On several websites, when I want to log in, the website will tell me that my phone number is on file and that they will call/text me at the phone number they already have to prove it’s me. This makes some sense to me. It isn’t perfect - but it does seem to confirm that the person trying to access the system has access to a phone number previously connected to the system.
However, I’ve recently gone through a couple of sites where I need to enter a phone number so they can text me back at the same phone number. What does that do/prove? How is that useful in proving my identity? Is the site just harvesting working phone numbers?
It’s not useful at all the first time.
But, it helps to prove your identity the second and subsequent times you log in.
It also allows you to more-or-less securely recover a forgotten password.
When you create a password at a website, the site does not actually store your password. Rather, they store a one-way hash of your password. This allows the website to verify your password when you type it in, but makes it so that if an attacker gains access to the site’s database, all they get are password hashes which are difficult to impossible to reverse.
Phone numbers can be spoofed. I’m not super smart on this, but I gather that it has something to do with the system which handles SIM card changes. That is, when you get a new phone, the phone reports to a service that your old phone number now belongs to the new SIM. Those changes are approved without any human intervention, and while they can be reversed by your cell phone provider once fraud is detected (simple enough if your old phone continues to exist in the same state), the spoofing only needs to last a few minutes to bypass the 2-factor authentication.
Hence, some websites are now storing verification phone numbers using the same one-way hash methodology they use for passwords. This makes it harder for attackers to associate usernames with phone numbers in the case of a data breach. This is good for security, but it means that in order for them to send you that text message, you need to re-enter your number when you log in (as though it were a password). The site can run the same one-way hash to verify that the number you entered is the number you registered with, send a text message, and then expunge that number.
Next time you encounter one of these sites, try entering a different phone number than you normally use. I suspect you’ll find it won’t send the text.
They may be trying to prove authenticity of the phone number itself, rather than using the phone number to prove your identity.
If you can respond to texts sent to a phone number, that is evidence that you didn’t just type in some random digits to make the prompt go away, or make a mistake in typing your number, or enter some ex-partner’s phone number so you can annoy them by signing them up for Cat Facts.
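Both of the flows described in the answers above (re-entering a number so the site can compare its hash with the stored one and then text you, and proving possession by echoing back a code sent to the number) can be shown in one small model. The following is an added example written for this page, not code from any site the question refers to. It assumes a server-side secret (`PEPPER`, a constructed placeholder) kept outside the database and a `send_sms` callback supplied by the caller; the account record, the 5-minute code lifetime and the 3-attempt limit are choices made here for illustration. A point the answer leaves implicit: the phone-number space is tiny (about ten billion values), so a plain unkeyed hash of a number is reversible by enumeration, which is why this example keys the hash with a secret that a database dump alone would not reveal.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumption: a secret held in application config, never in the database.
# Constructed placeholder value; a real deployment would use a random key.
PEPPER = b"example-pepper-placeholder"

CODE_LIFETIME_SECONDS = 300   # how long a texted code stays valid (chosen here)
MAX_CODE_ATTEMPTS = 3         # guesses allowed before the code is discarded


def normalize_phone(raw: str) -> str:
    """Reduce '(555) 123-4567', '+1 555 123 4567', etc. to one E.164-style form."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if raw.strip().startswith("+"):
        return "+" + digits
    # Assumption for this example: ten bare digits are a North American number.
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def phone_hash(phone: str) -> str:
    """Keyed one-way hash of the normalized number; the key is what defeats enumeration."""
    return hmac.new(PEPPER, normalize_phone(phone).encode(), hashlib.sha256).hexdigest()


@dataclass
class Account:
    username: str
    phone_hash: str                          # only the hash is persisted, never the number
    pending_code_hash: Optional[str] = None  # hash of the last code texted, if any
    pending_expires: float = 0.0
    attempts_left: int = 0


def register(username: str, phone: str) -> Account:
    """Store the account with a hashed phone number, as the answer describes."""
    return Account(username=username, phone_hash=phone_hash(phone))


def start_sms_challenge(
    account: Account,
    entered_phone: str,
    send_sms: Callable[[str, str], None],
    now: Callable[[], float] = time.time,
    rng: Callable[[int], int] = secrets.randbelow,
) -> bool:
    """Re-entered number must hash to the stored value; only then is a code texted.

    The number is used transiently for sending and is not written anywhere.
    """
    if not hmac.compare_digest(phone_hash(entered_phone), account.phone_hash):
        return False  # wrong number: nothing is sent, so no text arrives
    code = f"{rng(1_000_000):06d}"
    account.pending_code_hash = hashlib.sha256(code.encode()).hexdigest()
    account.pending_expires = now() + CODE_LIFETIME_SECONDS
    account.attempts_left = MAX_CODE_ATTEMPTS
    send_sms(normalize_phone(entered_phone), code)
    return True


def verify_sms_code(account: Account, code: str, now: Callable[[], float] = time.time) -> bool:
    """Echoing the code back proves possession of the number; codes are single use."""
    if account.pending_code_hash is None or now() > account.pending_expires:
        account.pending_code_hash = None
        return False
    ok = hmac.compare_digest(
        hashlib.sha256(code.encode()).hexdigest(), account.pending_code_hash
    )
    account.attempts_left -= 1
    if ok or account.attempts_left <= 0:
        account.pending_code_hash = None  # consume on success or after too many guesses
    return ok


if __name__ == "__main__":
    acct = register("alice", "(555) 123-4567")
    outbox = []
    start_sms_challenge(acct, "+1 555 123 4567", lambda num, code: outbox.append((num, code)))
    print("texted:", outbox[-1])
    print("verified:", verify_sms_code(acct, outbox[-1][1]))
```

The `now` and `rng` parameters exist so the expiry and the code can be pinned down in a test; in use they default to the clock and a cryptographic random source. Note that a leaked `PEPPER` reduces the phone hash to the enumerable case the lead-in mentions, so it belongs in the same class of secret as a session-signing key.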
They might be checking the phone number you entered against the phone number listed for you in various databases.