Stop Treating Phone Numbers As A Digital ID
Are internet security and internet privacy incompatible goals?
Have you ever tried to make an Instagram account only for it to ask for your phone number? What about Google? iCloud? Your bank’s app? Your university’s website? Over the past decade, we’ve gone from “you need to enter your phone number in order to make an account” being unheard of to something we now take for granted in our digital lives.
As a young person, I only started using the internet around the late 00s, a time many people would pinpoint as the absolute tail end of that awkward transition period between the “old” and “new” internet. By this point, with getting online easier than ever before even for the most tech-illiterate among us, it was getting harder to separate the “online” and “offline” worlds. It was more profitable than ever to do your business online, but also more profitable than ever to take advantage of others online.
The internet was not going to become a mainstream hub of commerce, media, and culture until measures were taken to improve security. The old way of doing things was simple: your account had a username and a password. The problem is that this often wasn’t enough of a barrier for attackers: database breaches, malware, and plain old guessing were all very effective ways to steal passwords.
Nowadays, chances are, if you want to use anything online, you’ll need to provide a phone number. And each time you get past that password screen, you might have to check your texts, scan a QR code, or open an app. This two-step process to logging in has a name: “2-Factor Authentication”.
The current state of 2FA is… a lot of things. It’s simple but tedious. It’s been an improvement in terms of security, but a disaster in terms of privacy. In this piece I want to talk about a certain concerning trend — how much of our online security revolves around specifically phone numbers, and how our society is determined to turn it into the equivalent of a digital ID card.
Now of course, there are some benefits to using a phone number.
In the modern day, almost everyone has a phone, so it’s convenient to just check your texts. You don’t even need to install an app.
You can’t just “make a new phone number” easily, so it’s often a good indicator the person in question is a human being.
But before anything else we have to talk about the elephant in the room. The big drawback is that this approach requires you to surrender your privacy entirely. If you know a person’s phone number, it’s not hard to track down the rest of their personal information from there. The power for anyone out there to readily track you down is, of course, not something you benefit from. But politicians looking to censor, advertisers looking to shove products down your throat, and criminals looking to steal your identity are willing to pay top dollar for that information. And the companies you gave your phone number to are more than willing to sell.
The extent to which this is in and of itself a motive for sites to maintain such a system versus just being a “bonus” they take advantage of is definitely up for debate, but it’s also worth looking at the other justifications.
A site will usually give you two reasons as to why they need to know your phone number:
Authentication: Checking that the person logging in is really the account’s owner and not an attacker.
Verification: Making sure you’re a human being and not a robot.
So, how well does this approach work towards those ends?
In terms of authentication, while receiving codes via text is better than nothing, it’s still far from safe. Regular texts (via SMS) were never designed for security: a code goes to whoever currently controls the number, and attackers routinely take that control through SIM swapping attacks, in which they persuade or bribe a carrier into moving your number onto a SIM they hold.
The consensus among security experts seems to be that a standalone authenticator app (using TOTP) is significantly better for authentication1. Under such a system, you load up the app, add the account in question (usually by scanning a setup QR code once, which hands the app a shared secret), and check which code is active whenever you need to log in. One of the big advantages of this approach is that after that one-time setup, nothing is ever “sent” from the website to the app. Instead, codes are generated independently by both the app and the site from that shared secret and the current time2: this ensures codes are only valid for a short window and that there is no message in transit for attackers to intercept. (A code you type into a convincing fake login page can still be relayed to the real site within that window, so TOTP is a big step up from SMS rather than a cure for phishing.)
TOTP also has massive privacy benefits, allowing you to still have the benefits of 2FA (and the convenience of having it on your phone) without having to give your phone number. Even better, in a lot of cases3 you have the ability to freely choose which TOTP app you use for 2FA4, which means you’re not necessarily forced to make an account on one specific authenticator (such as Microsoft Authenticator or Google Authenticator).
Of course, even if you’re not one to care for either privacy or security — SMS-based 2FA can cause all sorts of other headaches. Part of what inspired me to do this week’s piece on this topic was listening to a friend of mine recount the time he changed his phone number and suddenly found himself locked out of his own online banking login, with minimal recourse to regain access apart from jumping through various hoops. The byproduct of tying everything to your phone number is that everything goes down alongside it. And to be fair, it’s not just him:
As for handling verification, the story there unfortunately seems to be a lot more complicated. Verification is a serious problem and it’s bound to only get even worse with time. Malicious bots have grown to make up almost half of all internet traffic. AI companies are flooding websites with unwanted traffic in order to train their models. Social media platforms are being filled with conversations by fake accounts. That being said, automated anti-bot systems are incredibly aggressive and have often flagged me (and in turn either forced me to add a phone number or banned me) over entirely innocuous behavior5.
I remember back when I was running a smaller social media platform (which might be a story I’ll save for a later post), the classic verification methods of the 2010s (e-mail verification and CAPTCHAs) did nothing to stop multiple bot accounts from registering and trying to spam the site every single day.
The problem with email verification is that it’s trivial to make email accounts en masse. Phone numbers, on the other hand, often require you to go to a store, register your real-life identity, and purchase a SIM card. This fully identifies you, of course, but it also adds significant hurdles to acquiring a bunch of them6.
CAPTCHAs put up a better fight, although even they are having trouble in the arms race against modern AI. A CAPTCHA is essentially an activity designed to be completable by humans but not by robots: this could be typing out distorted text, selecting fire hydrants, or — as of late — completing something that’s starting to increasingly resemble a WarioWare microgame:
Of course, the growing absurdity of these activities should give you an idea of how much harder it’s getting to consistently differentiate between AI and human behavior on the internet.
There are also various other problems that have continued to plague the most popular CAPTCHA systems7. reCAPTCHA is owned by Google, a company which also has a vested interest in undermining your privacy8. Some people made hCAPTCHA as a privacy-friendly alternative, but its effectiveness has been seriously called into question.9 So far the best solution (both in terms of effectiveness and privacy) seems to be Cloudflare’s Turnstile, which relies on a series of automated challenges10, although even it’s not perfect11. Other services have taken to ditching manual CAPTCHAs in favor of browser fingerprinting (trying to uniquely identify your browser from signals such as how its GPU renders graphics), although of course this approach has its own privacy issues12.
It might be worth considering an approach like that of ProtonMail13 (a privacy-friendly email service): they accept SMS as a verification option, but they immediately encrypt the data and delete it once verified. Perhaps we could do something similar with web fingerprints. Of course, this norm requires us to put a lot of trust in the good intentions of service providers.
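What “verify it, then throw it away” can look like in code, as an added example that is not ProtonMail’s implementation or anything from the original post: a small in-memory service that holds a phone number only while a one-time SMS code is outstanding, stores a keyed hash of the code rather than the code itself, purges the number on success, expiry or too many wrong guesses, and leaves the account with nothing but a “verified” flag. The SMS sender, the ten-minute lifetime and the five-attempt limit are assumptions; encrypting the pending record at rest (which the page mentions) would layer on top of this and is left out here.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

CODE_TTL_SECONDS = 10 * 60   # assumption: a code is good for ten minutes
MAX_ATTEMPTS = 5             # assumption: five wrong guesses burns the code


@dataclass
class PendingVerification:
    phone_number: str    # exists only while a code is outstanding
    code_mac: bytes      # keyed hash of the code; the code itself is never stored
    issued_at: float
    attempts: int = 0


@dataclass
class Account:
    account_id: str
    phone_verified: bool = False   # the only fact the account keeps afterwards


class PhoneVerifier:
    def __init__(self, send_sms: Callable[[str, str], None], server_key: bytes,
                 clock: Callable[[], float] = time.time) -> None:
        self.send_sms = send_sms          # hypothetical SMS gateway hook
        self.server_key = server_key      # secret kept outside the database
        self.clock = clock                # injectable so expiry can be tested
        self.pending: Dict[str, PendingVerification] = {}
        self.accounts: Dict[str, Account] = {}

    def _mac(self, code: str) -> bytes:
        # HMAC with a server-side key: a leaked pending table does not let an
        # attacker brute-force the one million possible six-digit codes offline.
        return hmac.new(self.server_key, code.encode("ascii"), hashlib.sha256).digest()

    def start(self, account_id: str, phone_number: str) -> None:
        """Issue a fresh code; the number is held only inside the pending record."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[account_id] = PendingVerification(
            phone_number=phone_number, code_mac=self._mac(code), issued_at=self.clock())
        self.send_sms(phone_number, f"Your verification code is {code}")

    def check(self, account_id: str, submitted: str) -> bool:
        """Check a submitted code. On any terminal outcome the number is purged."""
        rec = self.pending.get(account_id)
        if rec is None:
            return False
        if self.clock() - rec.issued_at > CODE_TTL_SECONDS:
            del self.pending[account_id]          # expired: number gone, no account change
            return False
        rec.attempts += 1
        if hmac.compare_digest(self._mac(submitted), rec.code_mac):
            del self.pending[account_id]          # success: the number is gone for good
            self.accounts[account_id] = Account(account_id, phone_verified=True)
            return True
        if rec.attempts >= MAX_ATTEMPTS:
            del self.pending[account_id]          # burned: caller must start over
        return False

    def retained_phone_numbers(self) -> List[str]:
        """Everything the service currently knows about anyone's phone number."""
        return [rec.phone_number for rec in self.pending.values()]
```

The cost of this design is that the service cannot later tell whether the same number was used for ten other accounts, since nothing derived from the number survives; a service that wants that check has to keep at least a keyed hash of the number, which is a weaker privacy promise and should be stated as such.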
On this question of verification, I don’t have a particularly foolproof solution, but maybe there just isn’t one. There’s a deeper problem all of this raises, a pattern that keeps popping up: the most effective forms of verification involve identifying yourself as a human being, the same way a bouncer verifies your age by checking and scanning your full ID. It shouldn’t come as a surprise, then, that politicians are considering phone-based age verification at the same time they’re salivating over the idea of an internet ID card.
The big problem, which I alluded to at the beginning of this essay, is that the real world and the online world have started to become one and the same. The real world needs rules to function because it’s dealing with real identities, real money, and real consequences. The internet of old was niche, but it was also that nicheness that allowed it to be a bubble — the stakes of security and privacy violations were so much lower then than now.
The internet of old was broken into smaller communities, often either in chatrooms or forums, where manual moderation and vetting were still possible. Social media platforms of today constitute a massive public square which is impossible to sift by hand. Perhaps we might need to work towards giving the real world its place back, and breaking the internet down into smaller communities that are easier to manage.
One example of this in practice on a large scale is Steam’s mobile authenticator system, which while proprietary, is TOTP-based. Read more here: https://store.steampowered.com/oldnews/19618
To see which sites support non-proprietary TOTP, check out the 2FA Websites Directory.
I personally use and would recommend Aegis Authenticator if you’re also an Android user.
Both Facebook and Snapchat banned me before I could even make an account because their automated systems flagged me as a bot. Discord temporarily banned me and then required a phone number following me adding a person I met on Reddit, which (once again) was mistaken for bot behavior.
Yes, VoIP numbers exist, but most services have started blocking their usage when signing up for accounts.
Also, in my research I found a lot of concerns regarding how well these activities account for cultural differences, but those honestly might be relatively fixable.
Cloudflare works not by web-fingerprinting, but by “IP reputation (historical malicious activity), firewall rules based on HTTP requests, and rate limiting”. Read more here: https://pmc.ncbi.nlm.nih.gov/articles/PMC7338186/#Sec11