
For a moment I was thinking that perhaps this could be the foundation for something to replace Google Voice for some people. Unfortunately I am not sure that most SIP telephone numbers will be usable for things like account verification.



Why not?

If I get a number via Twilio/$X is the receiver of the call able to tell? I haven't spent a lot of time with SIP and POTS stuff. All my time has been WebRTC and got into SIP for work.


>is the receiver of the call able to tell?

Unfortunately, yes. After I ported my number from AT&T to Google Voice, a lot of services refused to accept it. Requiring SMS 2FA with a non-VOIP number seems to be a common anti-spam measure these days. It's often required for new accounts.


Odd, I have had a Google Voice number since like 2010 and never an issue with two factor.


Yes, there are many APIs available to look up the carrier that services a phone number. You can sort these carriers into categories (landline, mobile, VOIP...) and many services won't accept the number for SMS OTP use if the carrier isn't a "real" mobile carrier, in a somewhat hamfisted effort to prevent fraud.


As a counterexample I long ago ported my landline phone number to a SIP provider that supports SMS and due to the phone number being baked into various accounts the family has, I know it works for verification at least for those services (one of which is a bank).


You figured out the right way to do it: porting an existing number. That is a good workaround for the easy way to do “service provider lookups” via an NPA NXX database like https://localcallingguide.com/lca_prefix.php. I suspect that if you go there and enter your area code and NXX you’ll see it listed as your original landline provider and not your SIP provider. When you go to provision a phone number from Twilio’s own pool, you’ll often see that all of the numbers come from a small number of NPA-NXX-xxxx blocks and those blocks are the ones that many 2FA and user auth services reject.

To get a little deeper into it, Twilio (in Canada at least) doesn’t often own the NPA-NXX block either. Around where I am, the blocks are generally owned by IrisTel, who is a SIP provider in their own right. An old client of mine that had a data residency/privacy issue (their client required all of their data to be processed in Canada) ended up provisioning some numbers directly with IrisTel and doing that integration using FreeSWITCH.


I ported my longtime cell number into GV a while back and have also noticed that it kept working everyplace where I ended up leaving it. I suspect they only run these checks upon the addition of the number, and not ever again.

I hate that the fraudsters make it so that we Can't Have Nice Things, but I also see why and if anything we need more ways to add costs (calibrated to be manageable to spend once, but costly if you get banned daily) for account creation in a lot of places.



I've encountered several services that demand a mobile number for verification. Google Voice numbers are rejected and surprisingly, so are landline numbers. Only numbers for mobile are accepted. It's just another case of how the tech world has outsourced identity verification to the mobile telecom companies.


Companies that mandate use of another company offer a good reason to shun both companies, when there are independent competitors which prioritize customer relationships over "business partner" relationships.

SMS is woefully insecure for multi-factor authentication, when we have TOTP and other open standards that work with local-only password managers.


And not only that, most companies that involve SMS in their IDP make it a master key (a single-factor) -- if you can read one text, you can take over the whole account without even having the password. I keep waiting for this to change, but out of all my banks not one supports a proper TOTP.


It's really annoying, especially when they frequently then expect you to enable that cell number as not only a 2FA but really a 1FA (capable of resetting your password WITHOUT the password).

It's because it's super cheap and simple, though, and that's about it.


My impression is that SIP providers are usually not regular telephony companies. So by looking at who the provider is, it is often possible to determine that it is a SIP number and not a regular number. Which in turn might lead to the phone number you are paying for not being usable for account activation. Because websites will think that you are a spammer.


It used to be the wild west but FCC is tightening up (maybe even going too far, we'll see). STIR/SHAKEN and KYC (know your customer) rules are making it more expensive for providers to allow any traffic over their networks. Shady providers would look the other way at spammers pumping traffic (providers getting paid); shady providers mix legitimate traffic in so upstream carriers can't just block them, etc.

Now, there's more regulatory teeth to go after the shady providers allowing this traffic.


Could you mask the provider, and a VoIP provider appear to be like "SimpleTalk Wireless" or something and fake being a mobile phone carrier?


No, at least not without spinning up your own MVNO, registering it, and getting the phone numbers you care about ported over to it.

The provider information isn't encoded in the calls themselves, there's essentially a (number of) centralized databases that can be queried to get provider information, out of band.
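An added example (not from any commenter) of the two lookups discussed in this thread: classification by NPA-NXX block assignment versus a per-number lookup that consults porting records held out of band. The carrier names, block assignments, porting records and function names are all constructed for illustration.

```python
import re

# Constructed block assignments (NPA-NXX -> original holder, line type).
# Not real data; 555-01xx line numbers are reserved for fictional use.
BLOCKS = {
    ("212", "555"): ("ExampleTel Landline", "landline"),
    ("416", "555"): ("Example SIP Wholesale", "voip"),
    ("604", "555"): ("Example Mobile", "mobile"),
}

# Constructed per-number porting records, standing in for the out-of-band
# database a carrier-lookup service would query.
PORTED = {
    "2125550123": ("Example SIP Provider", "voip"),
    "6045550145": ("Example VoIP App", "voip"),
}

def normalize(raw):
    """Return the 10-digit NANP number, or None if it is not well formed."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    # NPA and NXX must each start with a digit 2-9.
    if not re.fullmatch(r"[2-9]\d{2}[2-9]\d{6}", digits):
        return None
    return digits

def by_prefix(number):
    """Classify from the block assignment only (ignores porting)."""
    return BLOCKS.get((number[:3], number[3:6]), ("unknown", "unknown"))

def by_number(number):
    """Classify per number: porting record first, block as fallback."""
    return PORTED.get(number) or by_prefix(number)

def audit(raw_numbers):
    """List numbers whose prefix-based line type differs from the current one."""
    findings = []
    for raw in raw_numbers:
        number = normalize(raw)
        if number is None:
            findings.append((raw, "invalid", "invalid"))
            continue
        prefix_type, current_type = by_prefix(number)[1], by_number(number)[1]
        if prefix_type != current_type:
            findings.append((number, prefix_type, current_type))
    return findings
```

Running `audit` over stored numbers shows which ones a prefix-only check, or a check done only once at enrollment, would classify differently from the current per-number record.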


Any pointers to make that happen using kamailio?


It's really up in the air as far as VoIP/SIP and phone numbers. We have certain "mobile" version (outside US/CA) DID numbers that seem to work well with OAuth SMS. (OpenAI uses them among others).



