Hopefully that clarifies for some folks why these big tech/social media companies insist on having your phone number as a “2FA for security” despite all the SIM-swap attacks: simply for this moment, because you might be using a VPN, and address/name aren’t in your Google account, but definitely your phone number is there. It’s even worse if you’re using an Android too, as they probably will pull out all your app/browsing history.
Saying that some PM at Google decided a decade ago something like "hey guys, let's build a database of our users' phone numbers to satisfy some theoretical future dragnet surveillance request from law enforcement and tell our users that it is for their own security" is actually quite a ridiculous conspiracy theory if you think about it.
Credential stuffing is a huge issue for large providers and requiring 2FA is a huge mitigation. Sure, a targeted attack will make the SIM swap, but that is a huge difficulty upgrade from generic credential stuffing.
-Nobody ever.
Come on, use your brain. Even if you are talking about smaller entities who might otherwise only have names and emails, why would they want phone numbers? They don't care about identifying you. And even if they did they already have your email and name.
Step away from the tin foil...
It’s a nonsense argument to say Google can’t handle credential stuffing without SMS 2FA in place, as in not pushing all 2FA via Google Authenticator and using the very wide reach and talented security team for baseline cred stuffing. Sec tools for this, even without being Google and their very talented sec team, are pretty good.
Wanting a hard phone number is a pure identification play and also about the more likely pragmatic concern (than cred stuffing) of using Google for burner accounts.
Fingerprinting to a user, especially for a bulk request, without something to anchor on like a device id (or phone number), is harder than you make it out to be. End of third party cookies and so on has had an effect.
Because it is trivial to make a burner/secondary email address, but much less trivial to do the same with a phone number. Furthermore, everyone adds phone numbers to their contacts but very few add emails, so phone numbers are much more valuable from the perspective of inferring social graphs.
Both of these are extremely valuable for adtech and generic "growth & engagement" scum, thus why all companies matching these criteria started effectively requiring phone numbers. The 2FA/security angle is just an excuse for the true reason behind it.
I'd buy the spam reduction angle - it's a bit easier to get an email address than a phone number. But I have never seen a service require 2FA (except things like NPM and PyPI; but that's clearly for security) so I don't think it's that either.
I think it's pretty clear that the reason really is security. There's no conspiracy.
Agreed. But I disagree that the true reason is security. The true reason is better stalking which is valuable to adtech scum which now happens to be the vast majority of consumer-grade tech.
> I have never seen a service require 2FA
Try registering on Twitter. They'll let you register but then randomly suspend your account for alleged ToS violations (even if the account was outright inactive) but will give you the option of instantly unbanning yourself following phone number verification. Microsoft will randomly lock out MS accounts without a phone number attached and will require a phone number for "security" upon the next login (the security angle being very dubious considering they don't have a number on file to compare to, so even an attacker can pass this challenge just fine). Etc.
> There's no conspiracy.
It's true, there's no conspiracy, it's just business and can be explained by common sense and economics. Phone numbers help tracking people. Adtech makes more money the better it can target its ads. Most consumer tech nowadays is intertwined with adtech. Said consumer tech thus optimizes for higher profit by collecting more data to help adtech.
That's the conspiracy. They don't need phone numbers for that.
It's mainly security with a sprinkling of spam/bot reduction.
Do you really think NPM and PyPI are doing it to improve their targeted advertising?
I have accounts with both of these orgs, not equipped with 2FA, and none of what you describe has ever occurred.