The problem with using a VOIP number is that most app and websites won't let you use anything but a regular carrier number for verification -- they specifically restrict VOIP numbers from use. I presume this is to prevent spammers or just regular users from creating multiple accounts, but I think they're mistaken as it's trivial to buy a temporary "real" carrier number on the internet if you're fine using a somewhat-shady site.
I've been the person at the app banning voip numbers. The problem is there are some services that make it very easy to obtain a voip number at no cost to the user; if they don't have effective protections against bulk registration, spammers abuse them to get thousands of numbers and then use those numbers to abuse the service I was at.
Forcing spammers to have a non-voip number raises their costs, sometimes significantly, reducing their ROI and their interest in spamming our users.
We tried to make exceptions where we could, but it does suck for real people using voip numbers for whatever reasons.
Unless you're doing a dip of the number against proprietary telecom data sets, you have no idea if the number is a "VOIP" number, due to North American number porting laws, you can take any number that was a "Verizon landline" or whatever and move it to a VOIP provider that can overlay SMS capabilities on it.
Even if you dip and see that it belongs to a VOIP provider, it's a completely legit use case for some to own their phone number through Bandwidth, Twilio, Telnyx, Messagebird, whatever.
There are DBs that can get you that info. Some even tell you when the number was ported which is useful to catch mobile number takeovers. Things have moved beyond NPA/NXX lookups.
Of course, that’s what I was referring to. The consumer still has to subscribe to those data sets, keep them updated, and understand which lesser-known company names are “legit” telecom providers (as many large providers are non-household names and have VOIP offerings) vs whatever kind of VOIP provider he feels he needs to protect against.
My point being that if he’s doing it right, he’s probably spending more time and money than it’s worth, and if he’s not, he’s banning legit users for the crime of not having a big-4 provider.
How can an arbitrary number be used to abuse your service? At least for SMS "2FA" you only need to be able to send a message to an number associated with an existing account.
As long as you aren't using SMS as your rate limiting step to aquire an account then then it doesn't matter if someone has 1 phone number or 1000 numbers. In the case that SMS verification is the rate limiting step, why not switch to an open captcha or similir system?
They're also mistaken in their filtering oftentimes.
I have a smaller lesser known telephone operator friendly to a more advanced users, and my SIM-bound mobile phone number is rejected by big services like Google.
Not that I care anymore, I'll certainly not go to great lengths to use services which start their onboarding by blocking my number and forcing me to use big telco's services or some shady website.
