by danShumway 2564 days ago
I assume that Twitter's security team isn't dumb. But, I wish companies would stop even allowing users to use phone numbers to validate identities -- it's actively less secure than using an email address, and literally everyone on the platform has an email address. There is zero reason for Twitter/Paypal/etc to ever use a phone number to contact me -- email will always be more secure.

Privacy concerns aside, this is one of the primary reasons why I try not to give my phone number to websites I sign up for. I can't trust them not to treat it like an authentication mechanism. OP didn't want to use his phone number as authentication. This was a setting somewhere that got enabled by default, even though for the most part, nobody should ever have it enabled.

Why does this setting exist?

It really feels like a juvenile security mistake to me, and I don't understand the reasoning behind Twitter's security team being OK with it. To me, this seems like a mistake on the same level as using security questions or mandating password expiration. Maybe there's some justification I'm missing, but right now it's difficult for me to imagine what it would be.


You're absolutely right that SMS two-factor authentication isn't secure and that it is the default on Twitter [0].

IIRC, at the time I was going to set up two-factor authentication on my device (and to this day), I had an issue with the camera where I could not scan a QR code. On most other platforms I am able to enter the secret code for my authentication app manually. On Twitter (not sure if this is still true) they did not provide the secret code for me to enter manually.

[0] - https://help.twitter.com/en/managing-your-account/two-factor...

> literally everyone on the platform has an email address.

This may be true in nations that have had ubiquitous internet access, but in many quickly-growing markets this is not true.

I was referring specifically to Twitter -- it's been a while since I checked, but doesn't Twitter require an email address for every account on signup?

If you're offering a service that doesn't rely on email, I do see a gray area there for using SMS as a fallback; but most services I use don't fall into that category. I've even seen banks go down this direction -- banks that both require me to have an email to make an online account, and that are only operating within the US.

Lyft in particular weirds me out, because (third-party services excluded) Lyft only works via an app and a web interface. And yet there's no option to sign into the Lyft website using anything other than SMS. I'm required to use an insecure SMS login even though I literally can't request a Lyft ride without an Internet connected device.

I understand having options for developing nations; I don't understand using those options as a default, or even going so far as requiring users to leave them open.

> I was referring specifically to Twitter -- it's been a while since I checked, but doesn't Twitter require an email address for every account on signup?

I see, I misunderstood. It does not require an email address on signup; in fact, they've been pushing more and more aggressively to force new accounts to have numbers tied to them [1]. https://mobile.twitter.com/i/flow/signup in a private browser tab defaults to phone number, and the email flow is deprioritised.

I agree that it should never be required, much less the only factor. Nothing good can come of it but these companies get to lean on Trust and Safety as an excuse to collate this information for nonconsensual purposes.

[1] https://www.reddit.com/r/privacy/comments/8e5m73/twitter_is_... and some other stuff that I'm too tired to search HN for

Oof. That's disappointing to hear, but I appreciate the heads up.

My more cynical side agrees with you that the shift is probably mostly explained by data collection and user monitoring. I would like to give Twitter's security team the benefit of the doubt, or say that they're expanding into different markets and it's an accessibility thing, but... I dunno. I'm not sure I actually believe that.