@dansup asking for a phone number is gating out people who don't have, can't get, or can't afford phone service

@dansup
Key point would be establishing that trust that the number wouldn't be stored because we have all seen this abused before.

@dansup In 100% of the cases where sign-up is tied to cellphones, account recovery is also tied to cellphones. The first is acceptable to me. The second is a non-negotiably unacceptable security risk.

@dansup sorry, but most likely no. If it’s for 2-factor authentication, phone/SMS-based ones have also been shown to be less secure as well as they are susceptible to SIM-hacking attempts.

Mastodon already has built-in app-based 2FA support, and I’m already using it for my account. There’s no need to use mobile phones for this.

@dansup "knowing the number" is something I can't trust. What service is used to send the code? Etc. I probably wouldn't unless I have no other choice (e.g. other instance)

@dansup How would that process verify a user as not spammer?

@dansup How would I "know" this?

I see these claims on websites all the time "we'll never XYZ your ABC". How are they verified?

@dansup You're trusting the instance owner and whomever had access with what I consider to be a very personal and important piece of information. I don't think I'd be happy with it. It's nowhere near as easy to change or anonymise as an e-mail address, password etc. for the majority of people.

Do keep in mind that verifying phone numbers gets very expensive very fast.

@dansup As long as I can read their terms of service first so I know what they plan to use it for.

@dansup How can anyone be sure that the number would be deleted?

@dansup

I'd have to be convinced it's useful or does something. On the surface,, it sounds like security theater.

I'm not sure how it's actually useful or prevents misbehavior. It seems like it only works by being a hindrance. Doing that intentionally is a bit ableist, to a greater extent than it's effective.

@dansup Even if there's a way to convince the user that the pixelfed instance would not store the number: The SMS service will store that their customer (pixelfed instance XY) did send an SMS to number YX. For accounting reasons. "Your number will nowhere be stored for this procedure" will be a lie, no matter how your software is implemented, because of how SMS services work.

@dansup An issue here is how do I KNOW that my phone number isn't being stored...

@dansup

... because you **cannot know** your # won't be saved and sold and spammed.

@profcarroll

@dansup I have a disposable SIM I use when I have to give it a phone number, so I'm already in a weird category. That said, I can be persuaded to use that number for registration if I have to.

But I'd honestly be reluctant to trust any site that said this, because:
* if it's genuinely not stored, a spammer can use the same number for 10,000 registrations and then just get another number, or
* some process will complain about the number being reused, showing it *is* being stored somewhere.

@dansup If the number won't be stored it will be useless, one spam bot could make as many accounts as it wants with the same number. Am I missing something?

@dansup this needs a “how do I know they won’t preserve the number or sell it?” option, though.

@dansup What makes you think that everyone on the planet even HAS a mobile phone? In many parts of the world those cost money and not everyone has them. And even people who do have them to often don't want to give out their number to random services on the Internet, for fear of getting increased junk/spam calls or other misuse. There is really know way of "knowing" your number wouldn't be stored and misused, as your question presupposes.

Personally I think this is a terrible idea, both because of the discrimination against people who do not have mobile phones, but also because you are asking users to trust random instance owners not to do anything bad with their phone numbers. The "bad apples" among instance owners (can you absolutely guarantee there aren't any?) are probably hoping something like this will be enabled real soon now!

@dansup another thing why phone numbers as a "spam protection" isn't a good idea: it's fucking expensive for the instance admin to do the SMS stuff and on the other hand it costs almost nothing to get yourself some phone numbers you could receive SMS on as spammer