Can a company website refuse to allow me to sign up without a mobile number?

pbartlett

2FA is not and never has been about 'verifying identity'

2FA is about verifying credentials - eg login credentials, transaction credentials etc etc

Andy_L

whalemoney said:

custardy said:

Of course its lawful. They can sell/not sell to whomever they wish.
Using your supermarket example.
Tesco have a special set of instore prices only available if you provide them with personal details. They call it Clubcard.

What on earth are you on about.  My example is a supermarket wouldn't be allowed to refuse entry.  So your Tesco Clubcard example is utterly ridiculous.  Tesco aren't refusing to allow entry to customers that don't have a clubcard are they.

Cash & Carries won't let you in without a membership card

unholyangel

PragmaticMoneySaver said:

unholyangel said:

Nor is a mobile phone number more secure than an email address, landline number or a postal address (it's actually less secure). 

I'd beg to differ.

In the scheme of multi factor authentication a mobile number relies on the "something you have" principle so you physically have to have the device.
An email address has no physical presence so cannot be the physical element of something you have.
A postal address is "somewhere you are" so addresses another principle

That may be the reliance that is placed on mobile devices (that you need to physically have it) by banks or other companies, but ask any data security expert and they'll tell you it's a very misplaced reliance. 

And if you'll note, I said a postal address is more secure than mobile number...for the very reason that it's not online and you do physically have to have access to it.

Also the something you have is regarding strong customer authentication required by banks. Not all MFA/2fa/2sv requires it to be physical. 

PragmaticMoneySaver

That may be the reliance that is placed on mobile devices (that you need to physically have it) by banks or other companies, but ask any data security expert and they'll tell you it's a very misplaced reliance. 

Indeed it is a misplaced reliance as it is very easily spoofed/changed/diverted.  But in the absence of a provided challenge/response authentication device it is one method that is easily accessible to the masses. 

Also the something you have is regarding strong customer authentication required by banks. Not all MFA/2fa/2sv requires it to be physical. 

No, that is exactly the point of multi factor authentication it can be many things.  Whilst mobiles are not particularly secure as a method, they are rarely used as a single point of authentication, the more points (hence multi) the added security - even if those points of security are weak they are still an additional barrier to a bad actor.   Any data security expert will tell you that it is downright impossible to be 100% secure with no chance of breach but the more obstacles that are put in place the harder it is to breach data security.  It must be a balance between added security and maintaining accessibility with a reasonable cost.

For example, it is theoretically possible for all banks to issue all customers with challenge-response devices that require to be unlocked by biometric authentication whilst geofenced in a specific area in a time coded access period granted by telephone request.  This would of course be ridiculous, expensive and over complicated therefore a reasonable approach is taken guided by the organisations data security risk assessment.

unholyangel

PragmaticMoneySaver said:

That may be the reliance that is placed on mobile devices (that you need to physically have it) by banks or other companies, but ask any data security expert and they'll tell you it's a very misplaced reliance. 

Indeed it is a misplaced reliance as it is very easily spoofed/changed/diverted.  But in the absence of a provided challenge/response authentication device it is one method that is easily accessible to the masses. 

Also the something you have is regarding strong customer authentication required by banks. Not all MFA/2fa/2sv requires it to be physical. 

No, that is exactly the point of multi factor authentication it can be many things.  Whilst mobiles are not particularly secure as a method, they are rarely used as a single point of authentication, the more points (hence multi) the added security - even if those points of security are weak they are still an additional barrier to a bad actor.   Any data security expert will tell you that it is downright impossible to be 100% secure with no chance of breach but the more obstacles that are put in place the harder it is to breach data security.  It must be a balance between added security and maintaining accessibility with a reasonable cost.

For example, it is theoretically possible for all banks to issue all customers with challenge-response devices that require to be unlocked by biometric authentication whilst geofenced in a specific area in a time coded access period granted by telephone request.  This would of course be ridiculous, expensive and over complicated therefore a reasonable approach is taken guided by the organisations data security risk assessment.

Just to be clear, I'm not suggesting that no one use mobiles for MFA ever. Just that 1) I agree with OP it doesn't prove your identity, 2) they shouldn't make it their only method (because of the security flaws and high probability it would discriminate against certain characteristics) and 3) no one with any expertise on the subject would suggest a mobile phone is secure.

