[zb3]

I don't want to authenticate using something I have, because I won't be able to authenticate if I lose that thing. Phone number is something I legally own and this ownership can be enforced because I can get a new SIM card with the same number using my government ID - something I am rather than I (temporarily) have

[shortcake27]

This is not exactly true for many countries.

In Australia, for example, telcos get punished heavily for delaying ports but don’t get punished for unauthorised ports. This disincentivises telcos to perform any due diligence whatsoever. Up until a few years ago, anyone could walk into a telco and port any random number onto a new sim. These processes are improving, but sim swapping is still trivial.

Not to mention SMS is also an unencrypted medium.

I avoid using my phone number for MFA unless I’m forced into it (which sadly happens quite often).

[ggm]

This is counter to my understanding. I've always believed SIM porting attacks are both harder and less frequent in Australia compared to the USA

[shortcake27]

I can’t speak to USA vs Australia as I don’t know what the process is like in the USA, but this is how Australia works. The regulation originated from good intentions - in the 90s telcos would make it difficult for people to port their number, so ACMA stamped that out by prohibiting the losing telco from denying/delaying a port. It was up to the gaining telco to verify the identity of the owner, which was rarely done. You could just walk into a telco, give them your number, and get it ported to a new phone/sim immediately. I did it plenty of times in the 2000s.

Unfortunately these regulations now hurt the consumer more than they help. Imagine if you could transfer a domain name without a transfer code or confirmation from the owner or current registrar. That’s what phone numbers are like in Australia. I absolutely want my telco to deny a port without my permission, but regulation prevents them from doing this. Instead, I have to rely on every other telco in Australia doing their due diligence if someone tries to port my number. It’s a losing battle because my identity has been leaked several times in the past few years. I have to assume that at any moment my phone number will be ported away by a bad actor.

I believe this is being reformed to require explicit approval from the owner. But this is very late and inferior compared to other countries such as the UK with PAC codes etc.

[ggm]

I live in Australia, and every number port has required me to have the old SIM live, and respond to an SMS token exchange, before the receiver could proceed. Or, present the 3 trick questions and be recorded with the telco desk, and incur liability.

I've done three: Telstra to A now defunct MVNO back to Telstra and now Aldi.

I have never been able to socially engineer the change without either other online proof of posession, or this SMS exchange. Never.

Maybe I just found providers who implemented tighter controls.

I wasn't clear, that I also believe the RATE of sim port attacks in Australia is far, far lower than in the USA. I don't doubt some happen, but I think we have less per head of population. In part, I think the 100 points checks and KYC plays to this.

[edf13]

Not sure you legally own a phone number... isn't more of you legally have the right to use it whilst the telco allows it/and you pay your bill?

[red_trumpet]

Isn't the telco contractually required to let me use it? Not sure about the US, but in Germany I think you even have the right to keep your phone number when changing telcos.

[easyThrowaway]

I guess it depends on the jurisdiction, but in Europe (at least, France and Italy I'm certain of) the phone number is treated as personal sensitive data[1] and "owned" by the contract owner, not the telco.

[1] https://commission.europa.eu/law/law-topic/data-protection/r...

[ThePowerOfFuet]

No, this is not ownership.

[krmbzds]

You might get pwned by (1) the government, (2) your mobile carrier, or (3) a hacker that can social-engineer your mobile carrier's tech-support (SIM jacking / SIM swap attack).

[zb3]

Yes, that's true, but it's not an argument in favor of authentication based on something I have. I don't think we can prevent everything, but I at least want there to be some way to undo the damage (things like courts, chargebacks and so on).

[krmbzds]

I think the argument for something you have is cyber-physical security. No matter how advanced malware is it won't be able to extend a finger through your monitor and tap the capacitive touch sensor of your Yubikey.

[world-set-free]

Just to warn, social engineering attacks can get sims transfered without your involvement. There were some stories about it here somewhere a very long time ago.

[zb3]

Yes, I know - my method isn't perfect. But at the same time I don't want to rely on some "irreversible" purely technical solutions to the complex problem of (human) authentication.