I wrote a comment 11 days ago talking about SMS for a second factor, but it applies in general as well: https://news.ycombinator.com/item?id=39130032
Email is better, for sure, but mostly because email providers are either controlled by the user (for us nerds with a custom domain) or a large, impersonal entity (Google or similar). Neither is available to change by attackers in the same way as phone number providers are.
I work for an identity provider and we have a number of folks who want us to support this, almost always from a UX perspective.
I think that there also needs to be some onus on the phone providers, as suggested above. With the continued push to have the phone number as a global identifier (offline and online), we need our telco providers to require more to change phone numbers.
> With the continued push to have the phone number as a global identifier (offline and online), we need our telco providers to require more to change phone numbers.
No, we need to push back on this user-hostile trend, not stick on yet more band-aids.
Phone numbers are country-specific, impossible to own in any meaningful way for private individuals (unlike e.g. domain names), and add an unnecessary point of failure.