Many recommend against using SMS for 2FA for security reasons (SIM swapping, sniffing, etc.), but there is another reason, one of both privacy and security: these 2FA phone numbers get leaked or sold, as [Wayback/Archive] Daniel Cuthbert (@dcuthbert) found out the hard way last year:
- [Wayback/Archive] “An account manager proved to me today that @LinkedIn did indeed sell my 2FA phone number as part of their sales offering. What’s rather disgusting is that at no point did LinkedIn tell you that they were going to do this”
[Wayback/Archive] Turn Two-Step Verification On and Off | LinkedIn Help
- [Wayback/Archive] “Collection of your phone number to be sold isn’t in their Ts and Cs either: … What annoys me the most is that I’m now inundated by salespeople on a private number that has not been shared anywhere but a test for multiple 2FA devices.”
- [Wayback/Archive] “The cynic in me feels that the 2FA offering is more to harvest phone numbers, which are very valuable to sales and marketing teams than providing security. This has left a very sour taste in my mouth.”
–jeroen






