
"This is absolutely getting unwieldy to the point of being fucking ridiculous and unusable."

Agreed. The worst part, in my opinion, is the penchant of sites/providers to demand a phone number, any phone number, as an identity mechanism.

Which is to say, there is no way to tie this number I have just entered to my personal identity in any way, or to verify that it has any relationship with me ... but as long as I successfully enter any mobile number, I pass with flying colors.



You are really only complaining about the newest iteration of the identity treadmill.

In the beginning it was just a password. Then it was a username + password. Then an email address was tacked on to support "forgot my password". Then a phone number was added to support SMS-based 2FA (or, hopefully, out-of-band contact).

The problem is that only government IDs have a high enough assurance to reduce fraud, and our {companies, employees, consumers} seem to avoid wanting the government to be involved in internet-based identity/authentication. Having a chip used to sign encrypted messages in our government ID cards would both assure authentication and reduce all of the frictions added after the fact.

The sad part is that USA government institutions are woefully underprepared to support internet-scale adoption, and the legacy services (like the DMV and county/state government offices) aren't exactly known for their swift customer service (which would be required if you lose access to your government ID).


> The problem is that only government IDs have a high enough assurance to reduce fraud

That type of "assurance" is really quite irrelevant to most authentication. Google doesn't need to know the name on your driver's license or your street address, only that you're the owner of this gmail account.

> Having a chip used to sign encrypted messages in our government ID cards would both assure authentication and reduce all of the frictions added after the fact.

Or you could have the same chip in a YubiKey and get the same result without the centralization or the privacy violation of having everything tied to the same identity without your consent.

> The sad part is that USA government institutions are woefully underprepared to support internet scale of adoption and the legacy services (like DMV and county/state government offices) aren't exactly known for their swift customer service (which would be required if you lose access to your government ID).

This is just more reason why it makes no sense to have the government involved.

It's not actually that hard to get a state-issued ID in someone else's name, especially for criminals who are willing to do things like pay off government employees, but even just for someone willing to forge documents.

The government can't use good cryptographic solutions to authenticate you in order to give you the card with the good cryptographic solutions because it's chicken and egg. But without that the security will always be weak.

Starting with a card which isn't associated with any "identity" to begin with and making the service you're using it to authenticate against your "identity" doesn't have that problem, because it isn't necessary to prove "identity" when you're opening the account to begin with (the account is then empty and contains nothing to compromise) and thereafter you can use the authentication method(s) configured when you opened your account.

But then the government wouldn't be doing anything but selling blank cards you could use to create identities with various services, and any private business could do that as well.
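The scheme the comment above describes (a key that carries no identity, bound to an account at creation time, with the service itself becoming the "identity") is essentially how a hardware security key works. The following is an added example, not code from the thread or from any vendor: an Ed25519 key pair stands in for the chip in a YubiKey or ID card, the Authenticator and Service types and the "example.test" service name are illustrative assumptions, and the service stores nothing but the public key and an outstanding random challenge. Registration proves nothing about the holder, and does not need to, because the new account is empty.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator stands in for a hardware key that holds a private key and
// signs challenges. The private key never leaves it. (Illustrative type,
// not a real device API.)
type Authenticator struct {
	priv ed25519.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// Sign binds the signature to the service name as well as the challenge, so
// a challenge signed for one service cannot be replayed at another.
func (a *Authenticator) Sign(service string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signingInput(service, challenge))
}

func signingInput(service string, challenge []byte) []byte {
	return append([]byte(service+"\x00"), challenge...)
}

// Service keeps only public keys and pending challenges: no name, address
// or phone number is ever collected.
type Service struct {
	name       string
	accounts   map[string]ed25519.PublicKey // account id -> registered key
	challenges map[string][]byte            // account id -> pending nonce
	nextID     int
}

func NewService(name string) *Service {
	return &Service{
		name:       name,
		accounts:   map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Register creates an empty account bound to a key. Nothing is proven at
// this point and nothing needs to be: the account holds nothing yet.
func (s *Service) Register(pub ed25519.PublicKey) string {
	s.nextID++
	id := fmt.Sprintf("acct-%d", s.nextID)
	s.accounts[id] = pub
	return id
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Service) Challenge(id string) ([]byte, error) {
	if _, ok := s.accounts[id]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[id] = nonce
	return nonce, nil
}

// Verify checks the signature against the registered key and consumes the
// nonce, so the same signature cannot be replayed.
func (s *Service) Verify(id string, sig []byte) bool {
	pub, ok := s.accounts[id]
	nonce, pending := s.challenges[id]
	if !ok || !pending {
		return false
	}
	delete(s.challenges, id)
	return ed25519.Verify(pub, signingInput(s.name, nonce), sig)
}

func main() {
	key, _ := NewAuthenticator()
	svc := NewService("example.test")
	id := svc.Register(key.PublicKey())
	nonce, _ := svc.Challenge(id)
	fmt.Println("login ok:", svc.Verify(id, key.Sign(svc.name, nonce)))
}
```

The service name in the signing input is what keeps one key usable at many services without those services being able to correlate a login at one with a login at another: each sees only a public key and a signature over its own name.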


The value of asking for an arbitrary phone number is as a challenge of last resort. Let's say that you have given the provider no useful second factor, so the account is potentially quite vulnerable to credential stuffing. The phone number acts as a mechanism for rate limiting and for imposing an economic cost on attackers.

To hijack accounts at bulk, you also need to procure phone numbers in similar quantities. The cost of a phone number is low, but so is the value of the average hijacked account.
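The "challenge of last resort" from the comment above, as an added example that is not code from the thread or from any provider: a correct password from a device the account has never seen does not yield a session until a one-time code "sent" to a phone number is echoed back. The number can be any number, but in this model one number may clear only a few challenges, which is where the per-account cost to a bulk attacker comes from. The Gate type, the cap of three challenges per number, the outbox map standing in for SMS delivery, and the sample users are all constructed assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// maxChallengesPerPhone is an assumed policy: how many challenges a single
// phone number may clear before it is refused.
const maxChallengesPerPhone = 3

type Outcome string

const (
	SessionGranted Outcome = "session"
	BadCredentials Outcome = "bad-credentials"
	PhoneChallenge Outcome = "phone-challenge"
)

type account struct {
	password string          // plaintext only to keep the example short
	devices  map[string]bool // device ids that have cleared a challenge
}

type pending struct {
	device string
	phone  string
	code   string
}

type Gate struct {
	accounts   map[string]*account
	pending    map[string]*pending // user -> outstanding challenge
	phoneUsage map[string]int      // phone -> challenges cleared so far
	outbox     map[string]string   // phone -> last code "sent" (stands in for SMS)
}

func NewGate() *Gate {
	return &Gate{
		accounts:   map[string]*account{},
		pending:    map[string]*pending{},
		phoneUsage: map[string]int{},
		outbox:     map[string]string{},
	}
}

func (g *Gate) AddAccount(user, password string) {
	g.accounts[user] = &account{password: password, devices: map[string]bool{}}
}

// Login returns the same outcome for an unknown user and a wrong password,
// so stuffing attempts cannot enumerate accounts. A correct password on an
// unknown device opens a challenge instead of a session.
func (g *Gate) Login(user, password, device string) Outcome {
	a, ok := g.accounts[user]
	if !ok || subtle.ConstantTimeCompare([]byte(a.password), []byte(password)) != 1 {
		return BadCredentials
	}
	if a.devices[device] {
		return SessionGranted
	}
	g.pending[user] = &pending{device: device}
	return PhoneChallenge
}

// RequestCode accepts any phone number but refuses one that has already
// cleared the cap; this is the rate limit the attacker has to buy through.
func (g *Gate) RequestCode(user, phone string) error {
	p, ok := g.pending[user]
	if !ok {
		return errors.New("no challenge outstanding")
	}
	if g.phoneUsage[phone] >= maxChallengesPerPhone {
		return errors.New("phone number has cleared too many challenges")
	}
	b := make([]byte, 3)
	if _, err := rand.Read(b); err != nil {
		return err
	}
	p.phone = phone
	p.code = hex.EncodeToString(b)
	g.outbox[phone] = p.code // the SMS
	return nil
}

// SubmitCode finishes the challenge, charges the phone number and trusts
// the device for future logins.
func (g *Gate) SubmitCode(user, code string) Outcome {
	p, ok := g.pending[user]
	if !ok || p.code == "" || subtle.ConstantTimeCompare([]byte(p.code), []byte(code)) != 1 {
		return PhoneChallenge
	}
	delete(g.pending, user)
	g.phoneUsage[p.phone]++
	g.accounts[user].devices[p.device] = true
	return SessionGranted
}

// PhonesNeeded is the number of distinct numbers an attacker must procure to
// clear the challenge on n stuffed accounts under this cap.
func PhonesNeeded(n int) int {
	return (n + maxChallengesPerPhone - 1) / maxChallengesPerPhone
}

func main() {
	g := NewGate()
	g.AddAccount("alice", "hunter2")
	fmt.Println(g.Login("alice", "hunter2", "new-laptop"))
	_ = g.RequestCode("alice", "+15550100")
	fmt.Println(g.SubmitCode("alice", g.outbox["+15550100"]))
	fmt.Println(g.Login("alice", "hunter2", "new-laptop"))
	fmt.Println("numbers needed for 1000 accounts:", PhonesNeeded(1000))
}
```

The cap is what turns a free number into a cost: without it, one number could clear every challenge and the prompt would be pure friction for legitimate users.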


The cost of Google Voice is free.

If you go post something on Craigslist and show your phone number as a contact method, I guarantee you that you will soon get spammed by Google 2FA notifications. Around me they seem to be primarily set to the Vietnamese language.

I live in the same city as the AT&T headquarters.

AT&T and Google could also have systems to help prevent these scams; for instance, I could specify the languages I speak, and if SMS messages arrive in a different language, they could allow me an SMS command to flag a sender as the triggerer of the phishing attempt.

However, AT&T could also make a phone app for billing that loads menus in less than 30 seconds to a minute, and considering they've done neither I suppose I'll take the billing app first since it gets more use than craigslist does. After all, we only pay them 60 dollars a month for a phone and another 60-100 dollars a month for DSL for quite literally decades, so I wouldn't want to strain them by requesting too much in the way of a basic level of service.


It is for marketing reasons.


It can be for more than one reason.


But the latter disqualifies it for the former.




