I've been using my Hotmail, Gmail, and Amazon accounts for a while now and I intentionally removed my phone number from the first two, opting for an authenticator app instead for two-factor authentication (2FA). I even got Yubikeys for added security. Recently, I faced challenges removing my phone number from Amazon, but found a workaround by temporarily disabling 2-step verification. After removing my phone number, I re-enabled 2-step verification, relying solely on the authenticator app for access.
Given my background in computer programming, I understand the risks associated with phone-number-based authentication, such as SIM swapping. I even executed a SIM swap in the past, so I'm aware of its vulnerabilities. My concern is that Google, Microsoft, and Amazon repeatedly suggest that TOTP is insecure and that my account wouldn't be recoverable without a phone number. However, I have backups of my codes on both my phone and computer—an advantage over SMS, which can only reach one device at a time. Why do these companies spread what seems to be misinformation about the security of TOTP versus phone numbers? I would expect a better understanding from tech giants given their resources and expertise.
4 Answers
It's frustrating, right? A lot of this boils down to money and user management. Tech companies want to keep users within their systems. By pushing phone number verification, they're basically ensuring they can track and market to you more effectively. Plus, they probably see it as a way to minimize support calls related to account lockouts. Nobody wants to deal with angry customers who can't access their accounts if they lose their TOTP codes! It's easier for them to just have a phone number for recovery, even if it isn't the best security practice. Users aren’t always as tech-savvy as you, unfortunately.
You make a solid argument, but your recovery methods are risky. If something happens to both your phone and computer where you've stored your codes, getting back into your accounts could be a nightmare. That said, you're right about the potential recovery issues with SMS too. Companies likely emphasize phone verification as a means to ensure they're able to assist users who might lose access to their TOTP codes. But yeah, I agree, they really need to improve their communication regarding TOTP! It's misleading for sure.
Totally get your point about TOTP being more secure than SMS, but remember that most users don’t use it properly. The average person is more likely to lose their TOTP codes than their phone number. Companies deal with a lot of support requests, so they might prefer the simpler backup method with phone numbers. Honestly, companies often prioritize user convenience and retention over pure security measures; it's a tough balance.
Don't overlook that giant tech companies often use user data for additional profit. When they tie your phone number to your account, they get the opportunity to collect and sell your data, which is another reason they might discourage certain authentication methods. It's all about control and monetization of user data, and they probably think it’s easier to manage with the old phone number method.