HACKER Q&A
📣 jpalawaga

Can we (or at least Valve) stop using SMS for identity?


Can we as an industry stop treating phone numbers as immutable pieces of information? They're not, and there is no easy way to know all of the services that use a particular phone number if you change your number.

I had someone recover my Steam account using an old phone number. Receiving an SMS allowed them to change the email on the account, which prevents me from recovering my account.

I'm baffled that there seem to be a few lapses in their recovery flow:

- Steam will give your account away via text message, even if the person has no prior knowledge of the account (username, display name, email, purchases/billing info, anything).
- Email is supposed to be used as the primary recovery mechanism ("protected by Steam Guard email").
- When you purchase games, you're asked for a phone number which is never checked against your registered number (an alert would have brought the mismatch to my attention).
- The phone number was verified 3361 days ago. Never a 'hey, is this info still up to date?' message or anything.

This essentially turned Steam's 2FA into 1FA. Or maybe even less, since they didn't even need a username to fully recover the account. Heck, they didn't know what account they were recovering!

This seems like a particularly egregious implementation of recovery, but really it seems to hinge on the idea that a phone number is some unalienable part of someone's identity.

SMS for identity seems like a good idea if you ignore the changing number case (people don't need to remember anything specific to your service!). However, the changing number case is obviously one to be addressed, and is non-trivial to get right. I've seen a myriad of implementations here, most of them bad or half-baked.
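The lapses listed in the post can be read as a recovery policy that was never written down. The block below is an added example, not Steam's code or the poster's, that models the defensive version of that policy: the requester must name the account, an email code is mandatory (email stays the primary mechanism), SMS can only add to that proof and is discounted once the number is stale, and a checkout phone number that differs from the registered one raises an alert. The `Account`/`RecoveryAttempt` fields, the one-year staleness threshold and the sample scenario (number verified 3361 days ago, requester who cannot name the account) are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Assumption: a registered number must be re-confirmed at least yearly before
# it counts as a recovery factor (the post only says 3361 days went unchecked).
PHONE_STALE_AFTER = timedelta(days=365)
TODAY = date(2023, 6, 1)  # constructed reference date for the scenario


@dataclass
class Account:
    username: str
    email: str
    phone: str
    phone_verified_on: date
    # Phone numbers supplied at checkout (hypothetical field, see lead-in).
    billing_phones: Set[str] = field(default_factory=set)


@dataclass
class RecoveryAttempt:
    claimed_username: Optional[str]  # None = requester could not name the account
    sms_code_ok: bool                # a code sent to the registered phone was entered
    email_code_ok: bool              # a code sent to the registered email was entered
    today: date


def phone_is_stale(acct: Account, today: date) -> bool:
    """True when the registered number has not been re-confirmed recently."""
    return today - acct.phone_verified_on > PHONE_STALE_AFTER


def billing_phone_mismatch(acct: Account, phone_at_checkout: str) -> bool:
    """Flag a checkout phone that differs from the registered recovery number;
    this is the alert the poster wanted to receive at purchase time."""
    return phone_at_checkout != acct.phone


def evaluate_recovery(acct: Account, attempt: RecoveryAttempt) -> Tuple[bool, List[str]]:
    """Decide whether an email change via account recovery may proceed.

    Policy (a defensive reading of the thread's complaints):
      * the requester must identify the account being recovered;
      * email is the primary mechanism, so an email code is always required;
      * SMS may only add to the email proof, never replace it;
      * a stale phone number is not counted until it is re-verified.
    Returns (allowed, notes); notes explain denials and discounted factors.
    """
    notes: List[str] = []
    denied = False
    if attempt.claimed_username != acct.username:
        notes.append("requester did not identify the account")
        denied = True
    if not attempt.email_code_ok:
        notes.append("email confirmation missing; SMS alone is a single factor")
        denied = True
    if attempt.sms_code_ok and phone_is_stale(acct, attempt.today):
        age = (attempt.today - acct.phone_verified_on).days
        notes.append("phone verified %d days ago; SMS not counted until re-verified" % age)
    return (not denied, notes)


# Constructed scenario mirroring the post: the number was last verified 3361
# days ago, and the requester holds only that number.
ACCOUNT = Account(
    username="victim_user",
    email="victim@example.com",
    phone="+15550100",
    phone_verified_on=TODAY - timedelta(days=3361),
)
ATTACK = RecoveryAttempt(claimed_username=None, sms_code_ok=True,
                         email_code_ok=False, today=TODAY)
OWNER = RecoveryAttempt(claimed_username="victim_user", sms_code_ok=True,
                        email_code_ok=True, today=TODAY)

if __name__ == "__main__":
    for label, att in (("attacker", ATTACK), ("owner", OWNER)):
        allowed, why = evaluate_recovery(ACCOUNT, att)
        print(label, "allowed" if allowed else "denied", why)
    print("checkout mismatch:", billing_phone_mismatch(ACCOUNT, "+15550199"))
```

Under this policy the scenario from the post is refused on three counts, while the real owner, who can name the account and read the email, still gets in even though the stale SMS factor is discounted rather than trusted.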


  👤 elmerfud Accepted Answer ✓
What external identity information that is immutable would you like them to use? Your state or government-issued ID? Because those change over time as well. Your physical address? That changes too. A 2FA app on your phone? Sometimes those get lost or broken in an unrecoverable way as well. Perhaps submitting a DNA sample would be sufficient identity information that doesn't change over time.

As far as I can tell there is no perfect identity information that is immutable across time. For things like this you must keep the information up to date. It is unfortunate that there is not a centralized management or brokerage for this kind of thing, but having a centralized identity management system comes with another set of problems, where you have one system to breach instead of dozens of systems.

Steam does support email addresses as a second-factor login, and their app. It is always wise to periodically check that your identity information on every platform is up to date, especially if you've moved or changed phones or things of that nature.


👤 solardev
You can set up Steam Guard to use the mobile Steam app for auth instead. It's annoying as hell though and I wish they just supported normal OTPs.

👤 mouse_

👤 LinuxBender
For a handful of sites (financial, DNS registrar) I use my static IP address as part of the account restriction. People can bang away at passwords, SIM-jack my phone and get nothing. It's not for everyone, and I am apparently one of the few that only browse the web from a Linux workstation these days based on feedback, but I have managed to get a handful of companies to support IP restrictions. They hate doing it because many people apparently don't know the difference between a paid dedicated static IP and an IP that has not changed in a year, so they get locked out and it becomes a customer support PITA. It will always be my preference. Nearly all banks have the capability, but the bigger banks hide it from the bankers in their UI and it requires opening a ticket with their operations staff. Many B2B SaaS providers also have and despise this option.

As heavily targeted as Valve accounts are, I think they would have far fewer account takeovers if more people had static IPs and they supported having say 3 or 5 permitted IPs, or at the very least permitted CIDR blocks or AS numbers. The over-provisioned ISPs that use CG-NAT would have to use CIDR or AS number, for example. This would require a fall-back method should the ISP reassign AS numbers, as unlikely as this would be. Not perfect, but perfect is the enemy of good.

I only suggest this because I do not want yet another RSA dongle or phone app. I plan to launch my "smart" phone from a clay pigeon launcher and get a tiny dumb phone should I find one that supports VoWifi SIP and yet is truly a real dumb phone and not a mini phone running some ancient unsupported Android. I know several people that do not even have a phone. That is my long term goal.
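The per-account source restriction LinuxBender describes (a small list of permitted IPs, CIDR blocks or AS numbers, with a fall-back when none match) can be sketched in a few lines. The block below is an added example and not code from Valve or from the commenter: a hypothetical `LoginAllowList` that caps the number of entries, matches either a network or an AS number, and a `check_login` that refuses an attempt from an unlisted source before the password is even examined, so that "banging away at passwords" from elsewhere yields nothing. The client's AS number is assumed to be supplied by the server from its own routing data; the sample networks use documentation ranges (TEST-NET, 2001:db8::/32) and a private-use ASN, all constructed.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class LoginAllowList:
    """Per-account list of permitted source networks and/or AS numbers.

    Hypothetical helper: the thread argues for this feature, it does not
    describe an existing implementation.
    """

    def __init__(self, networks: Iterable[str], asns: Iterable[int] = (),
                 max_entries: int = 5):
        # A bare address such as "203.0.113.7" becomes a /32 (or /128).
        nets: List[Network] = [ipaddress.ip_network(n, strict=False) for n in networks]
        if len(nets) > max_entries:
            raise ValueError("at most %d permitted networks" % max_entries)
        self.networks = nets
        self.asns = set(asns)

    def permits(self, client_ip: str, client_asn: Optional[int] = None) -> bool:
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.networks):
            return True
        # AS-number match for customers behind CG-NAT whose address changes;
        # the ASN is looked up by the server, never trusted from the client.
        return client_asn is not None and client_asn in self.asns


def check_login(allow: LoginAllowList, client_ip: str, client_asn: Optional[int],
                password_ok: bool) -> str:
    """Outcome of one login attempt under the allow-list policy.

    'outside_allowlist': source not permitted; returned before the password is
                         checked, so an off-list guesser learns nothing, and the
                         owner is pointed at the fall-back enrolment method.
    'denied':            permitted source, wrong password.
    'ok':                permitted source, correct password.
    """
    if not allow.permits(client_ip, client_asn):
        return "outside_allowlist"
    if not password_ok:
        return "denied"
    return "ok"


# Constructed allow list: one static IPv4 host, one IPv4 block, one IPv6 block,
# plus a private-use ASN for a CG-NAT connection.
ALLOW = LoginAllowList(["203.0.113.7", "198.51.100.0/24", "2001:db8::/32"],
                       asns=[64496])

if __name__ == "__main__":
    for ip, asn, pw in (("203.0.113.7", None, True), ("192.0.2.1", None, True),
                        ("192.0.2.1", 64496, False), ("2001:db8::1", None, True)):
        print(ip, asn, pw, "->", check_login(ALLOW, ip, asn, pw))
```

Checking the source before the password is the design choice that matters here: an attempt from outside the list gets the same answer whether or not the guessed password was right, which is exactly the "get nothing" property the comment wants, while a correct-password attempt from an unlisted source is a signal worth alerting the owner about rather than silently discarding.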