A few decades ago, Americans were told to safeguard their Social Security number (SSN) and not to divulge it unnecessarily. Today, after billions of records have been breached, that federal ID is no longer considered a trustworthy identifier. Even the government recognizes that it can no longer rely on the SSN and is implementing other methods to identify people.* But the newer solutions are not without their side effects.
At the root of all cyber security is identity. You need to know WHO is doing something in order to know that the action is permissible. Identity can be determined by something you have, something you know or something you are. In the old days (five years ago) we used just a password – something you know – to verify the identity of the person accessing a system. But with the advent of mammoth amounts of public data, everything that you know became known to everyone else. Finding your children’s names or where you were born is as simple as a Facebook inquiry.
To combat global information availability, information security teams introduced multi-factor authentication (sometimes called two-factor authentication). Using MFA simply means that a person must have more than a single way to confirm his or her identity. It often combines something you know (like a password) with something you have (like your cell phone) or something you are (like your fingerprint or iris scan). You have likely been sent a text with a code in it when signing in to a banking application. The purpose is to prove that you have possession of the cell phone and that it really is YOU trying to use the application.
Identifying you by your possession of a cell phone significantly increases the value that you need to place on that device. It also suggests that we have replaced our government-issued ID with a telecom-issued phone number. Just another reason to resist changing your number. But unlike the SSN that we were taught to keep private, we hand out our cell phone number to everyone. The question of how concerned we should or should not be is complicated.
The first issue to confront is whether you want everyone to know who you are. There are benefits to calling your bank and having the person identify you by your phone number and connecting you to the right department. But not everyone wants to have Google know every location your phone visits or have Facebook know every website your phone views and then be able to tie that back to you. Marketing companies can use your cell phone number to tie back everything you do – even if you do some of it on a computer and some on the phone. Maybe you are OK with this, but if you aren’t, too bad.
Reliance on a cell phone number as a unique ID makes some questionable assumptions. How certain should we be that it's you? We know that the number is portable, otherwise we couldn’t get a new phone. That also means that it is possible to create a duplicate phone with the same phone number as your cell phone. It is illegal – but not difficult. How much faith should we place in everyone being honest?
There is also the question of who “owns” the phone number. If you have a company-issued cell phone you may find out that the company will not release that number to you if you end your employment with them. (A few countries, like Norway, specifically mandate that the cell phone number belongs to the employee.) It may seem moot, but if you change your phone number you might spend the better part of a day going through all the websites you regularly use to update your phone number. And you may only be able to do that if you have the old phone to properly identify yourself.
A lot of firms rely on the fact that you have your cell phone because it is easy and inexpensive, but it’s not as fail-proof as we may want to believe. Our advice is to take care of your phone and treat it as the universal identifier that it is. And be sure to lock your phone. The four-digit PIN is not very secure, but it is better than nothing. A fingerprint or longer PIN is better. Facial recognition is somewhere in the middle.
Two-factor authentication using a cell phone has its flaws, but it is what we have today and it far surpasses passwords by themselves. Given the option to use it, we highly recommend you opt in.
* The federal Medicare system abandoned using the Social Security number as an identifier in 2018 and now has its own “unique” identifier.