path for your messages. What they're trying to assess is whether some entry in someone else's contacts list can be associated with your identity. If they wanted to, they could ask you to show up in person with a valid phone service contract and let them set up your client account directly. People just wouldn't bother to use Signal then.

> So what is to stop me from signing up for a Signal account using your phone number?

The same exact things that stop me from signing up for things using your email address. I could get someone to route requests for your domain to my servers if I had sufficient criminal intent.

I’d go further and say telephony itself needs to die.

the chronological billing model borne of the economics of circuit-switched telecoms is kept alive as a facade

Frankly I prefer it that way. I don't want to have to feel guilty every time I use my phone. The cost of my typical monthly usage could drop to five dollars and it would still force me to constantly think about whether what I'm doing is "worth it". Maybe I'm just a weirdo but I don't need that stress in my life.

When you make a phone call, on a circuit-switched network, you are tying up a circuit for the duration of that call. No one else can use that circuit, or slots on the T1/T3 etc. until you hang up. Resources need to exist in case you ever make a call that no one else can use.

With packet-switched, your call isn't tying up a circuit, just a small portion of speed, and once your call ends, someone else can use it.

You need more lines to support circuit-switched networks than packet-switched networks.

So you should feel more guilty using circuit-switched technology than packet-switched technology.

Fortunately I think a lot of providers once you are out of the "last mile" to your house or business are using SIP even if internally. Where I work I'm seeing things like SIP over T1 instead of PRI.

That's all true but it's completely unrelated to what I was saying. My point was that I would rather pay a flat rate for unlimited data than pay per unit of data used. I like the freedom of using it however I want. I like not having to think about whether, for example, watching a video in 1080p is worth the extra ten cents over watching it in 360p. I just don't want to feel bad for treating myself to the best experience.

You can only make more calls over packet switched than circuit switched if the packet switched network is cheating: silence elimination is common, compression is also common. If you're comparing PRI to SIP over T1 without silence elimination and using uLaw, results are going to be pretty similar. Maybe you get a benefit with SIP because you eliminated the control channel of PRI, but you also increased latency and jitter and lost clear overload behavior (all circuits busy) in favor of degraded calls on overload.

Of course, it's a lot easier to multiplex SIP with other IP traffic, I don't think you can split a T1 as a couple PRIs and the rest IP, and even if you could, you probably couldn't do it dynamically. Having a system where data can use the bandwidth when you're not making calls, and calls can use it when you are is pretty valuable.

I've been wondering when we will collectively move past the notion of "phones" in general.

Nothing else is as close to being so widely-available and easy to obtain for almost anyone, almost anywhere, and usable by as many people. I don't see anything poised to replace it as the LCD of near-instant communication.
