"Guys, we know our users' names, addresses, all of their emails, browsing history, location history and contacts... but we're missing the critical information! Their phone numbers! Can anyone come up with a security justification for asking for it?"
-Nobody ever.
Come on, use your brain. Even if you are talking about smaller entities who might otherwise only have names and emails, why would they want phone numbers? They don't care about identifying you. And even if they did they already have your email and name.
Fingerprinting to a user, especially for a bulk request, without something to anchor on like a device id (or phone number), is harder than you make it out to be. End of third party cookies and so on has had an effect.
Because it is trivial to make a burner/secondary email address, but much less trivial to do the same with a phone number. Furthermore, everyone adds phone numbers to their contacts but very few add emails, so phone numbers are much more valuable from the perspective of inferring social graphs.
Both of these are extremely valuable for adtech and generic "growth & engagement" scum, thus why all companies matching this criteria started effectively requiring phone numbers. The 2FA/security angle is just an excuse for the true reason behind it.
None of that is related to providing identities to the government, which was his tin foil hat conspiracy theory for why 2FA is used.
I'd buy the spam reduction angle - it's a bit easier to get an email address than a phone number. But I have never seen a service require 2FA (except things like NPM and PyPI; but that's clearly for security) so I don't think it's that either.
I think it's pretty clear that the reason really is security. There's no conspiracy.
> None of that is related to providing identities to the government
Agreed. But I disagree that the true reason is security. The true reason is better stalking which is valuable to adtech scum which now happens to be the vast majority of consumer-grade tech.
> I have never seen a service require 2FA
Try register on Twitter. They'll let you register but then randomly suspend your account for alleged ToS violations (even if the account was outright inactive) but will give you the option of instantly unbanning yourself following phone number verification. Microsoft will randomly lock out MS accounts without a phone number attached and will require a phone number for "security" upon the next login (the security angle being very dubious considering they don't have a number on file to compare to, so even an attacker can pass this challenge just fine). Etc.
> There's no conspiracy.
It's true, there's no conspiracy, it's just business and can be explained by common sense and economics. Phone numbers help tracking people. Adtech makes more money the better it can target its ads. Most consumer tech nowadays is intertwined with adtech. Said consumer tech thus optimizes for higher profit by collecting more data to help adtech.
> Try register on Twitter. They'll let you register but then randomly suspend your account for alleged ToS violations (even if the account was outright inactive) but will give you the option of instantly unbanning yourself following phone number verification. Microsoft will randomly lock out MS accounts without a phone number attached and will require a phone number for "security" upon the next login (the security angle being very dubious considering they don't have a number on file to compare to, so even an attacker can pass this challenge just fine). Etc.
I have accounts with both of these orgs, not equipped with 2FA and none of what you describe has ever occurred.
-Nobody ever.
Come on, use your brain. Even if you are talking about smaller entities who might otherwise only have names and emails, why would they want phone numbers? They don't care about identifying you. And even if they did they already have your email and name.
Step away from the tin foil...