Late Night Thoughts

Why phone numbers should not be used for authentication

October 07, 2021 • 1 min read

Sometimes it's good, sometimes it's not

If you haven't noticed, it seems every application nowadays is asking users for their phone numbers, whether or not it is actually necessary. In most of these cases, when your number is not being used to spam you with texts, promotions, etc., it is used to verify that you are a person, verify access to an account, or verify your device. The question I want to dig into, however, is whether dual-factor authentication with phone numbers is actually as useful as it may seem. The answer comes down to whether or not the user has access to their phone number.

When you have access to your phone number

When you have access to your phone number, authenticating with your phone works fine, provided you have received the code from the website you want to authenticate to. It is then just a matter of taking the code you received and entering it in the input box.

But what does it mean to have access to your phone number?

It means you need to:

Access to Cellular Connection

This applies not only to authenticating with phone numbers but also to cases where you authenticate with email and a connection is required to receive the code.

Having a cellular connection also means you need money to pay for that connection. If email were used, however, you would only need access to the internet, which is easier to get for free.

Lastly, this means you need access to a device capable of a cellular connection. This is not a requirement if email is used and you just use Wi-Fi.

  1. Have access to a device with a cellular connection
  2. Have money to pay for that cellular connection
  3. Be in a location where your mobile carrier works. If this is not the case, you will have to get a new