Two-step authentication by app codes and user privacy violation

  • Hello!

    Why does WordPress.com ask for phone number when setting up the two-step authentication using app codes (NOT SMS)?

    This feels like a violation of user privacy.

    WordPress.com should ask for a phone number only if the user selects the SMS method of 2FA.

  • Yes, I did.

    Quoting the relevant part here:

    First, we need your Mobile Phone number to send you verification codes when you choose the SMS method or in cases where the authenticator app on your phone is unavailable.

    I am choosing authenticator method and NOT SMS method because I don’t want to share my Mobile Phone number but have 2FA.

    Mandating a phone number even for a user who wants to set up authenticator app 2FA violates the user’s privacy.

    Among the websites I’ve accounts on, WordPress.com is the only website which wants user’s phone number for authenticator app 2FA. Facebook, Twitter, Reddit, etc. all those websites ask phone number only if user opts for SMS method.

    This is ridiculous!

  • Hello there,

    Many thanks for reaching out.

    It is possible to use an authenticator app – the set up of which does require a mobile device – it’s one of the methods which we use to verify in realtime.

    Please see the set up steps for the authenticator app here: https://wordpress.com/support/security/two-step-authentication/#setup-with-an-authenticator-app

    I hope this helps.

  • it’s one of the methods of which we use to verify in realtime.

    You mean verify user? If yes then that doesn’t make sense and here’s why:

    1. Why only verify users opting to set up 2FA? What makes them special?

    2. If it’s indeed “verification” why not separate “verification” and “2FA”? Why to bundle “2FA” and “verification”?

    3. And most importantly, I can insert any random phone number and WordPress.com happily allows me to set up 2FA authenticator app without verifying that number. So what are we verifying again?

    I’m really disappointed at the reasoning here.

  • If you meant that the phone number is a backup option to the authenticator app and backup codes, then please let the user decide whether she wants a phone number as a backup option or not.

    User already has backup codes as “backup” to the authenticator app. Please punish user for seeking enhanced security (2FA authenticator app) by force seeking user mobile number.
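    To make the point of this post concrete: an authenticator-app enrollment needs only a shared secret (delivered as an otpauth URI/QR code) and, for recovery, single-use backup codes. The following is an added example, not WordPress.com code, implementing RFC 4226/6238 HOTP/TOTP from the standard library; the seed constant is the RFC 6238 SHA-1 test seed, and the issuer/account names are placeholders.

```python
import base64, hashlib, hmac, secrets, struct

STEP = 30     # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6    # code length most authenticator apps expect

# RFC 6238 SHA-1 test seed ("12345678901234567890"), base32-encoded.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def new_totp_secret() -> str:
    """Fresh random 160-bit seed, base32-encoded for the authenticator app."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def enrollment_uri(secret_b32: str, account: str, issuer: str) -> str:
    """What the enrollment QR code encodes. No phone number is involved."""
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_b32}"
            f"&issuer={issuer}&digits={DIGITS}&period={STEP}")

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"

def totp(secret_b32: str, at: int) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(base64.b32decode(secret_b32), at // STEP)

def verify_totp(secret_b32: str, code: str, at: int, skew: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `skew` steps for clock drift."""
    key = base64.b32decode(secret_b32)
    counter = at // STEP
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-skew, skew + 1))

def new_backup_codes(n: int = 10) -> set[str]:
    """Recovery path if the app is unavailable: random single-use codes."""
    return {secrets.token_hex(4) for _ in range(n)}

def use_backup_code(store: set[str], code: str) -> bool:
    """A backup code is consumed on first successful use."""
    if code in store:
        store.discard(code)
        return True
    return False
```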

  • 1 + 2. Well, that’s called security and that’s all 2FA is about.
    3. You can’t set a random phone number as a verification code is sent to that number.

    You are not obliged to use WordPress.com’s 2FA. If you don’t like the system for some reason, then don’t use it.

  • 1 + 2. well that’s called security and that’s all 2FA is about.

    No, that’s not what 2FA is about. As mentioned in my earlier post, please look at the existing 2FA implementation of any other major web service. If a user decides to set up 2FA with an authenticator app, then the user doesn’t have to provide her phone number.

    3. You can’t set a random phone number as a verification code is send to that number.

    Looks like you haven’t tried setting up the 2FA authenticator app on WordPress.com. Please try first and then comment. To reiterate, with the existing 2FA implementation on WordPress.com, a user can give a random phone number and WordPress.com happily accepts it, allowing the user to set up the 2FA authenticator app.

    you are not obliged to use wordpress.com’s 2FA.

    Actually, the user is obliged to use 2FA on WordPress.com. You know, security and all.

  • Hi there,

    Our Privacy Policy addresses how and why we collect certain information:

    Privacy Policy

    Under How and Why We Use Information
    Purposes for Using Information

    To protect our Services, our users, and the public. For example, by detecting security incidents; detecting and protecting against malicious, deceptive, fraudulent, or illegal activity; fighting spam; complying with our legal obligations; and protecting the rights and property of Automattic and others, which may result in us, for example, declining a transaction or terminating Services.

    That is how 2fa is set up through WordPress.com and many companies follow the same practice in regards to asking for a phone number to set up two-step authentication to set up authentication apps.

    You of course have the right to choose to not use the 2fa feature in this manner, but there are certain features you will not be able to use as a result.

    Under choices:

    Limit the information that you provide: If you have an account with us, you can choose not to provide the optional account information, profile information, and transaction and billing information. Please keep in mind that if you do not provide this information, certain features of our Services — for example, premium themes that carry an additional charge — may not be accessible.

    But, rest assured that we take your security seriously and do everything within our power to protect your information.

    Hope that helps.

  • Thanks for the reply.

    many companies follow the same practice in regards to asking for a phone number to set up two-step authentication to set up authentication apps.

    Can you please give the name of at least one company which asks for mobile number while setting up 2FA authentication app method (not SMS method)?

    I have set up 2FA with Twitter, Reddit, Facebook, etc. and WordPress.com is the first company I came across which demands phone number while setting up the 2FA authentication app method.

    You of course have the right to choose to not use the 2fa feature in this manner

    As someone who values privacy and security deeply, why can’t I have 2FA authentication app set up without having to give my phone number to WordPress.com like all other companies?

  • I have set up 2FA with Twitter, Reddit, Facebook, etc. and WordPress.com is the first company I came across which demands phone number while setting up the 2FA authentication app method.

    Adding some more companies to the list which implement 2FA authenticator app method without violating user privacy:

    LinkedIn, Discord, Dropbox, Github, Gitlab, Cloudflare, etc.

    So, may I have the name of at least one company apart from WordPress.com which demands phone number while setting up 2FA authentication app method (not SMS method)?

  • staff-doublebassd clearly explained our two-step authentication policy and it’s up to you if you want to enable it or not.

  • Hi there,

    Wanted to let you know that there has been past communication internally in relation to not requiring a phone number when using the app and I added your thread to the report:

    https://github.com/Automattic/wp-calypso/issues/31

    We’ll be sure to keep you updated if anything changes.

    Thanks,

  • Thank you very much!

    For what it’s worth, I use WordPress.com via a desktop browser and want to set up the 2FA authentication app codes method, which shouldn’t need the user’s mobile number.

    Anyway, I just subscribed to that GitHub issue thread. Thanks again!

  • The topic ‘Two-step authentication by app codes and user privacy violation’ is closed to new replies.