Why doesn’t every computer have 256 char domain name, along with a private key to prove it is the sole owner of the address?
Edits: For those technically inclined: Stuff like DHCP seems unnecessary if every device has a serial number based address that’s known not to collide. It seems way more simple and faster than leasing dynamic addresses. On top of that with VOIP I can get phone calls even without cell service, even behind a NAT. Why is the network designed in such a way where that is possible, but I can’t buy a static address that will persist across networks endpoint changes (e.g. laptop connecting to a new unconfigured wifi connection) such that I can initiate a connection to my laptop while it is behind a NAT.
- Yes, it would be a privacy nightmare, I want to know why it didnt turn out that way
- When I say phone number, I mean including area/country code
- AFAIK IP addresses (even static public ones) are not equivlent to phone numbers. I don’t get a new phone number every time I connect to a new cell tower. Even if a static IP is assigned to a device, my understanding is that connecting the device to a new uncontrolled WiFi, especially a router with a NAT, will make it so that people who try to connect to the static IP will simply fail.
- No, MAC addresses are not equivalent phone numbers. 1. Phone numbers have one unique owner, MAC addresses can have many owners because they can be changed at any time to any thing on most laptops. 2. A message can’t be sent directly to a MAC address in the same way as a phone number
- Yes, IMEI is unique, but my laptop doesn’t have one and even if it did its not the same as an eSim or sim card. We can send a message to an activated Sim, we can’t send a message to an IMEI or serial number
Thank you for such a long and detailed post! I indeed did not know about things beyond the SIM, and I didn’t know about the extra details about the country codes either. That is extremely interesting to me.
With the phone spoofing though, does that mean two factor with a phone number is basically useless? If I had authentication based on a MAC address, it would take seconds to break it. But I think, and sure hope, that auth based on phone numbers is more secure.
I think your domain name answer – that for the most part computers didnt need them – is a very satisfying answer.
Spoofing is mostly done outbound. Anyone with enough money to buy SS7 line access can redirect almost any phone line in the world, though. It’s not cheap to get access to a network like that, but it’s also far from impossible. SIM jacking is a lot cheaper and just as effective, though.
Phone 2FA is better than nothing, but worse than almost all other options. Turn it on if it’s the only 2FA method, better leave it off if you can use TOTP or another 2FA mechanism.
Wow that’s super interesting to know. So its still got some resistance, but a lot less than I thought. Thanks again for sharing!
Phone number 2FA isn’t useless, insomuch as it’s better than no 2FA at all, but it is easily the worst form of 2FA because SIM jacking (usually involves a scammer tricking a customer service agent into migrating your phone number to their device instead of yours in order to intercept the 2FA messages) is laughably simple using easily acquired info such as your DOB, address, and last 4 of your SSN.
If phone 2FA is the only option, use it. But don’t use it if you have any other option.