While celebrating the U.S.'s 4th of July weekend at a Bob Moses DJ set, my iPhone was stolen out of my bag; fortunately, I still had my wallet and keys. Even though I could observe the thief through "Find My iPhone" going to another music venue the same night for more petit larceny attempts, I knew there was little I could do.
In addition to the normal feeling of being taken advantage of, I was also starting to feel increasingly frustrated. No phone meant no contact with the greater world. Social media was out of the picture, as well as constant contact with friends and family through the various chat apps I use, except for those I communicate with via iMessage, thanks to having the app on my MacBook. And while it was nice to take a break from my mild phone addiction and its many wonders, it presented greater life challenges.
Without a phone, I was locked out of personal, financial, social and professional accounts. Many services require a secondary authentication step, which is commonly done through SMS associated with a mobile phone number. "SMS," or short message service, is a standard text message sent over the cellular network rather than an internet connection, unlike iMessage, WhatsApp, Signal or other internet-based messaging services.
SMS 2FA is an authentication step that follows the standard password input for a service: the service sends a short one-time password to the user via a text message. It came as an unpleasant surprise when I discovered that SMS 2FA does not include iMessage.
New day, new identifier
When did our phone numbers become the new identifier du jour? The U.S. does not have one specific identifier that is relied upon to manage its population; instead, several identity documents like Social Security numbers, passports or state IDs have traditionally been used to verify someone's identity. But with the explosive surge in data breaches and identity takeover fraud, it has become challenging for companies and consumers alike to solely rely on these very sensitive data elements.
Phone numbers are connected to most parts of our lives. Thanks to the mass adoption of personal mobile phones, the evolution of digital ecosystems, and public awareness around how sensitive identifiers can be misused, verification services have had to look for alternative identifiers. And even if a phone number is not truly static like an SSN, it rarely changes. Just ask anyone who has moved to a different country about the challenges here. It is logical, then, that more and more services would adopt phone numbers as the primary identifier rather than traditional identity verification methods. "Phone Centric Identity," using your mobile phone number along with a password, is now being touted as the new modern way to identify consumers.
All this to say, phone numbers and SMS 2FA have been proven to be insecure and ineffective identifiers. Spoofing, SIM swapping, Remote Desktop Protocol abuse, man-in-the-middle attacks and social engineering are all common methods that criminals can use to effectively gain access to people's phones and take over their digital lives. Furthermore, unlike messaging apps with end-to-end encryption, SMS is built into the architecture of the mobile networks themselves. So the security of the SMS messages we send depends entirely on whatever security our mobile carriers have built into their networks, which is not always adequate. And while this insecure authentication method is widely used, Forrester Research estimates that SMS 2FA stops only 76% of attacks.
Alternative authentication methods?
Following my Kafkaesque nightmare, peers in the privacy community proposed looking into some sort of authenticator app, in lieu of SMS 2FA, as a more secure and effective authentication method. This version of 2FA or multifactor authentication works similarly in that it generates an OTP that users need to enter to gain access to a service. The app computes these codes locally from a secret shared with the service during setup, so nothing travels over the carrier's network. Authenticator apps typically refresh the code every 30 seconds, so even if a criminal somehow gained access to an OTP, the likelihood of it still working for them is minimized.
Unfortunately, this is not common knowledge or easy to configure for the average consumer. Not all services offer alternatives to the SMS 2FA code option, and even when they do, setting up authenticator app support involves scanning a QR code, inputting various keys, which I really couldn't figure out, or only works with specific authentication services.
Authenticator apps are more commonly used in a corporate context for Single Sign-On (SSO) purposes than they are by individuals. One tech-savvy friend showed me three different authenticator apps on his smartphone, which still didn't cover all of the services for which a secondary form of authentication is required. And to add insult to injury, I could not even use these authenticator apps during the several-day period of having no phone.
The future of phones and identifiers
Despite the relief I felt upon having a mobile phone again, the whole situation left me feeling uncomfortable about our overreliance on these numbers. Perhaps it is a paternalistic thought, but I can't see how a "reasonable user" could easily take preventive measures to secure their number and manage their digital livelihood in the event that a criminal steals more than just their physical device.
Ideally, there would be a multi-stakeholder effort amongst mobile networks, device manufacturers, operating systems and major digital service providers to create a more simplified, secure and seamless method that average users could enable to access services and keep their accounts and identities protected.
More likely, we will see smaller efforts from passionate stakeholders who are looking to make a difference in this space. One exciting proposal is around decentralized identity: users would have a "wallet" that stores their credentials and personal information, which includes verified identity details that one would need to prove eligibility to complete a transaction. That information is "signed" by multiple trusted authorities to prove its accuracy. And instead of relying on passwords, unphishable cryptographic keys would authenticate users to the services they use.
The technology is still new and would result in companies processing significantly less data about users, which is arguably good for users' privacy and security and not so good for companies that monetize user data. But maybe there will come a day when digital services and the users that transact with them will widely adopt such a proposal.
Until then, I'm not letting my new phone out of my sight.
