Hashing Phone Numbers For 2-Factor Authentication

With the rise of the internet and the increasing risk of getting hacked, it's more necessary than ever to have an extra layer of security on our accounts, since a password alone is not enough. Using phone numbers for 2FA sounds much more secure, but phone numbers are considered much more personal than emails, and most people hesitate to give them away because of the risk of getting marketing SMS or, even worse, a data breach.

Phone Numbers Used For 2FA

Is there a need to trust these services?

You might say that you only use 2FA for important and trusted services, that they don't send marketing SMS, and that they can't have a data breach. Yes, most probably they won't have a data breach, but do you even need to give them your phone number?

The answer is a resounding NO, you don't need to, and the alternative is as beautiful as it sounds: these services don't need to store your phone number, they store the hash of your phone number. Let's discuss how that works.

What is Hashing and What's so special about it?

Hashing Function

To understand a hashing function, consider this analogy. Suppose you have a blender: you put some stuff in it, blend it completely, and take out a spoonful of the blended material. If we assume perfect blending, this spoonful represents our input material, and if we precisely specify the conditions of blending, we will always get the same output for the same input.

Thus, this spoonful can be used to represent our input material. But the size of the output is always one spoon, which is mostly less than the input. This implies that although the output represents our data completely, it's not enough to get the original input back from it, as that is lost. What this spoonful can do is verify whether another input is identical to this input: if they are, they have the same output.

But Hashes Can Collide

Hash Collision

You may have guessed from the analogy that it is possible for two different inputs to have the same output. Yes, it's possible, and it does happen in some less advanced hashing algorithms.

However, if we consider advanced hashing algorithms like SHA256 (which no one has found a collision for yet), the chances of a collision are lower than those of a space rock nuking us tomorrow.

Even better, in our use case, where we are hashing phone numbers, anyone who wants to exploit this collision vulnerability would not only have to know the phone number and find a collision, but also make sure that the colliding data is a valid phone number, which is so unlikely that we call it impossible.

Working of such a model

The working is pretty simple, and there are various ways of implementing it. If a company insists that it won't use your phone number for marketing, or doesn't want to take the risk of a data breach, it can ask for your phone number, hash it, and store the hash.

When you try to log in and want to use 2FA, you enter your associated phone number yourself (an extra step), and they can easily verify that it is the same phone number. They then continue with the usual procedure. This, of course, depends on them not storing your phone number anyway, which they shouldn't if they insist so.
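The enroll-then-verify flow described above, as an added sketch that is not code from the original post. Because the set of valid phone numbers is small enough to enumerate, it uses a keyed hash (HMAC-SHA256 under a server-held secret) rather than bare SHA-256; that choice, the simplified normalization, and all names (`PEPPER`, `enroll`, `verify_for_2fa`, the default country code) are assumptions of the example.

```python
import hashlib
import hmac
import re
import secrets

# Assumption: a server-held secret kept outside the user database.
# Constructed at import here; a real service would load it from a secrets store.
PEPPER = secrets.token_bytes(32)


def normalize(phone: str, default_cc: str = "1") -> str:
    """Reduce input to a canonical +<digits> form so the same number typed
    with spaces, dashes or a 00 prefix produces the same hash (simplified)."""
    s = phone.strip()
    digits = re.sub(r"\D", "", s)
    if s.startswith("+"):
        pass                              # already carries a country code
    elif digits.startswith("00"):
        digits = digits[2:]               # 00 international prefix
    else:
        digits = default_cc + digits      # assume a national number
    if not digits or len(digits) > 15:    # E.164 allows at most 15 digits
        raise ValueError("not a plausible phone number")
    return "+" + digits


def phone_tag(phone: str, key: bytes = PEPPER) -> str:
    """Keyed hash of the normalized number; this is all the service stores."""
    return hmac.new(key, normalize(phone).encode(), hashlib.sha256).hexdigest()


def enroll(db: dict, user: str, phone: str) -> None:
    db[user] = phone_tag(phone)           # the number itself is discarded


def verify_for_2fa(db: dict, user: str, typed_phone: str):
    """At login: return the number to send the code to, or None on mismatch."""
    stored = db.get(user)
    try:
        candidate = phone_tag(typed_phone)
    except ValueError:
        return None
    # Constant-time comparison of the stored and recomputed tags.
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    return normalize(typed_phone)
```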

Is it Feasible Though?

The only extra step involved is you typing your phone number and them verifying it, and the added benefits and protection against a data breach are worth more than this minor inconvenience. Now you may be wondering why even emails are required; can't they be hashed too? Yes, they can, and some services already do that. One I am aware of is tildes.net.

Email-less Account

Conclusion

We saw that it's possible to not store critical information when its only purpose is to verify authenticity. This is ideal for companies that don't insist on marketing emails and SMS, so they can surely do it.