Secondary Education: Measuring Secondary Uses of 2FA Phone Numbers


Min Hee Kim, Christina Yeung, Daniel Salsburg, and Joseph A. Calandrino, Federal Trade Commission


If a security feature requires user data, concerns over secondary uses of that data may influence user adoption of the feature. We explore secondary uses of phone numbers that users share for two-factor authentication. Some companies have reused these numbers for purposes unrelated to security, such as targeted advertising. Focusing on top sites, we assessed user-observable secondary uses of phone numbers in two ways. First, we examined web traffic for evidence that sites share numbers with third parties when the user enrolls in two-factor authentication. Second, we monitored calls, voicemail, and text messages to the phone numbers over a two-month period after enrollment. We observed neither form of secondary use in our analysis. Our results suggest a consistent norm against these secondary uses, with potential implications for companies considering practices that deviate from these norms.
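The first measurement described above, checking captured web traffic for a phone number sent to third parties at enrollment, can be sketched as follows; this is an added example, not the authors' tooling. It assumes a HAR 1.2 capture, a first party identified by one registrable domain, and a guessed set of encodings (plain, base64, MD5/SHA-1/SHA-256); the number, hostnames and capture are constructed.

```python
import base64, hashlib
from urllib.parse import urlsplit, unquote

def phone_variants(e164):
    """Map label -> string a request might carry for this number (assumed encodings)."""
    digits = e164.lstrip("+")
    # "national" assumes a one-digit country code, as in the constructed number below
    plain = {"e164": e164, "digits": digits, "national": digits[1:]}
    out = dict(plain)
    for label, value in plain.items():
        raw = value.encode()
        out[f"base64({label})"] = base64.b64encode(raw).decode()
        for algo in ("md5", "sha1", "sha256"):
            out[f"{algo}({label})"] = hashlib.new(algo, raw).hexdigest()
    return out

def third_party_hits(har, first_party, e164):
    """Return sorted (host, encoding) pairs for requests to other domains carrying the number."""
    # Longest variants first, so a hashed or full form is reported before a substring of it
    variants = sorted(phone_variants(e164).items(), key=lambda kv: -len(kv[1]))
    hits = set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # first-party traffic is expected to contain the number
        parts = [req["url"], req.get("postData", {}).get("text", "")]
        parts += [h["value"] for h in req.get("headers", [])]
        hay = unquote("\n".join(parts))  # undo percent-encoding such as %2B
        for label, value in variants:
            if value in hay or value in hay.lower():  # lower() catches upper-case hex
                hits.add((host, label))
                break
    return sorted(hits)

PHONE = "+12025550143"  # constructed number
SAMPLE_HAR = {"log": {"entries": [  # constructed capture
    {"request": {"url": "https://www.site.example/2fa/enroll", "headers": [],
                 "postData": {"text": "phone=%2B12025550143"}}},
    {"request": {"url": "https://t.ads.example/p?uid="
                 + hashlib.sha256(b"12025550143").hexdigest().upper(), "headers": []}},
    {"request": {"url": "https://cdn.static.example/app.js", "headers": []}},
    {"request": {"url": "https://sms.vendor.example/send", "headers": [],
                 "postData": {"text": '{"to":"+12025550143"}'}}},
]}}

if __name__ == "__main__":
    print(third_party_hits(SAMPLE_HAR, "site.example", PHONE))
```

A hit only shows that the number left the first party; whether the recipient serves a security purpose (an SMS delivery vendor, for instance) or an unrelated one still needs manual review.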

    author = {Kim, Min Hee and Yeung, Christina and Salsburg, Daniel and Calandrino, Joseph A.},
    title = {{Secondary Education: Measuring Secondary Uses of 2FA Phone Numbers}},
    booktitle = {Who Are You?! Adventures in Authentication Workshop},
    year = {2020},
    series = {WAY~'20},
    pages = {1--5},
    address = {Virtual Conference},
    month = aug,
    publisher = {}
} % No publisher