
Lose access to your number by any category of errors on your part or your carrier's part, and see what happens.

They're not tied to your person with much more permanency than a DHCP IP address. There's no process to verify your identity or recover your number or help you regain your accounts. The actual process for migrating your number is "Sign up with this other brand you've never tried before and tell them to politely ask your former brand to release the number to them".

If I lose my phone to a trash compactor, the process to change anything in my phone carrier account with regard to SIM cards is going to forward things to my Gmail account, which at random times for random reasons is going to begin to demand 2 factor identification for logging in on a new device via texting my phone number.

There are all sorts of crazy scenarios that can arise with double binds like this.

If we had a resilient authoritative identity verification (say, the DMV, or US Passport Office), or if we had a diverse variety of low-trust identity factors that we could check multiple aspects of ("text my mother" / "Here's a bill showing my address" / "here's a video of my face saying my phone number"), there would be a way out, but all of corporate America heard "2fa is required for security now" and said "So we just text them right?"

That makes your phone not "another thing that people can use to talk to you in circumstances when you're not accessible", which the FCC's portability plan was maybe sufficient for, but a fragile single point of failure for your entire identity.




Google allows you to set up multiple types of second factors for 2FA purposes. There's no reason you should be relying solely on SMS for Gmail's 2FA.


What about any other service that only allows sms 2fa?



