Twitter lets you use 2FA without a phone number (twitter.com/twittersupport)
262 points by arkadiyt on Nov 21, 2019 | 166 comments



No doubt because Jack Dorsey was SIM jacked[1]. SMS 2FA is incredibly insecure.

[1] https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-...


I still don't understand this. If SIM swapping were the problem then it isn't SMS 2FA that is insecure, it is the telcos themselves, and especially US telcos.

In many other parts of the world, switching SIMs (SIM swapping) requires showing proof of identification, as well as a written form and signature.

And any CS accessing customer information is instantly logged; there is no way of paying $1000 to change or SIM swap without going through the proper procedure (should there be one), and they will be fired for any misconduct.

SMS might not be the best solution for security, but for the average Joe, that is nearly 4 billion smartphone users, it is better than nothing.

Maybe had Apple created their own MVNO this problem could be solved.


For the purposes of 2FA implementations it doesn't matter why SMS is insecure, only that it is insecure. Since it's probably not within your power to force your telco to change their insecure business practices, avoiding relying on them for 2FA is your only alternative.


Exactly this. Also want to add that phone numbers were never really meant to function as identity providers. For this reason I think it's important not to use the real number on your cell phone for anything -- VOIP numbers are best if the only method of 2FA offered is phone number.


SMS 2FA is insecure because companies implement it in a way that it becomes one-factor.

Forgot your password - reset your password - get an SMS

When there is no second factor involved, it's not 2FA despite people calling it that.


I agree the problem is that implementation of a backup for 1FA ends up coming back to the phone. But often the target service has no certainty of which mechanisms are going where.

They send to your email.. They use TOTP. They use Oauth, etc, etc. What other things accounts go back to either your SIM or someone stealing your phone, SIM and all?

Even U2F will fall down this hole soon since everyone wants to implement it on phones! Will the attestation certs for phones say multipurpose device that is probably involved in other factors?


As far as I know, the service telcos provide is the ability to make calls, receive calls, send text messages, receive them, etc.

Telcos don't get paid to securely provide SIMs. They make hardly any claims regarding the security of your calls, text messages, etc.

So it is rather odd to hold telcos responsible for the failure of some security mechanism they were never part of.


The rationalisation here is mindblowing.

By the same logic, no company should ever be held responsible for harm to users of their products caused by product defects: after all, they never made any claims regarding their products being safe to use.


I mean I think the ship has pretty much sailed on this one but I think they've got a case when companies just started using "can receive a text at a given number" as a security verification which suddenly made it the telco's problem to make sure such a thing was secure when before it was a more informal system.


Normal defects are 'easy': you have a contract to obtain a product or service with certain features. If the product or service doesn't have those features, it is a defect and a failure of the providing party to comply with the contract.

Of course, no phone contract says anything about securing SIMs (for the purpose of authentication). So it cannot be a defect.

Safe to use is often in relation to bodily harm, which doesn't apply in this case. Outside any specific law, if you use an unencrypted text messaging service between subscribers for authentication purposes, then you are on your own.

In this case, the actual harm is caused by the companies that decided to use text messaging for authentication purposes without verifying that the underlying service is fit for purpose (or having a contract with telcos that explicitly lists this purpose).

Of course, nobody is going after Twitter to recover damages from them.


Sure and Ford never promised cars that wouldn't explode on a rear-end collision

Telcos have a very poor service for the extortionate prices they charge. At some point your phone number is tied to your identity and should be secured as such (ah but nobody cares about that right?)


Since someones phone number is incredibly important for all sorts of reasons, it is definitely the companies fault for making it so easy to hijack.


That's rather bizarre logic. An obligation to keep something secure comes either from a specific law, or from something specific in a contract.

The fact something is important to you, and you failed to negotiate that in your contract, doesn't mean that the company providing the service is somehow required to take that into account.


You're telling me that offering a service comes with no guarantee of the service? If I'm paying you, but you're no longer providing the service to me, but to some third party, how is that upholding the contract?

If you order food in a restaurant and someone takes the food from the waiter before you can have it, what would you want the restaurant to do?


The service is that you can receive messages. The service is not that you are the only one who can receive those messages. If someone commits fraud and obtains a SIM with your number then the telco is in general quite willing to correct the error. Maybe they will even give you an extra copy of the messages that were lost.

It's like going to a fast food restaurant and later complaining that the meat is of low quality.


Am I paying for my number or not? If I am, then if they give it to somebody else while I’m still paying for it, that is breach of contract.


This is really twisted logic you're trying to use.

If I entrust my email to Google, them having corrupt employees who give my email to other people would be a serious issue, for security, privacy and a myriad of other reasons. This is exactly what's happening at phone companies.


I agree with you if you are saying Telcos have no economic incentive to take any security posture for their customers. Regular users cannot fathom that the service they pay for is somehow able to be manipulated and that their communications can be redirected arbitrarily without legal order via technical means.

It is known that there are security issues with ss7 specifically [0][1][2] and the global telecom network was, it seems, never secured. I would conjecture that there are some other problems with mobile phones[3] some that we are not aware of.

I also am in lock step with your claim that this should not be surprising.

Telcos are indeed not paid for security. The security of the telephone network must not be counted on. In fact, military and government business must often be executed on special non-public phone exchanges or SIPRnet. Telcos do not offer any security guarantees, and are rather obstinate toward any demands such as this. Negotiating a more secure service is impossible.

> So it is rather odd to hold telcos reponsible for the failure of some security mechanism they where never part of.

It is certainly not odd. If the general public wakes up and their assigned phone numbers are meaningless, all of their customers will be unhappy, it simply wouldn't pass the sniff test of a 6-year-old.

However, there is positively no incentive for anybody to shop for security in this space. Few living people believe or can even fathom that there could be a problem with using their phones in this manner. Despite the public fraud[2] that has been enabled by the Telco's apparent lack of any security engineering, the market is not providing any security mechanisms for this, I would imagine in part due to the concessions on interoperability made during the development of these global telco protocols.

There (appears to have been) zero work done for the security of this critical system. Customers do not recognize any possible threats, telcos have no interest in improving their networks in this regard, and the US government has developed a nickel allergy towards telco regulation in the 30 or 40 years following the Bell conclusion. Finally, telcos don't care to change, and if they did there would be decades-long disputes regarding implementation.

No, it is wholly unsurprising to find an entrenched, obstinate partner in this field.

[0] https://www.schneier.com/blog/archives/2014/12/ss7_vulnerabi...

[1] https://simjacker.com/downloads/technicalpapers/AdaptiveMobi...

[2] https://arstechnica.com/information-technology/2017/05/thiev...

[3] https://www.schneier.com/blog/archives/2016/09/leaked_stingr...


Various countries besides the US (often other "Anglo" countries) don't require any identification to get a SIM card, while as you mentioned some countries require identification and sometimes even more steps like physical address verification. In my experience as a tourist, these additional steps are sometimes unnecessarily complex and are often somewhat of a hassle.

An argument can be made that this hassle is worth it for security concerns (which is what they often tend to be sold as) but personally I find it less reasonable for preventing against SIM swap hacks when there are many alternatives to SMS 2FA.


> to get a SIM card

getting a new card is not the same as swapping


I don't know of any way of transferring a phone number to a card you already possess; the only way is re-provisioning to a brand new card.


Swapping a SIM card and verifying identity requires some identity to match with, presumably provided at time of activation.


You can also show fake ID at a competing telco sales point and tell them you want to move the number in Sweden. Happened to me that depending on which provider the call was coming from, sometimes it would reach me and sometimes not.


No. In addition to what you have mentioned, and what sibling comments have noted about implementation, it is SMS that is (has been? I can't find info on whether this has been remedied) insecure as well. This is the "SimJacker" whitepaper describing technical means of hijacking among other games.

https://simjacker.com/downloads/technicalpapers/AdaptiveMobi...


> In many other parts of the world, switching SIMs (SIM swapping) requires showing proof of identification, as well as a written form and signature.

Minimum wage employees don’t give a shit. Always exploited.


> it isn't SMS 2FA that is insecure, it is the telco themselves

I have some rope at home. The manufacturers specify it's blue, 8mm, polypropylene and for 'general use' but they don't say anything about its strength. Cost about $5.

If I lift something with it and it breaks, is it the rope's fault, or my fault for selecting the wrong rope?

SMS is the same way - is sim jacking the telco's fault, or is a company using SMS 2FA as dumb as lifting a piano with my $5 rope?


Is it acceptable for anyone to be able to just walk into a store and hijack your phone number? Guess it’s just your fault your grandma now gets to talk to a crook when she calls you.


> May be had Apple created their own MVNO this problem could be solved.

I think the only reason they haven't is because they don't want the customer service headache that running & supporting a network generates.

Bad signals, stolen phones, billing etc. Urgh.


It's not just SIM swapping that's the problem.

The protocol/network used for international SMS (SS7) is supposedly very insecure and can be used to hijack messages.


haha ;-). Yes, you need a signature and legal document, both checked by your random, always late and in a hurry EMS courier when receiving the new SIM package. Same when starting new CC.


Password reset by SMS is not 2FA. It's a single insecure factor.


Yeah, a lot of banks still use SMS 2FA and even don't let you login/approve payment without SMS verification.


I wish. Mine just removed the SMS option. I now have to install an App that wants full telephony access. And is obviously only available in the google play store, requiring me to accept google terms.

Is it safe? I don't know. Doesn't seem to be a widely used standard. Haven't found technical details. Only a mention of "cryptography" in the marketing material. So yeah, I don't really feel much safer.


Give them the access to your Android-x86 VM first :)


I think SMS 2FA is fine for the most part, so long as you have a decent password, the problem is when companies introduce recovery numbers and make it back into 1FA


How is it fine for the most part when it’s been shown that thousands of employees working at the mobile network have the ability to forward your number thereby rendering the 2nd factor useless?

More importantly, there simply isn’t a reason why TOTP, a superior actually secure 2nd factor that doesn’t rely on a third party, can’t be offered, unless you want to force the user to cough up their phone number so you can track them.


TOTP is great for you and me, but the average Joe totally does lose their phone and get locked out. Forget recovery codes, what the hell are those, they can’t even keep track of passwords. Authy provides encrypted backups you say? See “can’t keep track passwords”.

Don’t even get me started on physical security keys. I could hardly even convince myself to use one, let alone always having at least one backup. Imagine asking my mom to do that.

At the end of the day, the average Joe needs a recovery mechanism that’s not tied to their memory and doesn’t make their everyday interactions a pita. Phone number is just one step below government IDs (which people would be uncomfortable to supply for most sites) and the challenge response could be easily automated, making it ideal. It’s being ruined because of the incompetence of telecom operators.

I wonder if requiring physical appearance with government ID for a SIM change, and making fraudulent SIM issuance a fireable offense would drastically cut down on SIM jacking. (Before anyone points it out, I do envision fraudsters applying for telecom jobs just to do this.)

Now, I’m not arguing TOTP without recovery phone number shouldn’t be an option. I opt into it whenever possible.


> Don’t even get me started on physical security keys

Well, I haven't seen a single person who wouldn't have one. We use them for cars and houses, though.

And credit/debit cards, I bet you have them too. It's a physical security key to the ATM. Classic 2FA spirit: something you have (the card) + something you know (PIN code).

The point is, people don't have problems with physical security keys. Programmers do (and hardware vendors) do, which means no standards and clunky UI.


Physical keys go into designated keyholes, and give you physical access to something. Physical cards go into dedicated machines, and give you access to a physical transaction, cash, deposit box, etc. Physical objects for physical access.

Physical U2F keys get in the way of all-digital flows. They also need to interact with all kinds of non-dedicated devices, something they do a less than stellar job of. Bluetooth and NFC keys are young, setup process isn’t great and reliability seems to vary; USB keys require a USB port which might be occupied by other things or available only in another physically incompatible shape.


So, we are agreeing?

The keys aren't the problem, the engineers are. In this day and age, every device should have a digital keyhole (NFC, whatever) - and it should not take more than "insert or hold X next to Y".

Re: "physical process": something tells me you didn't type this message telepathically. UX is a physical process, and 99.99% of the time, it's doing something with your hands anyway. (Alexa/Siri/OK Google are a different beast).

If every other phone can have a fingerprint scanner, it can have something for actual keys too.

Moreover, imagine this: your devices could have built-in hardware keys that you can register with your bank/etc should you desire that convenience.

Still proper 2FA: your phone number is just an account, which is at the whim of your service provider, but your device is something you have.


Before pushing stuff like TOTP, we need to get everyone on board with using a password manager correctly. I use one and it's a quality of life improvement as well as a security improvement. I only have to remember one password, and I have all of my credentials on my phone and my browser. It's set to automatically lock after some minutes, so I'm secure most of the time. I just checked and I have over 100 passwords in my password manager, and there's no way I would be able to have a unique password for each one and remember them all.

It's a bit of an "eggs in one basket" situation, but given that people tend to use the same password everywhere, I see it as strictly a step up since it's much less likely for your password manager to be compromised (targeted attack in most cases) than for a site to be hacked.

Once everyone is using password managers consistently, then we can start to talk about TOTP and other 2FA tools, and at first only use it to secure the password manager.

Once we solve the password manager problem, most other problems go away. You don't need to reset passwords if you have it in your password database (your computer won't forget it). You don't have to come up with passwords that match some arbitrary set of requirements, you let your computer do that. If you get recovery codes, stick them next to your passwords in your password manager. If there's a breach, your password manager can likely tell you which accounts are affected, and you can just change those instead of every site that you use that password on.

So yeah, 2FA is nice, but improving how people use the first factor is far more important and actually makes peoples' lives easier.


I have pushed my parents to use a password manager multiple times over the years but failed (it’s as simple as adding them to my existing 1Password subscription). My father being a software engineer out of all professions.


I think it's fine because in order for someone to hack me if I have true 2FA authentication with SMS, they would both have to both get my password, and do some kind of social engineering attack to get access to my messages. If you have a secure password already, that is probably good enough security for the vast majority of people.

Just because the second factor can be compromised, doesn't make it useless. Pretty much any security mechanism can be breached, it's all about increasing the difficulty of an attack until it matches the value of what you are trying to protect. SMS 2FA protects you against untargeted attacks like credential stuffing, which is probably sufficient for 95% of people.


> they would both have to both get my password, and do some kind of social engineering attack to get access to my messages.

You must have not followed any SIM-jacking story, which is the point of this entire thread.

1. They don’t need your password because their goal is a password reset through your recovery phone, or recovery email address “secured” by a recovery phone.

2. They do social engineering on telecom employees (or outright buy them out for a pittance) to not only get access to your messages, but take over your entire link to your cellular network. You’re not involved in any of this.

TL;DR: the second factor makes you less secure, not more. It’s a downgrade from a secure password. It makes you defenseless.


As I said in my first comment, a recovery number turns it from 2FA into single factor. Obviously that is less secure, since a phone number is generally less secure than a password. I'm talking about true 2FA over SMS.


Recovery numbers should be stored somewhere safe, like your house. If your attackers have access to your house they could beat you up with a baseball bat instead of going through the trouble with finding your recovery codes and phishing your passwords.


Recovery numbers are recovery telephone numbers. If they SIM-swap you, they have your telephone number. The end. Virtually all email accounts and online services tie themselves to your damn telephone number, and there are tens of thousands of people in each phone company who can move your number.


Oh, I thought you meant backup 2FA codes:

https://support.google.com/accounts/answer/1187538


The attacker would have to steal the password and SMSjack someone; that’s a fairly tall order (maybe feasible for targeted attacks, but it should be sufficient to thwart opportunistic attacks.) The problem is that many sites allow password resets with the SMS, thus rendering it 1F, as GP said.


2FA is more secure than 1FA as it takes more efforts to break. It is enough for many people, but targets that are worth the money and risk of bribing a phone company's employees may need additional security.

Breakable != useless.


I agree when SMS 2FA is strictly in addition to a password, and the phone number isn’t used for account recovery (or marketing), it is theoretically no worse than just a password. The problem is it still with great 2FA, and the kind of sites which do SMS 2FA are exactly the ones incompetent enough to turn it into SMS-based password recovery which is worse than no 2FA.

(The other use of SMS which is somewhat legitimate is as a cost gate to create new accounts. Generally creating a new SMS receiving phone number costs someone more than a new email, so if you want to crudely limit creation of large numbers of accounts by individual users, it can be an option.)


Really 1/2 FA.


What part of SIM-jacked did you not understand?

It's not about your password. It's about social engineering. Bad guys call their buddies at some mobile phone co. and get your number switched for a few minutes, then they call your bank and get them to change your password which they do because they trust SMS 2FA which now goes to the bad guys, and then they take your money, and you find out much later. Password quality has zero to do with any of this.


You seem to have missed part of his comment: "the problem is when companies introduce recovery numbers and make it back into 1FA".


Unfortunately there are two big problems:

-- You can't provision more than one security key. I want to provision a backup key.

-- You must have TOTP or text-message 2FA enabled in order to use a security key. But the very reason I want to use a security key is because I don't want to trust my phone!


What is it with this bullshit practice of requiring TOTP/SMS setup first before using security keys! I've seen this all over the place, seemingly copied from all the existing ones. Basically they're saying, you must have a less secure 2FA before using a more secure one. Even github does this circus show but at least it lets you register two keys. So what I do is to setup TOTP, add two keys and then remove the TOTP on my phone.

As for limitation of one key, I use my Yubikeys with TOTP as well, so for services that don't support more than one security key, I store the same TOTP private key on both my security keys and get around it.


Everything on one Yubikey? What if you lose it?


No, I do the same thing. You generate the TOTP seed once and simultaneously install it on both Yubikeys.


How does it work to use with your phone? Last I checked there were very limited options for NFC compared to USB.


NFC works fine with the Yubico authenticator app, IME. Using a Yubikey 4 NFC (USB A + NFC).

USB-C works fine with the Yubico authenticator app, IME. Using a Yubikey 5c.

Haven't used the Lightning one, as I don't have an iPhone. Probably fine.

The one annoyance is that there's no USB-C + NFC key yet.

Edit: on my old phone I also used a USB-OTG (Micro-B male to A female) adapter with a normal Yubikey4, which worked (but was an ugly kludge).


You can do TOTP authentication on any device that you do trust. It's just an HMAC of a timer. I use oathtool: https://www.nongnu.org/oath-toolkit/


Hah...before you commented, I searched to see if there were any decent TOTP command line tools, found that, found that it's available via Homebrew ("brew install oath-toolkit"), and installed it.

After that, I tried several examples from the online man page [1], copying/pasting from Firefox to a terminal. Many of them failed, with errors like "oathtool: hex decoding of secret key failed".

To save others time...get your examples for copy/paste by doing "man oathtool" in another terminal and copying from there. The online manual has the dashes in arguments like "--totp" and "-w" rendered as Unicode minus signs (U+2212). Command line arguments need good old fashioned dash (U+002D).

There's an email address at the bottom of the page for reporting bugs, but my email client didn't like it. Sure enough, there are dashes in the email address which on the web page are Unicode minus signs, so had to grab it from the man page to send off the mail.

[1] https://www.nongnu.org/oath-toolkit/oathtool.1.html


Are there any tools out there where the TOTP seed is encrypted and multiple parties (X person key system) are requested to auth to grant access?


Hmmm...so let's say the server, S, knows a TOTP seed, and that seed is shared with Alice and Bob via Shamir's secret sharing method.

To use TOTP then Alice and Bob have to contribute their shares to something, that something has to combine the shares to recover the key, and then generate the TOTP code for the current time, which it sends to S (or sends back to Alice and/or Bob who sends it to the server?), which knows the seed and generates the code for the current time, and checks to see if they match.

The question then is what handles the share combining? You'd need some sort of intermediate party that just receives shares and computes the TOTP code for sending to the server (directly or indirectly). Alice and Bob have to trust that this party will not keep the shares or keep the recovered code because then the entity could generate the TOTP code at will in the future without Alice or Bob's input.

It would probably make more sense to just have the server keep separate TOTP seeds for Alice and Bob, and authorizing requires Alice and Bob to both send their separate TOTP codes to the server.

Where things like secret sharing shine is when you have a secret that S is not supposed to know persistently. For example, we use it at work for a database with sensitive data. The data is encrypted, with the key in non-paged RAM. When the server starts, a couple of shareholders enter their shares, which reconstructs the key. If someone were to steal the server itself they would not get the key.


Hmm, we can call it Shamir's Secret Blockchain.


AFAIK the simpler option has been 16 character passwords entered by 2 people physically at the same console.

IMO TOTP or even U2F have serious over the shoulder and grabby partner kinds of problems compared even to needing to type with semiprivacy.

Technically, in PAM, etc you could always add multiple rules.. But mostly this devolves into RBAC with separate roles so 1 type of admin does each step, but an absent admin is replaceable with another of the same type.

I tried to push a change/publish approach over a more traditional RBAC approach once, but it didn't fly.


> Are there any tools out there where the TOTP seed is encrypted and multiple parties (X person key system) are requested to auth to grant access?

Do you have an example of such a system? I would be curious to read about the motivating use case.



I am aware of the principle. But why would the TOTP seed be encrypted by multiple parties versus a system requiring k of n users to respond with a TOTP response or something else?


I think we're just arguing over implementation details at this point.


My apologies, I had hoped to communicate that my comment was specifically about implementation details.


What do you mean by x person key system, multiple parties are requested to auth to grant access, something like shamirs secret sharing?


That’s the underlying primitive, yes.


Do you mean multiple people required to get a single totp code or multiple people authorized to get a single totp code?


The former. Think of it as 3FA. Something you know, something you have, and multiple people who need to grant access to that thing you have.


Sure, you can bake 3FA into your application.

Hashicorp vault has something like this to generate a root token. You can split your unseal key according to shamirs secret sharing. You can bring together a specified number of unseal key shards and generate a new root token with them. The app had endpoints to manage all this. You could create your own app with your own endpoints with similar functionality.

I don't think there are cryptographic primitives to give you this easily, without some trust logic baked into the app layer.


I wish I could understand why platforms are still only allowing one hardware key, especially a platform like Twitter with a sizable base of advanced users.


Right, should we assume they're too incompetent to read where the spec says to do multiple keys? That's not good.

Maybe they're too lazy to do the work?

They're actively trying to discourage good practice?

There aren't any good excuses.


You can generate TOTP codes from any computer (not just phones). This builds and runs on Linux, Windows and Macs:

https://github.com/62726164/goathgen


Also 1Password has built-in support for TOTP codes. The killer feature, which must have saved me hours, is that it automatically copies the TOTP code to my clipboard after login.

https://support.1password.com/one-time-passwords/#use-your-o...


As @regecks says below, you only need to add it temporarily and then delete the app. I agree they need the ability to have multiple keys.

I personally think the reason they require both to set up a security key is a user recovery issue. TOTP is highly reproducible and a security key is not. You can't back up your private key (by design). You just have to buy several and store them separately. I can encrypt my seed, put it in a QR code, and print as many copies as I want at no cost. If my backup Yubikey fails, I'm toast if I need recovery.


You can store the secret on a yubikey and use yubico authenticator, which just passes the current time to the yubikey to generate the totp code.

There are desktop and phone apps for it, which works great with nfc yubikeys on mobile.


You can still be phished into entering that TOTP code


Technically yes, but the main tricks for phishing OTP codes from phones now don't work with those apps. The current ones involve getting people to install an app and getting them to give the app SMS permissions, and there isn't a permission for getting data from Yubikey apps unless they go through the phone's storage, which is a problem encryption and fingerprint scanners can fix. And calling someone and telling them you accidentally put their number into a site and are trying to recover their account, so could you please read me the number you get texted, doesn't work for a Yubikey since you know exactly what that code is for and they can't have been the previous owner of your phone number or accidentally signed you up to that.

There's plenty of others obviously, phishing is an infinite sea of crazy ideas, but that's a few huge ones gone.


No. There are ready to go out of the box proxy tools that rely only on you thinking this proxy is really the site you wanted, and then your TOTP, SMS message, any of these third rate second factors get phished.

The reason Security Keys (ie WebAuthn/U2F) doesn't get phished in this scenario is that the human's worthless opinion about whether this is the correct site isn't used by these technologies. Your WebAuthn credentials submitted to the utterly convincing phishing site fake-bank.example don't work for your real-bank.example login and the phishing fails.
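An added Python model of the origin binding described above; it is not the commenter's code, not a WebAuthn library, and the signature is an HMAC with a per-credential secret standing in for the real per-credential ECDSA key pair (the scoping and the signed fields are the point, not the signature algorithm). The origins real-bank.example and fake-bank.example and the challenge string are constructed. Two things stop a relaying proxy: the browser derives the RP ID from the page's own host, so the key refuses to use a credential made for real-bank.example, and the relying party independently checks the origin in clientData and the RP ID hash in authenticatorData, both of which the signature covers.

```python
import hashlib
import hmac
import json
import secrets
import struct
from typing import Dict, Tuple


class ToyAuthenticator:
    """Toy security key: one credential per RP ID; HMAC stand-in for the ECDSA key."""

    def __init__(self) -> None:
        self._creds: Dict[bytes, Tuple[str, bytes]] = {}   # credential_id -> (rp_id, key)

    def make_credential(self, rp_id: str) -> Tuple[bytes, bytes]:
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, key)
        return cred_id, key      # the RP stores `key` the way it would store a public key

    def get_assertion(self, rp_id: str, cred_id: bytes, client_data_hash: bytes):
        scoped_rp, key = self._creds.get(cred_id, (None, None))
        if scoped_rp != rp_id:
            # A credential created for real-bank.example cannot be used from fake-bank.example.
            raise PermissionError("credential not scoped to " + rp_id)
        # authenticatorData: sha256(rpId) || flags (UP=1) || 4-byte signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authn: ToyAuthenticator, page_origin: str, cred_id: bytes, challenge: str) -> dict:
    """The browser, not the page, fixes the RP ID (the page's host) and the origin in clientData."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authn.get_assertion(rp_id, cred_id, hashlib.sha256(client_data).digest())
    return {"credential_id": cred_id, "client_data": client_data,
            "auth_data": auth_data, "signature": sig}


def rp_verify(rp_id: str, origin: str, challenge: str,
              registered: Dict[bytes, bytes], a: dict) -> bool:
    """Relying-party checks (a subset of the WebAuthn assertion verification steps)."""
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != origin:                              # origin binding
        return False
    ad = a["auth_data"]
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():     # RP ID hash binding
        return False
    if not ad[32] & 0x01:                                       # user-presence flag
        return False
    key = registered.get(a["credential_id"])
    if key is None:
        return False
    expected = hmac.new(key, ad + hashlib.sha256(a["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, a["signature"])


def demo() -> dict:
    """Legitimate login is accepted; a relaying phishing page fails at both layers."""
    real, fake = "https://real-bank.example", "https://fake-bank.example"   # constructed
    authn = ToyAuthenticator()
    cred_id, key = authn.make_credential("real-bank.example")
    registered = {cred_id: key}
    challenge = "constructed-challenge-use-random-bytes-in-practice"

    legit = browser_get(authn, real, cred_id, challenge)
    results = {"legit_accepted": rp_verify("real-bank.example", real, challenge, registered, legit)}

    # Layer 1: the proxy relays the real challenge and credential id, but the browser
    # asks the key for fake-bank.example and the key refuses.
    try:
        browser_get(authn, fake, cred_id, challenge)
        results["authenticator_refused"] = False
    except PermissionError:
        results["authenticator_refused"] = True

    # Layer 2: an assertion whose clientData names the phishing origin is rejected by the
    # RP; rewriting the origin also breaks the signature, which covers the clientData hash.
    tampered = dict(legit, client_data=json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": fake}, sort_keys=True).encode())
    results["relayed_rejected"] = not rp_verify("real-bank.example", real, challenge,
                                                registered, tampered)
    return results


if __name__ == "__main__":
    print(demo())
```

Contrast this with the TOTP and SMS paths, where the code the user types carries nothing about which site asked for it, so a proxy can forward it unchanged.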


You only have to trust your phone momentarily.

Add TOTP, add security key, then delete the TOTP token from your phone.

At that point, the only copy of the TOTP secret is stored on Twitter's servers.


Yeah, that's true. It still seems crazy that they require users to do this.


>I don't want to trust my phone!

That's an interesting threat model that I don't hear very often. Can you expand on what threats you're trying to protect against? If you ever sign in to Twitter on your phone, you're trusting your phone with your Twitter account at least to some degree.

The main thing security keys protect against that TOTP doesn't is phishing.


You don't necessarily log in to Twitter on the phone (I don't, for instance). Even if you did, your login credentials are considered more sensitive data than the session cookie you get after you're signed in. As with the Twitter app, the window of time in which your login creds are in memory is short. With a TOTP app holding your private key around, you basically have half the credential available at all times (unless of course the TOTP app makes use of the mobile platform's hardware chip to encrypt the private key when the app is not in use).


Yes, but assuming your phone is compromised, it can intercept the password and security key as you sign in, and take over your Twitter account. In fact if you use your security key to sign in to anything on your phone, the phone malware can use it to access any account linked to the security key (assuming the malware has your password). So even if you don't sign in to Twitter on your phone you're still vulnerable.

And even if you are already signed in to everything and think you won't ever need to sign in on your phone again, the malware can force a logout of something, and you won't be able to know if it was just some software update or expiration that signed you out. So you'll sign in again, and the malware will intercept your security key.


I have never used my Yubikey with my phone for any application, I don't even know if it works, and I see no reason why I would start. I almost never use Twitter on my phone and if I switched Twitter to my Yubikey, I would never use it on my phone.


Number porting attacks, remote phone compromise, phone theft ... probably in that order.

I almost never use Twitter on my phone, and if I switched Twitter to depend on my Yubikey, I would stop using Twitter on my phone completely.


TOTP isn't vulnerable to porting numbers, so you're safe from that threat.

Is remote desktop compromise less likely than remote phone compromise? Phones tend to sandbox each app, so a single malicious or compromised app cannot take over your phone. Desktops on the other hand allow any app to do essentially anything on your computer. Accidentally open a malicious email attachment and you're done for. Generally I consider machine/phone compromise outside of my threat model.

Is security key theft less likely than phone theft? Also, phones generally require a password or fingerprint or face to unlock, while security keys generally do not (Yubico announced a fingerprint-protected one 18 days ago, but it's not available yet).


Given that I run a Linux desktop, and not Ubuntu, I think I'm less likely to be swept up in a mass hack on my desktop than on my phone.

I bring my phone with me in lots of circumstances where I don't bring my security key, so yeah I think it's more likely to be lost/stolen.

Also, TOTP has a MITM problem that U2F/Webauthn doesn't have.


I thought the implication was he didn't want to use SMS for 2FA because of SIM hijacking attacks.


roca also said TOTP is bad, but TOTP isn't vulnerable to that.


Twitter, Google and the rest refuse to let you register without a phone number and they are aggressive about not allowing burner services.

So I spend money buying burner sims. I can. But normal people can't. They use phone numbers more than IP addresses to uniquely identify people. Never use apps if you can use a website!

And screw these companies that are sneakily hostile against their own user base.


I use a lot of burner phones cuz I'm paranoid, and when you sign up for fb/google/whatever they treat a burner phone you just turned on completely differently from your regular, existing phone number. Example: if you activate a burner phone and sign up for tinder with the number, it pauses after you enter the code and then asks for your email address. You have to separately log in and verify your email. On the other hand, if you sign up for tinder with your normal number you're verified; it doesn't request an email address. They get some kind of information packet about your account that I would guess includes activation date, your approximate age, whether your service is prepaid etc. I should say, I use the term "burner" for a cheap Android phone you insert a bring-your-own SIM into. Don't worry, it's not that anonymous because they also track/correlate your device IMEI with the services you use. I had an interesting experience the other day. The burner phone service expired, and tinder knew within 24 hours the number was no longer active... Creepy.

2010-2019 has been the smart phone decade and now it's coming to an end. I'm celebrating by letting my cell service expire. My smart phones leak way too much data. I'll be using my too-smart phones like an ipad, making and receiving calls and texts only when I'm connected to WiFi at home.


I have the same experience with tinder. They build shadow profiles on you, and they're not even discreet about it if you look at their traffic. I get whole phones with sim cheap.


It's the implementation of a "social credit" system. I don't know all the details but they evaluate your "social media creditworthiness" through your phone number.

I don't agree to any TOS with tinder and I really doubt they "delete all my information" when I delete the account like it says.

In fact my guess is they just leave your profile active if it's popular to encourage other people to "match" with you.


> In fact my guess is they just leave your profile active if it's popular to encourage other people to "match" with you.

I wouldn’t go to the extent of saying they don’t do it, but I think it’s very unlikely due to the nature of their service. It’s different from, say, Facebook, which can do it without anyone knowing. If I got into a relationship and closed my Tinder account but they kept it alive, a single friend could find it and tell my partner. If this happens too often, word will spread that something shady is going on.


Twitter lets you register without a phone number. All you need is an email.


I believe recently it will lock your account for "suspicious activity" or something until you verify by adding a phone number.


They've done that for a couple of years.

If you can actually submit a support ticket, get them to agree that a phone number is not required (like it says on their website), and to reply when that's done, you'll get your account unlocked after a few days. (usually)


That's been my experience.


Why can’t we have more than one u2f key??? The most important guarantee that u2f gives you is a significant reduction in phishing risk. I can still be phished with a totp code by a social engineering attack and something like Modlishka...


I was also really hoping they would slip this into the update too, but looks like not yet unfortunately :(

The whole login security ecosystem across the web is in a state of high entropy flux. Some websites still don't offer 2FA, some only do text, some demand text, some don't even offer text, some offer authenticator apps, some force specific authenticator apps, some offer hardware tokens, some allow only a single hardware token, ... The U2F hardware tokens themselves are only compatible with some of your devices due to the variety in ports, etc.

And a typical person will have to have an account with ~100 different places that they want to use with continuity across multiple devices.


Yeah, recently demo'ed Modlishka to my org, really scary stuff...

Re U2F keys: I think I would prefer a security model where I provision a U2F key based on some master secret stored in a "secure" but accessible way, i.e. paper. Then I could create a new key with the same secret when I lose or break the first one.

Having two U2F fobs seems almost like having two different locks on all your doors, setup so that only one is needed to open the door.


It's possible to do what you describe with existing open-source/open-hardware U2F security keys, as they let you define the master secret from which the per-site private elliptic keys are generated. I haven't personally tried it, though.

But for security you should still have at least two U2F security keys using different master secrets (if you lose one security key, you can deactivate it without deactivating the other).


I simply refuse to do 2FA with phone number. I change phone providers and phone number more often than email provider. I generally don't trust my phone provider to act responsibly and fully expect to get ripped off by them and their customer support to do all the wrong things.

I implemented 2FA server and frontend support at some point and it's stupidly easy to do. It's arguably a lot easier to do than building SMS based 2FA because you don't need the integration with SMS. All you do is show a QR code, store the shared secret, and then run a simple algorithm to verify the current code and timestamp line up with what the user typed when they login. The algorithm for generating codes compatible with Google Authenticator, Authy, etc. is available in OSS form for several languages. Same for QR code generation. The rest is bog standard UX work and a bit of DB plumbing.


As if they won’t arbitrarily lock your account and force you to enter a phone number because of “suspicious behavior” anyway...

You could already disable SMS 2FA after enabling TOTP, but removing your phone number completely used to disable 2FA.


Same here. I didn't want to give them my number and they blocked my account because of 'suspicious behaviour'.

Now I wrote to their support after reading this and I am very interested in their response.

I think if they go on trying to force me I will just delete the account. This is the only thing that helps those companies to understand their users needs when they have problems listening or seeing them on their own, I'm afraid.


UPDATE: The support was very fast and kind and they unlocked my account without the need to provide a phone number.


Still does from my experience today!

If you log into your account and turn off SMS-based 2FA it also turns off TOTP-based 2FA!! Fortunately I wanted to switch to a different authenticator anyway (twitter buried their TOTP tokens deep within the android app).


Facebook doesn't even let you sign up without a phone number anymore. How did we get here?


I remember looking over the application form for the first Oculus Connect (after Oculus was purchased by FB). What struck me as odd was that the form didn't just ask for your phone number. It asked for your mobile telephone number. It was an unusual distinction that I hadn't seen before.

Now, it could be nothing, but I came to a personal realization just how valuable a telephone number could be for such a well-positioned company to do a deep-dive into a person's background just by using their mobile number as the key to tie additional records to the user's identity. Or their activities before, during, and after a company's conference.

To answer your question, I believe that Facebook wants the (mobile) telephone number of their users to facilitate any number of additional uses, and "account security" is one actual use that lets it slide under the radar of most people. Clever! (Or depending on your POV on privacy and personal security, unfortunate!)


These days companies ask for cell phone numbers because no one uses landlines anymore. I fail to see what’s strange about that.


I tried to make that distinction clear. I'll see if I can do a better job.

Most companies ask a customer for a telephone number in their forms and in their applications. Actually, just about any context where the customer's mobile device is not the item of attention. This was my first encounter with a company that specifically requested a mobile telephone number in their application. This unusually specific request illuminated some interesting possibilities in my mind.

If your experience circa 2014 has been different, actually, that's great! I'd like to see and compare some similar event applications around that same time period. (Still, it was the possibilities for the uses of a mobile number that really flagged my interest as well as the relevance to this conversation, not the rarity today of companies specifically requesting a mobile number.)


> mobile telephone number

Did they use those exact words? Sounds strange to me as most American English speakers would say “phone number” or “cell phone number”, and both have been used pretty much synonymously (because in practice they basically are) for a long time. More formal forms (government forms) might ask for something like “daytime phone number”. In particular I haven’t seen the word “telephone” in ages.


I'd have to unearth the screenshot I took some years back, but that strays from the point, doesn't it?

They weren't asking for home number, work number, and mobile number. Or as you mentioned: daytime number, evening number. It was more along the lines of: Name, Address, Mobile Number, Company Name, Job Title, etc. They specifically wanted a mobile number and no other type of number.

Were they wanting a mobile number so they could more easily research an applicant using their internal tools? Only they would know. But it drew my attention to the possibilities and the importance of obtaining a mobile number.

Back to OP's question, part of the reason a mobile number is required to create a Facebook account may be to help tie different types of records together. Of course, as mentioned, there are other reasons, such as security. Users will understand and provide a mobile number for that reason alone.


Oh you were talking about signing up for a developer kit. I thought it was something consumer facing.

In business settings it’s still pretty common to ask for a cell though, or so I thought.


Well, I think the argument (whether you buy it or not) would be that platforms like Twitter and Facebook are trying to curtail abuse and bots, and "owning a phone number" is a decent way to tell if someone's human. To my knowledge, neither has ever texted or used the phone numbers for anything other than verification.



Both can be true. I tried to open an anonymous Facebook account. Could never succeed. My twilio number was refused. I couldn’t give my normal phone because it’s already associated with my other Facebook account. They do want to limit the number of accounts per person even if that meant more accounts to advertise.


Except with number porting and the ability to be allocated hundreds of thousands of phone numbers by filling in a bit of paperwork, the whole thing seems moot.


This is great.

I ported my primary phone number into Twilio years ago. Most apps/websites have no problem with a `voip` number type. But some systems, including Twitter, have refused to accept it.


Quite a few people asking about my experience porting my number to Twilio.

A few years ago I was frustrated about paying CA$100/month for my phone plan in Canada for unlimited talk/text and a few gigs of data a month. I realized I only needed the data.

I wrote an app that directs phone calls straight to voicemail and then emails the missed calls and voicemail transcription and mp3s. SMS messages are sent to email and email replies get sent back as SMS. I made this a product at https://ringer.io.

I also picked up two CA$15/month data only SIMs (3GB each) from Fido.

So now I could only receive voicemail and I would use Google Hangouts Dialer to make traditional phone calls, which was very rare. I have to admit it was awesome not having the ability to receive a phone call.

I used WhatsApp day-to-day for texting and video calls.

Eventually the need to receive calls kicked up a notch so I switched my number over to https://openphone.co for US$10/month. They are on Twilio as well so it was a painless port (ie: one API call).

The OpenPhone app is "good enough" for me. If I had to talk a lot using traditional phone calls I would pay for a dedicated talk/text plan.

But I'm happy paying CA$30/month for 6GB of data and US$10/month for the phone/text line.


Can you tell us more about your experience using Twilio as your personal phone number? I was looking at alternatives to Google Voice and Twilio seemed like an interesting possibility but I have been looking for someone that has tried it to let me know if it's worth it.


How do you receive phone calls etc.? Does it redirect to your phone like Google Voice for example?


Why did you port your number to Twilio? Isn't it a pain for things like group messaging?


Not OP but I think I've participated in a group SMS maybe twice in 10 years and initiated none. I don't feel like I'd be missing out by not having group messaging support.


The problem is, you have no idea if you're missing out because you aren't getting them.

I use Google Voice and my family uses group text to coordinate things like dinner. I only knew about dinner because my wife gets the group texts.

GVoice eventually fixed the group text problem, but I don't get all the messages and I get them out of order. I also get other group texts with important info that I wasn't getting before.

I have no idea how many other group texts I'm missing out on that I might actually want to be a part of or was missing out on. Everyone assumes that group text works with all recipients all the time, and since it has no way of telling the sender it failed to deliver, no one ever follows up.


Depends on geography. In Canada it’s WhatsApp and Messenger groups. Never had a group text. Not saying it’s the same across the country, but don’t assume that others are missing out on group text; I could get group texts and I don’t.


Yeah, what's a "group text" ? We use Whatsapp or other stuff like that across the pond :)


I use group texts every day so that would be a deal breaker.


Does group SMS even exist? I know that you can send the same message to multiple recipients, but does it support "revealing" the recipients to each other? Or am I just out of date? I haven't sent a proper SMS in probably 5+ years.


MMS is used for group texting.

It's extremely common in the USA since most people in the USA have phone plans that include unlimited MMS and SMS; third-party chat apps like WhatsApp never became ubiquitous here as a result of that basic functionality being available through the phone.


Aah, MMS, that makes sense.

I think most people here use either Messenger or iMessage, the latter being the case in my circle of friends.


But if you reply to a tweet too soon and get misidentified as a bot and blocked, then you have no choice but to link your mobile number to get unblocked.


You don't even have to tweet before you get blocked. I created an account, and after a few minutes of looking around, I was blocked. (Still blocked, because not worth it.)


Were you on VPN/Tor, not that I'm implying it's a legible case to block; but I've read VPN/Tor usage on Twitter will lead you to mobile linking inevitably due to said issue.


I had the same experience. Not on VPN/Tor/anything. Before I even posted a single tweet I got blocked by a generic "our algorithms think you violated community guidelines" or something.


You don't need to be on a VPN, just make a new account, set a profile picture and bio, and it'll be locked if you don't have a phone.


Who came up with the idea of using SMS for 2FA in the first place instead of e-mail? It sounds insane.


I don't understand. I already have the authenticator app ticked, and this doesn't appear to be the new default - I have it in the authenticator app already too. If I untick SMS, it says this will disable 2FA. What gives?

EDIT

Looks like a bug. Deleting the phone number gives no such warning, and 2FA continues to work.


This is wonderful news. I hope that others follow their example. (In particular, Apple...)


Good move!

A 2FA system that requires me to give a phone number is a 2FA system that I won't use. I'm not about to give my phone number out to most companies, and I'm too lazy to go get a burner phone just to set up 2FA.


Strange. Since any new account I add to the site gets locked after about ten minutes and demands a phone number to verify.

I get the account unlocked after a few days if I pester support about it. (which is not easy either)


I still can’t log into Twitter because they refuse to send the verification to my phone number. It’s been three weeks of multiple emails to their support.

All this and I only need the damn thing for my data analysis course.


I hope paypal and transferwise follow this example. International travelers have been suffering for years due to this horrible ux.

SMS based 2FA is a farce, I look forward to it going extinct.


PayPal[1] and TransferWise[2] already support TOTP, am I missing something?

[1] https://www.paypal.com/us/smarthelp/article/faq4057

[2] https://transferwise.com/help/12/managing-your-profile/29321...


Both require that you have SMS-based 2FA first. I have had this conversation with both of their support departments and it's a non-starter.


We need to stop calling this 2FA. If you can reset your password via text or email, it’s not. I'd rather have no way of resetting the password. And if it is lost, it is lost.


Exactly. SMS as a 2FA option is worse than no 2FA. It actually creates a new attack vector.


I had 2 old Twitter accounts over the years; I stopped using Twitter and ended up having both disabled. I messaged their support but got no answer.


Good, but pathetic that it took so long. The only other 2FA I still do via SMS occasionally is a bank.


I'm glad this happened; I've been waiting for more than 5 years for this.


I can't believe it's taken them this long for proper 2FA.


Not proper as it only allows a single key.


You could argue that it’s up to you to have a proper key backup strategy (ie not Google Authenticator). You don’t have several user names and passwords for one account, either.


The specification for WebAuthn (Security Keys) explicitly tells implementers they SHOULD support multiple tokens because otherwise the recovery scenario is terrible.

You can't realistically "back up" cheap Security Keys, their whole design is predicated on your being unable to extract the secret inside them which makes them work.


Thanks, I stand corrected.


But I still had to add and verify my email before I could add 2FA.


Let me guess (they didn't define it on the linked page) - 2FA with a physical token only works in Googlenet Chrome?


And people in the 60s thought we would be commuting in flying cars by now.


What took Twitter so long?



