2

I understand, that mobile phone verification is probably the most convenient way to validate real users and avoid spam, but those "secure/private" messengers are afterward still bound to phone numbers, and this has inherent vulnerabilities with regard to security - your whole account depends on SMS codes (and as discussed many times GSM (sms) technology is purely vulnerable).

The solution could be if the user could set up a username & password (or 2FA TOTP code), thus the phone number could be stripped from the account. However, I was unable to do that with the top 3 "secure" messengers (ironically, Facebook/Google has that feature, after setting up 2FA, you can de-associate phone number from the account). Any way to achieve that with Telegram/Signal/WhatsApp? Otherwise, I don't consider these messengers as secure as I think of security.

schroeder
  • 123,438
  • 55
  • 284
  • 319
T.Todua
  • 2,677
  • 4
  • 19
  • 28
  • They use it as your identifier. It cannot be removed. – defalt Sep 27 '21 at 06:08
  • 1
    "your whole account depends on SMS codes" -- does it? "private and secure" -- *from what*? I think you have some unexamined assumptions here and I'm thinking there might be a XY problem buried in the middle. If the tool is to provide e2e encryption between devices, then linking the device *as the account* isn't a concern at all. I think you are expecting something different from the situation. – schroeder Sep 27 '21 at 08:38
  • @schroeder no, I am not expecting something different, and I don't think we are on same page. I say, that account can be re-registered by hacker if s/he access/intercept our SMS (unless 2-FA enabled). However, the real **security** should be when SMS/GSM thing is not involved. About **privacy**, any person who has you in their contacts, sees that you joined Telegram/Signal and your username too. How this is a "privacy"? no privacy there. So, ability to disassociate the phone number would have solved both problems. That should be optional and everyone would have been happy. – T.Todua Sep 27 '21 at 09:00
  • 1
    The account *might* be registered if the SMS is intercepted (wouldn't it also require cloning?), but the new device won't get the comms on your device, right? You want privacy from people in your contact list who use the same app that you do. People who can contact you freely using other methods, but ones that would not be secure or encrypted. And that notification setting can be turned off. Where's the privacy violation? We're on the same page. I'm not seeing the threat model you're using. – schroeder Sep 27 '21 at 09:06
  • 1
    Signal and WhatsApp both have PINs and 2FA for registering on new devices, so that cancels your one point. All that's left is your privacy issue that's still unclear. I'm starting to think that this really is an XY problem. You want to solve these bigger issues you are seeing, but you've asked how to configure something specific in these apps. The answer to what you've asked is found in those services documentation or support. If you are drumming up support for your conclusions on the bigger issues, then that can't fit on a Q&A site. – schroeder Sep 27 '21 at 09:14
  • @schroeder I know here is no place to drum up support, I just asked whether there was a way to achieve something (because of my concern). What I say, is that if someone has an access to my SMS's, then s/he can register and access my messenger. Some of them might have 2-FA(or PIN) to prevent that, I understand, but I was still interested, if we don't enable 2-FA, could we also delink phone-number? about privacy, that is another question, and I think I should've asked that as a separate question. However, that was also related to phone number, and that's why I've added that to question. – T.Todua Sep 27 '21 at 11:50

0 Answers0