It's Time to Sunset Phone Numbers as IDs and for Two-Factor Authentication

When it comes to securing our accounts from all kinds of breaches, we're often urged not to repeat our passwords and to have strong ones that are hard to guess.

Easier said than done, am I right?

One quick way to go about beefing up our accounts is to set up two-factor authentication (2FA), which basically adds an additional layer of security designed to ensure that you're the only person who can access your account, even if someone knows your password.

2FA is simply the most effective means — the holy grail — to safeguard your accounts from phishing and credential-stuffing attacks, where passwords stolen from previous data breaches are used on another site.

This can be done in a lot of ways — SMS, using an authenticator app, biometrics, or even a hardware security key that you plug into your device to sign in to, say, a service like Google.

The idea is to use your phone (something you have) and biometrics (something you are) to augment your passwords (something you know) as a means for identification.

All of this is good and all. But SMS has been proven to be the weakest link in two-step logins: cyberbaddies can hijack the very SMS messages meant to keep you safe.

An unintentional side-effect of providing your phone numbers for authentication became apparent recently after Twitter disclosed it "accidentally" used some email addresses and phone numbers provided for account security purposes for targeting ads.

It's not just egregious that Twitter is using information explicitly meant for one thing for something else entirely; the transgression is a clear-cut case of a privacy violation — in the process undermining trust in a security feature meant to underscore trust.

It's unbelievable how many companies screw this up.

The lapse, if anything, proves that it's time to sunset phone numbers — which are increasingly used as IDs and usernames — for 2FA.

While it's not surprising that big corporations continue to put profit before privacy, Twitter took it to the next level by making phone numbers mandatory even if you were to use an authenticator app for 2FA.

So, deleting a phone number from your Twitter settings all but immediately withdraws your account from Twitter 2FA. Other major sites, including Google, Facebook, and GitHub, don't make this a prerequisite.

Cybersecurity expert Matthew Green tweeted, "whose idea was it to use a valuable advertising identifier as an input to a security system. This is like using raw meat to secure your tent against bears." Oof!

In recent years, SMS messages have become increasingly susceptible to SIM swapping attacks — a clever social engineering trick used by cybercriminals to persuade phone carriers into transferring their victims' cell services to a SIM card under their control.

This basically allows an attacker to hijack all your calls and text messages, including those meant for 2FA.

Although adding a layer of SMS-based verification to your logins is better than relying on a password alone, it's no longer the best way to do it. At this stage, using phone numbers as the only source of two-factor identification is akin to inviting identity theft.

SMS is fast turning from 'something you have' into 'something the service sent you,' making such one-time codes susceptible to attacks. This means SMS should be avoided at all costs, and should be the last thing on your mind when it comes to anything login-related.

The incident is a reminder that it's time for services that only offer SMS-based second factor protections to give users better options.

As for Twitter, the sooner it decouples the phone number requirement from 2FA, the better.
