@dansup
Key point would be establishing that trust that the number wouldn't be stored because we have all seen this abused before.

@dansup In 100% of the cases where sign-up is tied to cellphones, account recovery is also tied to cellphones. The first is acceptable to me. The second is a non-negotiably unacceptable security risk.

@dansup sorry, but most likely no. If it’s for 2-factor authentication, phone/SMS-based ones have also been shown to be less secure as well as they are susceptible to SIM-jacking attempts.

Mastodon already has built-in app-based 2FA support, and I’m already using it for my account. There’s no need to use mobile phones for this.

@dansup
It isn't really a true barrier... You can get SMS through voip services

@dansup there is really no point into using sms. Let’s have mandatory 2fa with the usual auth apps for that.

@dansup "knowing the number" is something I can't trust. What service is used to send the code? Etc. I probably wouldn't unless I have no other choice (e.g. other instance)

@dansup@mastodon.social

I suspect I will be in the minority on this one, but I am AOK with the idea.
I have been fortunate to have the most amazing admins on Mastodon, Calckey and Pixelfed. I trust them. 💯

@dansup How would that process verify a user as not spammer?

@dansup How would I "know" this?

I see these claims on websites all the time "we'll never XYZ your ABC". How are they verified?

@dansup You're trusting the instance owner and whomever had access with what I consider to be a very personal and important piece of information. I don't think I'd be happy with it. It's nowhere near as easy to change or anonymise as an e-mail address, password etc. for the majority of people.

Do keep in mind that verifying phone numbers gets very expensive very fast.

@dansup As long as I can read their terms of service first so I know what they plan to use it for.

@dansup How can anyone be sure that the number would be deleted?

@dansup

I'd have to be convinced it's useful or does something. On the surface,, it sounds like security theater.

I'm not sure how it's actually useful or prevents misbehavior. It seems like it only works by being a hindrance. Doing that intentionally is a bit ableist, to a greater extent than it's effective.

@dansup Even if there's a way to convince the user that the pixelfed instance would not store the number: The SMS service will store that their customer (pixelfed instance XY) did send an SMS to number YX. For accounting reasons. "Your number will nowhere be stored for this procedure" will be a lie, no matter how your software is implemented, because of how SMS services work.

@dansup An issue here is how do I KNOW that my phone number isn't being stored...

@dansup

... because you **cannot know** your # won't be saved and sold and spammed.

@profcarroll

@dansup I have a disposable SIM I use when I have to give it a phone number, so I'm already in a weird category. That said, I can be persuaded to use that number for registration if I have to.

But I'd honestly be reluctant to trust any site that said this, because:
+ if it's genuinely not stored, a spammer can use the same number for 10,000 registrations and then just get another number, or
+ some process will complain about the number being reused, showing it really is being stored somewhere.

@dansup
@pixelfed

Besides the privacy issue, there is standing in solidarity with those who do not have mobile phones.

@dansup If the number won't be stored it will be useless, one spam bot could make as many accounts as it wants with the same number. Am I missing something?

@dansup this needs a “how do I know they won’t preserve the number or sell it?” option, though.

@dansup another thing why phone numbers as a "spam protection" isn't a good idea: it's fucking expensive for the instance admin to do the SMS stuff and on the other hand it costs almost nothing to get yourself some phone numbers you could receive SMS on as spammer

@dansup As long as it allows use of a Google Voice or other VoIP number

@dansup Cautious enough that I already use a phone masking service for anytime someone asks me for my number

@dansup

I'm old. Give me the option to send the code to my landline or my email, please, and you can do anything you want with it.

@dansup i'd be positive to it, but not it if it is a umbrella provider like pixelfed. As there are several websites with the same brand identity but has entirely different trust as to ho is behind it. If it was one provider with a clear unique identity like a hotmail.com or Gmail.com Who I can trust (as a normie) it would be different

@dansup I couldnt join an Instance that needed a mobile phone to register I dont have a mobile phone ,theres no signal in the house or garden I have to walk to a mound on the road to get a signalHuge swathes of the area have no signal .Same for many other houses in rural areas of the UK ,only 1 out of 4 of my previous homes in the north of Scotland had a signal ,neither of my homes in Yorkshire did,its less uncommon than people think

@dansup Are you intending to block all the (many) anonymous services that offer an SMS number that simply display all incoming messages on a public web page, precisely to get around having to give out your real mobile number to potentially untrustworthy web services?
If you’re not storing the number, what prevents a spammer using just one number to set up 10,000 accounts?

@dansup this only fights spam accounts on large centralized instances.

And we don't want large, centralized instances.

We want to encourage many, small, federated instances. So IMO any effort to improve spam fighting, should go to tools and tech for fighting spam in a world with many, small, federated instances.

@dansup it would depend a lot on how much I trust the instance owner. It’s a standard approach for mitigating bots and reasonably effective - but must every social media company that’s done this has abused the data eventually. Verification by a trusted third party might be an easier sell.

@dansup “Knowing”? No could know that. How about “Hoping”, “Believing”, or “Thinking”