Robbo66

whalemoney said:

custardy said:

Of course its lawful. They can sell/not sell to whomever they wish.
Using your supermarket example.
Tesco have a special set of instore prices only available if you provide them with personal details. They call it Clubcard.

What on earth are you on about.  My example is a supermarket wouldn't be allowed to refuse entry.  So your Tesco Clubcard example is utterly ridiculous.  Tesco aren't refusing to allow entry to customers that don't have a clubcard are they.

No but they do offer discount to people that have a club card. Some of the products have a club card price so if you don't have one you pay a slightly higher price.

beeg0d

whalemoney said:

custardy said:

Of course its lawful. They can sell/not sell to whomever they wish.
Using your supermarket example.
Tesco have a special set of instore prices only available if you provide them with personal details. They call it Clubcard.

What on earth are you on about.  My example is a supermarket wouldn't be allowed to refuse entry.  So your Tesco Clubcard example is utterly ridiculous.  Tesco aren't refusing to allow entry to customers that don't have a clubcard are they.

However there IS a supermarket that DOSE refuse entry without givng them your phone (and there is indeed security to provent you entering without presenting your phone). Amazon Fresh stores, you need to scan the amazon shopping app from your phone to gain entry, no phone no entry and as far as im aware they havent been shut down by the police just yet.

custardy

whalemoney said:

custardy said:

Of course its lawful. They can sell/not sell to whomever they wish.
Using your supermarket example.
Tesco have a special set of instore prices only available if you provide them with personal details. They call it Clubcard.

What on earth are you on about.  My example is a supermarket wouldn't be allowed to refuse entry.  So your Tesco Clubcard example is utterly ridiculous.  Tesco aren't refusing to allow entry to customers that don't have a clubcard are they.

Well it was yourself that specifically mentioned websites as an issue for 2FA and then drew comparisons with bricks & mortar establishments. 
You can buy Myprotein products in stores or websites no offending your mobile issues, so I suggest you do so 
You will have limited range and be paying more but your mobile number will of course be quite safe

IvanOpinion

unholyangel said:

Just to be clear, I'm not suggesting that no one use mobiles for MFA ever. Just that 1) I agree with OP it doesn't prove your identity, 2) they shouldn't make it their only method (because of the security flaws and high probability it would discriminate against certain characteristics) and 3) no one with any expertise on the subject would suggest a mobile phone is secure.

In response to your points
1. You are correct that it does not prove identity it but it significantly reduces the risk that it is someone else.  If you really want proof maybe they just request a DNA example everytime you log on.
2. There is no discrimination against anyone, because there is usually other, often complicated, means of verification for those that genuinely need them (as opposed to those that choose to make mountains out of molehills)
3. It is not the mobile phone that is the concern, it may or may not be secure depending on the software.  So SMS is more secure than email is more secure than passwords is more secure than nothing, but dedicated authentication apps running on exactly the same phones will provide more security (of course you could go with many more authentication factors - the most I have come across in my job though has been 4 factor authentication: password, authentication app, fingerprint  and mobile phone had to be traceable to specific sites).

unholyangel

IvanOpinion said:

unholyangel said:

Just to be clear, I'm not suggesting that no one use mobiles for MFA ever. Just that 1) I agree with OP it doesn't prove your identity, 2) they shouldn't make it their only method (because of the security flaws and high probability it would discriminate against certain characteristics) and 3) no one with any expertise on the subject would suggest a mobile phone is secure.

In response to your points
1. You are correct that it does not prove identity it but it significantly reduces the risk that it is someone else.  If you really want proof maybe they just request a DNA example everytime you log on.
2. There is no discrimination against anyone, because there is usually other, often complicated, means of verification for those that genuinely need them (as opposed to those that choose to make mountains out of molehills)
3. It is not the mobile phone that is the concern, it may or may not be secure depending on the software.  So SMS is more secure than email is more secure than passwords is more secure than nothing, but dedicated authentication apps running on exactly the same phones will provide more security (of course you could go with many more authentication factors - the most I have come across in my job though has been 4 factor authentication: password, authentication app, fingerprint  and mobile phone had to be traceable to specific sites).

Not quite sure you've though out your response. 

Point 2 doesn't apply where there are other methods and that should've have been evident from my saying it shouldn't be the only method. 

Point 3 there are mobile phones that are more or less secure. There's no mobile phone that is 100% secure. 

Why do you think sms is secure? You realise the phone itself can have software installed which allows someone to see everything? Even the stuff you delete?