My experience is that after you give your phone number to most companies it effectively becomes a single factor: it's trivial to get them to change passwords with that alone. AFAICT, the only protection is to not give them your phone number in the first place.
> "the only protection is to not give them your phone number in the first place."
That has its own risks. If you don't provide it to Google and your account gets hacked, it's extremely hard to get it back. (My wife lost her original Gmail account that way about 2 years ago. And of course there was no way to get any live support to try & fix it.)
Basically if you don't provide your number, you're more open to the more prevalent traditional hacking. If you do provide a number, you're more open to a slightly less prevalent type of hacking. It doesn't leave much to choose from.
I've read of many cases of folks losing access to their personal Google account through no fault of their own, and winding up helpless to get it back. Almost happened to me after I was victim of a SIM Swap.
From the article, even the Twitter CEO has this problem:
> While he has managed to get back his social media accounts, he has not regained access to two Google email accounts that held years of communications.
If anyone with directional authority at Google is out there: It would be really decent of you to provide some means of customer service for consumers stuck in this catch-22.
I can't accept there's no reasonable way to perform an identity confirmation beyond the laughably limited self-help measures currently in place. If it's a matter of economics, make it pay-per-use.
With Google anyway you're down to 2FA using an authentication app (possibly U2F but I haven't checked on that recently) and backup codes which should also protect you from traditional hacking.
Maybe it's time to reconsider phone numbers. Think about it. There's already a divide between phones on one side, and tablets/laptops/PCs etc. on the other. You can only use WhatsApp on a phone (or a laptop connected to a phone). You need a special phone contract to make phone calls. You can make voice calls via VoIP/WhatsApp/whatever, but you have to understand what network the person is on. Then there's this security nonsense, with porting numbers and permission etc. If there was a VoIP standard where you just placed a voice call with someone else from any device, for free, with a known way of dealing with missed calls, where spam wasn't an issue (whitelist only, or at the very least some authenticated way of knowing who was calling you, so you could block someone's actual number, not the one they spoofed, or could refuse to entertain number-withheld calls, etc.), you'd do away with loads of this nonsense in one go. And it's not like it would require any new infrastructure at all; it would be purely a protocol/software thing.
That "just" is doing a lot of legwork, though. How do you identify and find that someone else, so you can call them? Generally, you need some sort of unique identity. And how do you make sure that unique virtual identity connects to the correct physical person? Once you solve that, you can probably apply the solution to phone numbers.
I briefly used a free UK VoIP service which allocated you a real, geographic phone number anywhere you wanted in the UK. 01234 567890, for example. Anyone - you, for example - could phone that number, and my phone would be configured to use that company's service via username/password such that I'd receive your call. You'd think it was a regular phone call, and being geographic it would be free, or taken from your minutes, or just normal if you were phoning me from another country, and I could receive that call anywhere I had data (and not necessarily phone - so I'd not need a foreign SIM card if I were travelling, which is the case currently) coverage. I'd have to pay the company if I wanted to place calls to regular phone numbers.
So I'm really suggesting something like that. Assuming it was a standard and the company didn't want paying because they weren't doing the whole geographic-number-to-VoIP-identity thing - they were just allowing the creation of an account. We'd be moving away from traditional phone numbers - the number/ID could be a GUID or long hash or whatever; nobody's going to try and remember it - it would be stored in your contacts like "dave smith" or "mum" or whatever.
Dare I say it, you could have a blockchain for this. Just to store the identifier. Not associated with any other string, such as a name or email address; just a way to ensure that the identifier isn't taken (so there may be a rush for cool ones but like I said, no-one would actually need to remember them) - that you're the first person to claim it.
Fine, there's a free global database that stores some random unique ID for you. Now say you're in Lisbon connected to some public wifi network, and I'm in Oslo connected to my office wifi network.
If I press the button to call your unique ID, how does my softphone get yours to ring?