Phone Numbers and Identity

And why conflating the two is not a good idea.

Using a phone to verify identity - e.g. when signing up for a service online - is quite common these days. This typically happens by sending an SMS to your phone with a code that you type into the website, a form of SMS-based two-factor authentication (2FA).

One reason companies do this is to make it harder for people to create throwaway accounts and spam the service, although it is often presented as a security measure as well.

While this may help companies fight spam, SMS-based 2FA does not make your account as safe as it appears to, for a few reasons:

  1. You don't own your phone number, your service provider does. They can lease it to someone else in accordance with their terms and conditions (this is known as number recycling). I learned this the hard way when my phone company leased my number to someone else after I moved countries. The new person got all my messages from my bank, tax, and every other service I signed up for. Most services also won't let you change your phone number without first sending a confirmation SMS to the number on file, which by then is someone else's phone.
  2. Phone numbers are vulnerable to social engineering, in the form of a SIM swap or port-out attack. A good social engineer can impersonate you, claim you lost your phone, and convince customer service to transfer your phone number to a SIM they control. Customer service refuses? Try again in a few hours to get a different agent, and keep going until someone agrees to the request.
  3. If your phone is set to show message previews on the lock screen, any code can be read over your shoulder without the phone ever being unlocked.

Overall, using a phone number to confirm identity is dangerous for all these reasons. If your phone number is compromised, fixing the situation can be extremely difficult, because the same number that let the attacker in is the one every service will use to check that you are you.

On the other hand, using a dedicated security device such as a YubiKey for 2FA makes your account much safer: the second factor is a private key that never leaves the device, nobody can transfer it by calling your phone company, and there is no code to read off a lock screen.
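To make the contrast concrete, here is an added example in Go; it is not code from the original post. It simulates both schemes: an SMS code that is delivered to whichever handset the carrier currently routes the number to, and a FIDO-style security key whose assertion is a signature over a fresh challenge and the origin the browser saw. The phone number, handset names, user name and origins are constructed sample data, and the key scheme is a deliberate simplification of WebAuthn (no RP ID hash, signature counter or attestation), enough to show why the number can be taken over and the key cannot.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

func must[T any](v T, err error) T { // panic on error: fine for a demo
	if err != nil {
		panic(err)
	}
	return v
}

// SMSService: the second factor is "whoever currently receives texts at the number on file".
// carrier is a toy phone network the user does not control: recycling and SIM swaps change it.
type SMSService struct {
	carrier map[string]string // number -> handset
	phone   map[string]string // user -> number on file
	pending map[string]string // user -> outstanding code
}

// SendCode texts a fresh 6-digit code and reports which handset actually received it.
func (s *SMSService) SendCode(user string) (handset, code string) {
	code = fmt.Sprintf("%06d", must(rand.Int(rand.Reader, big.NewInt(1000000))).Int64())
	s.pending[user] = code
	return s.carrier[s.phone[user]], code
}

// VerifyCode accepts the code once. Nothing depends on who typed it: it is a bearer token.
func (s *SMSService) VerifyCode(user, code string) bool {
	want, ok := s.pending[user]
	delete(s.pending, user)
	return ok && want == code
}

// SMSAfterPortOut: Alice's number is rerouted to Mallory's handset (number recycling or a
// social-engineered port-out). The service does everything right and still lets Mallory in.
func SMSAfterPortOut() bool {
	svc := &SMSService{ // constructed sample data
		carrier: map[string]string{"+15550100": "alice-handset"},
		phone:   map[string]string{"alice": "+15550100"},
		pending: map[string]string{},
	}
	svc.carrier["+15550100"] = "mallory-handset" // the number changes hands...
	handset, code := svc.SendCode("alice")       // ...so the code lands on Mallory's handset
	return handset == "mallory-handset" && svc.VerifyCode("alice", code)
}

// Security key (FIDO-style): the factor is a private key that never leaves the device, and
// each assertion is a signature over a fresh challenge plus the origin the browser saw.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// keyAssert is the key signing a challenge; in WebAuthn the browser, not the page, supplies origin.
func keyAssert(priv *ecdsa.PrivateKey, origin string, challenge []byte) []byte {
	return must(ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge)))
}

type KeyService struct {
	origin  string
	pub     map[string]*ecdsa.PublicKey // user -> registered public key
	pending map[string][]byte           // user -> outstanding single-use challenge
}

func (s *KeyService) Challenge(user string) []byte {
	s.pending[user] = make([]byte, 32)
	must(rand.Read(s.pending[user]))
	return s.pending[user]
}

// VerifyAssertion checks the signature against the registered key, the service's own origin and
// the challenge it issued; the challenge is consumed either way, so replaying an assertion fails.
func (s *KeyService) VerifyAssertion(user string, sig []byte) bool {
	c, ok := s.pending[user]
	delete(s.pending, user)
	return ok && s.pub[user] != nil && ecdsa.VerifyASN1(s.pub[user], signedData(s.origin, c), sig)
}

// KeyLogin registers Alice's key, then has her browser (on browserOrigin) sign the challenge. A
// look-alike site can relay the challenge, but the browser reports the look-alike origin.
func KeyLogin(browserOrigin string) bool {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	svc := &KeyService{origin: "https://bank.example", // constructed origin
		pub: map[string]*ecdsa.PublicKey{"alice": &priv.PublicKey}, pending: map[string][]byte{}}
	return svc.VerifyAssertion("alice", keyAssert(priv, browserOrigin, svc.Challenge("alice")))
}

func main() {
	fmt.Println("SMS code after port-out lets the attacker in:", SMSAfterPortOut())
	fmt.Println("security key on the real site:", KeyLogin("https://bank.example"))
	fmt.Println("security key on a look-alike site:", KeyLogin("https://bank-example.test"))
}
```

The point of the SMS half is that VerifyCode is correct and still useless: the service verified possession of a number, and the carrier, not the user, decides who possesses it. The key half never hands out anything an attacker could collect; the only thing that leaves the device is a signature that is worthless on any other origin and for any other challenge.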