Do what I do and turn off "allow multi-device." Problem solved -- even if your phone number is stolen, they can't recover your 2FA because it's locked to the device too.
I just did some quick research on these IDs. Correct me if I'm wrong, but it seems like each user account would be tied to one device. It also seems like the user, at least on Apple devices, has to opt into advertising tracking in order for your app to even get access to this.
Ignoring the security pitfalls of phone numbers, it really doesn't seem like these advertising IDs are a drop-in replacement for using phone numbers.
> for the 100,000th time, just stop using phone numbers for 2FA.
I agree, and I say this to whoever asks me too, and I avoid any services that still use phone numbers as a way to associate it to you (Signal, I’m looking at ya!)
However, easier said than done, some services still require you to use a phone number, like banks, some government agencies, insurance companies, etc., the services that actually matter if your data get leaked. I believe there should be a regulation to prevent using the phone in any way to confirm your ID, and never force you to provide one to access such services.
You can enable multi-device, and have it on multiple devices, then disable it (and keep it on multiple devices - it's just that then adding yet another device needs toggling multi-device on from an existing device, a confirmation SMS is not enough).
There are no more excuses other than asking for your phone to be SIM-swapped and your bank accounts or your wallets to be drained by call centers.
If this breach doesn't scare you from using a phone number for 2FA, then maybe nothing ever will and AI and deep fakes will make this even worse.