Email account that works for this mailing list _and without a cell phone number_
Jeffrey Walton
noloader at gmail.com
Sun Oct 19 05:52:03 UTC 2025
On Sat, Oct 18, 2025 at 11:47 PM Ralf Mardorf via ubuntu-users
<ubuntu-users at lists.ubuntu.com> wrote:
>
> On Fri, 2025-10-17 at 10:37 +0200, Oliver Grawert wrote:
> >
> > Did you consider just biting the bullet and investing 20€ into a cheap
> > pre-paid cellphone ? (I just had to get one for my mother and got her
> > a Nokia 105 and Vodafone CallYa card on Amazon for 19,48€ total ...)
> >
> > It's not like you need to use it for more than receiving these SMS
> > after all and for banking stuff like paypal it actually makes a lot of
> > sense to have two factor auth ...
>
> I may have to bite the bullet at some point, but I take the issue of
> cell phones very seriously. The media always talk about it being a
> serious issue, but it's not really taken seriously.
In the United States, NIST stopped approving SMS codes sent to cell
phones for authentication at higher assurance levels around 2019 (if I
recall correctly) due to SIM-Swap and Port-Out fraud. The FCC also
started the rule making process to adopt the same in 2021. "Higher
assurance levels" are AAL 2 or above. AAL 2 is the interesting one
because it is where multi-factor is used. See
<https://pages.nist.gov/800-63-4/> and
<https://www.federalregister.gov/documents/2021/10/15/2021-22099/sim-swapping-and-port-out-fraud>.
> As far as two-factor authentication is concerned, there is OTP
> authentication, voice SMS to landlines, and so on. People want mobile
> phone numbers for completely different reasons.
I don't even have a cell phone. I got rid of mine back in 2016. I
now use a device-based authenticator -- a YubiKey. I also use
KeySmith for a software-based authenticator. If a company does not
support YubiKeys or provide security parameters for KeySmith, then I
don't do business with them.
> Well, I guess that would be the so-called proper use of a cell phone, to
> only use it to receive SMS authentication codes.
In the United States, see NIST SP 800-63B for approved methods of
authenticating users at all assurance levels. They do not include OTP
codes sent via SMS. And in the US, you can use a cell phone to run an
app that generates HOTP or TOTP codes. See
<https://pages.nist.gov/800-63-4/sp800-63b.html>.
> I've never heard anyone say that you just have to learn how to use
> crystal meth properly. You could just take it when you're not feeling
> well and otherwise put it aside, like a cell phone.
>
> Seriously, though, when I step out my front door, among the 20 people I
> encounter, there are most likely zero drug zombies, zero people paying
> attention to traffic, but 20 smartphone zombies.
>
> Being more or less forced by companies to use a cell phone to cope with
> everyday life goes far beyond the sale of illegal drugs.
Jeff