Ask HN: Can we (or at least Valve) stop using SMS for identity?
5 by jpalawaga | 5 comments on Hacker News.
Can we as an industry stop treating phone numbers as immutable pieces of information? They're not, and there is no easy way to know all of the services that use a particular phone number if you change your number.

I had someone recover my Steam account using an old phone number. Receiving an SMS allowed them to change the email on the account, which prevents me from recovering my account. I'm baffled that there seem to be a few lapses in their recovery flow:

- Steam will give your account away via text message, even if the person has no prior knowledge of the account (username, display name, email, purchases/billing info, anything).
- Email is supposed to be used as the primary recovery mechanism ("protected by Steam Guard email").
- When you purchase games, you're asked for a phone number which is never checked against your registered number (an alert would have brought the mismatch to my attention).
- The phone number was verified 3361 days ago. Never a "hey, is this info still up to date?" message or anything.

This essentially turned Steam's 2FA into 1FA. Or maybe even less, since they didn't even need a username to fully recover the account. Heck, they didn't know what account they were recovering!

This seems like a particularly egregious implementation of recovery, but really it seems to hinge on the idea that a phone number is some inalienable part of someone's identity. SMS for identity seems like a good idea if you ignore the changing-number case (people don't need to remember anything specific to your service!). However, the changing-number case is obviously one to be addressed, and is non-trivial to get right. I've seen a myriad of implementations here, most of them bad or half-baked.
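The recovery flow the post describes, modelled next to a hardened version, as an added example that is not part of the original post and not Valve's code. The account records, the 365-day re-verification threshold, the decision labels and the sample victim/attacker data are assumptions constructed for illustration; the weak model implements exactly the three lapses listed above (phone number as the only lookup key, no email confirmation, no freshness check), and the hardened model adds the checks the post says were missing, plus the checkout phone-mismatch alert.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Hypothetical policy knob: how old a phone verification may be before the
# number is treated as possibly recycled and must be re-confirmed.
PHONE_REVERIFY_AFTER = timedelta(days=365)


@dataclass
class Account:
    username: str
    email: str
    phone: str
    phone_verified_at: datetime  # when the user last proved control of `phone`


@dataclass
class RecoveryRequest:
    phone: str                               # number the requester received an SMS code on
    claimed_username: Optional[str] = None   # which account the requester says is theirs
    email_code_ok: bool = False              # did they also complete a code sent to the email on file?


def weak_recovery(accounts: List[Account], req: RecoveryRequest) -> Tuple[str, Optional[str]]:
    """Model of the flow in the post: whoever currently holds the phone number is
    matched to an account by that number alone and allowed to change its email.
    No username, no confirmation from the existing email, no freshness check."""
    for acct in accounts:
        if acct.phone == req.phone:
            return ("allow_email_change", acct.username)
    return ("deny", None)


def hardened_recovery(accounts: List[Account], req: RecoveryRequest,
                      now: datetime) -> Tuple[str, List[str]]:
    """Hardened flow: the SMS code is one factor, never the only one.
    Returns (decision, reasons)."""
    # 1. The requester must identify the account; the phone is not a lookup key.
    if not req.claimed_username:
        return ("deny", ["no_account_identifier"])
    acct = next((a for a in accounts if a.username == req.claimed_username), None)
    # Same response for unknown account and for non-matching phone, so the flow
    # cannot be used to discover which numbers belong to accounts.
    if acct is None or acct.phone != req.phone:
        return ("deny", ["phone_does_not_match_account"])

    reasons: List[str] = []
    # 2. A number verified long ago may have been recycled to someone else.
    if now - acct.phone_verified_at > PHONE_REVERIFY_AFTER:
        reasons.append("stale_phone_verification")
    # 3. Changing the email on file must be confirmed from that email.
    if not req.email_code_ok:
        reasons.append("email_not_confirmed")
    if reasons:
        return ("escalate_to_support", reasons)
    return ("allow_email_change", [])


def phone_reverification_due(acct: Account, now: datetime) -> bool:
    """The periodic 'is this still your number?' prompt the post says never came."""
    return now - acct.phone_verified_at > PHONE_REVERIFY_AFTER


def checkout_phone_mismatch(acct: Account, phone_at_checkout: str) -> bool:
    """True when the number typed at purchase differs from the number on file,
    which should raise an alert to the account owner."""
    return acct.phone.strip() != phone_at_checkout.strip()


# Constructed sample data: the victim's number was verified 3361 days before NOW
# (the figure from the post) and has since been given up; the attacker now holds it.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
VICTIM = Account(username="jp", email="jp@example.com", phone="+15550100",
                 phone_verified_at=NOW - timedelta(days=3361))
ACCOUNTS = [VICTIM]
ATTACKER_REQ = RecoveryRequest(phone="+15550100")   # knows nothing but the number
OWNER_REQ = RecoveryRequest(phone="+15550100", claimed_username="jp", email_code_ok=True)

if __name__ == "__main__":
    print("weak, attacker:    ", weak_recovery(ACCOUNTS, ATTACKER_REQ))
    print("hardened, attacker:", hardened_recovery(ACCOUNTS, ATTACKER_REQ, NOW))
    print("hardened, owner:   ", hardened_recovery(ACCOUNTS, OWNER_REQ, NOW))
    print("reverify due:      ", phone_reverification_due(VICTIM, NOW))
    print("checkout mismatch: ", checkout_phone_mismatch(VICTIM, "+15550123"))
```

Run stand-alone, the weak model hands the attacker an email change with nothing but the number, while the hardened model denies the same request outright for lack of an account identifier. Note that the hardened model also refuses to auto-approve the legitimate owner while the stale-number flag is set, which is the intended behaviour: once a number has gone that long without re-verification the service has no basis to trust it, and the request should go to a human or to a stronger proof such as billing history.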