Phone Numbers and Identity

And why conflating the two is not a good idea.

Using a phone to verify identity, e.g. when signing up for a service online, is quite common these days. This typically happens by sending an SMS to your phone with a code that you then type into the website: two-factor authentication (2FA), with your phone number acting as the second factor.

One reason companies do this is to make it harder for people to create throwaway accounts and spam the service, although it is often also presented as a security measure.

While this may help companies fight spam, SMS-based 2FA does little to make your account safer, and can make it harder to recover, for a few reasons:

  1. You don't own your phone number, your service provider does, and they can reassign it to someone else in accordance with their terms and conditions. I learned this the hard way when my phone company leased my number to someone else after I moved countries. The new person got all my messages from my bank, tax office, and every other service I had signed up for. Most services also won't let you change the phone number on file without first sending a confirmation SMS to the current one, so once the number is gone, so is the ability to move the account to a new number.
  2. Phone numbers are vulnerable to social engineering. A good social engineer can impersonate you, claim you lost your phone, and convince customer service to port your number to a SIM they control (commonly called SIM swapping); every SMS code for your accounts then goes to the attacker. Customer service refuses? Try again in a few hours to get a different agent, and keep going until someone agrees to the request.
  3. Using fake cell towers (IMSI catchers such as the Stingray, illegal for private parties but easy to set up) or flaws in the signalling network that routes SMS between carriers, attackers can intercept 2FA messages in transit. The phone network infrastructure is not as secure as is widely believed, and such attacks have already been carried out in the wild.
  4. If your phone is set to show message previews on the lock screen, anyone who can glance at the screen can read the code over your shoulder without ever unlocking the phone.

Using a phone number to confirm identity is especially dangerous because it provides the illusion of security without actually providing any guarantees. It can even weaken security, because the number becomes the key to the account: if it is compromised, fixing the situation can be extremely difficult or even impossible.

On the other hand, using a dedicated security device such as a Yubikey, or a dedicated app such as Google Authenticator that generates time-based one-time codes, vastly improves account security: the secret lives on a device you physically hold, not on a number your carrier can reassign or an attacker can port away.

To sum up: always enable 2FA, either with a hardware device (e.g. Yubikey) or an app such as Google Authenticator, and do not rely on SMS messages to provide the second factor.