Why do leading sites require a phone number for 2-Factor Authentication (2FA)?
There are plenty of people telling me I need to turn on 2FA for important sites, but I’ve given up.
All I want:
What I don’t want:
- To be woken at 2am by sales calls.
- To receive annoying text messages.
Seriously. I don’t like phone calls at the best of times, and calls from companies are right at the bottom of my list. Sales calls are at the bottom of that list, the bottom of the bottom of the list.
And one thing I learned from spam - the simplest way to avoid getting spam from a company is not to give that company your email address. It seems perfectly sensible to me that the way to avoid getting phone calls from a company is not to give them your phone number.
But you can’t turn on 2FA on sites like Google Mail or Twitter without giving them your phone number.
I find this annoying.
It’s not a technical requirement. Yes, they have a way to do a 2FA by texting your phone number, but that’s not the only way to do 2FA. Google have put a lot of effort into 2FA, have created their own ‘Authenticator’ app, and even support open-source apps using these standard 2FA protocols. But you can’t use any of these standard protocols without first giving up your phone number.
These standard protocols (RFCs 4226 and 6238, HOTP and TOTP) don’t require your phone number - the site and your authenticator app share a secret key once, and every code is computed from that key with a keyed hash (HMAC), so there is nothing to send to a phone. So there’s no reason a secure 2FA implementation needs to ask for a phone number. It can work perfectly well without it. NIST has even deprecated the use of SMS in 2FA!
I’ve been told ‘But Google say they’ll only ever use the number for 2FA’ as if, somehow, that was immutable. Google can (and probably do) change their Terms and Conditions without me noticing. Changing the use of the phone number from 2FA-only to 2am-sales-call-o-rama doesn't seem beyond the bounds of possibility for a company that used to have the mantra ‘Don’t Be Evil’ but then... changed.
And Google is one of the better companies out there! If I don't want to give Google my number for 2FA I certainly don’t want to give it to any of the worse companies.
So I’m wondering about ways around this. There are mailinator-like services for SMS messages, but I don’t think that would increase my security... I could get a free SIM and use it to set up 2FA, but that would turn into an ongoing cost because 2FA is an ongoing problem and I’ll likely need to enable 2FA in future on sites that don't even exist yet. I’m reluctant to have an extra mobile phone and SIM and overhead and cost just because companies want my phone number.
Why do they all want my phone number so much anyway?
Bah to the lot of ‘em.