by tictok4 2452 days ago
>biggest tech companies in the industry do it anyway.

because it provides identity.


No it doesn't, it just provides proof that you currently have access to that phone number. Phone numbers are not identity.
Most people aren't walking around with one-time phone numbers, they have a phone number that's shared by family, friends and co-workers that will consistently resolve to the same individual whenever someone wants to connect.

Being a unique number that is tied to a single individual, it can function as a proxy for identity. This, obviously, assumes you are operating like the average user.

There are plenty of attacks where some random person can get hold of any phone number for a few seconds. It is not a proxy for identity, as it's available on demand for the exact people trying to impersonate you.
Regular people don't "have" or control any phone number, telcos do.
So, then, the only option is multi-factor biometrics. Everything else is just "not identity", right?

And even then, biometrics can't usually differentiate between twins.

For twins, there is arguably no way for software to demonstrate identity, ever.

Social security? Proves you're holding a card.

Biometrics? Proves you're one of multiple with these exact genetics.

Etc. I literally cannot think of a way to definitively and authoritatively tell twins apart in software.

I have a public/private key-pair from my local government. Comes with my passport and is guaranteed by the gov to represent a single person only.

Although, I wouldn't want to give the public key to Google/Amazon/Facebook/Twitter :)

In the twin example, what is to prevent your twin from taking your documentation and receiving a public/private key in your name?

Or simply access that key of yours and use it?

The public/private key only proves you hold the keys, not that you are you.

Not identity, just proves you have access to the keys.