
How? Most of the services I use, from Walgreens to banks to retirement accounts, require a phone number either for 2FA or just to verify that you’re you when signing up. After changing my phone number this year and having to go through the rigamarole for each service, I decided never again.





I've had limited luck feigning ignorance with a bank recently. "I don't know why I'm not getting a code" "No, I don't have another phone number" "I still can't log in to the web portal". They dropped the phone number requirement in favor of sending the OTP to email in the end, but it took way more effort than is reasonable. I tend to include a request to the CS person to pass along a request for TOTP/authenticator apps, but given the request for a phone number is likely intentional, I doubt the feedback is getting too far. In my naive mind, if enough people do the same, maybe they'll get the message.

Never give a phone number to anyone.

Phone number is the gold standard identifier for third party data collation services.

This is why so many companies demand it.

One solution is a burner phone and burner SIM, for SMS only.


I have a few services that require a phone number for 2FA, maybe 5 or 6?

I just change those when I get a new number, it's usually just a matter of getting a text confirmation code from them to verify the new number.

I change passwords every year or two. That's really a pain, at this point it's somewhere around 30 or so accounts I have to go through and update.


Yeah, companies are not dumb, and they know when you have a VoIP number vs a full account with an "accepted" company.

I can kind of see why not allowing 2FA to a number that could be easier to lose, but that's a weak argument. Of course they don't want someone from .ru to get a US number with all of the baggage that would entail.


There are flaws to their methodology. For half the companies, to change your number from A to B, you first must verify a NONCE with A, then verify a NONCE with B. This just means you have to possess two phone numbers for a period of time — weeks, or in reality, months — while you change the long list of services over to the new phone number.

There is a simpler/better way and that is to verify you have your email address before allowing you to do a NONCE with B.



