Take it from me: never, ever get a new phone number

Two years ago, I got a new phone number. In the eyes of my social media and ride-hailing apps, Amazon, my bank, and the state of Pennsylvania, that effectively meant I lost my identity. Only recently have I emerged from this technology-induced quagmire.

Sitting at my desk with a new smartphone in hand, I slowly rotated my head up and down while staring into the front-facing camera. Then, without breaking eye contact with the lens, I carefully turned my head from one ear to the other. The short clip was supposed to prove to Instagram's security system what I had been insisting for weeks: that I was not an imposter — that I was, in fact, me.

"Thank you for your selfie video," the automated email from Instagram said. "We received this information and it's pending review."

I not only had forgotten my Instagram password but also no longer had access to my old phone number: Since I'd last logged in, I'd switched to a money-saving family plan with a new mobile provider. To get past Instagram's two-factor authentication security — where the app verifies your identity by texting you a secret code — and regain access to 12 years of cat photos and filtered city skylines, I had to upload a video of my face.

As I awaited Instagram's response, I imagined somebody from the company's security team watching my selfie video, eyeballing the pictures I'd posted to my account over the years, and confirming my identity once and for all. A few minutes later — far too quickly for a real person to be behind it — an email arrived. "Your Information Couldn't Be Confirmed," the subject line said. My information? You mean, my face?

"We weren't able to confirm your identity from the video you submitted," the message said. "You can submit a new video and we'll review it again."

As fun as this game sounded, I had other things to take care of.

I figured that suddenly switching phone numbers would result in some headaches, but I didn't foresee how complicated it would actually become. From Lyft and Cash App to Instagram and Amazon, I suddenly had to jump through logistical hoops that varied from one platform to the next to verify my flesh-and-blood identity and regain access to my digital life. Confirming my identity became a part-time job. And as I learned the hard way, fellow human beings who could help me sort things out were hard to come by.

While the origin of text-message-based two-factor authentication goes back as far as the 1990s, it wasn't until the early 2010s that it really started to proliferate. As more people bought smartphones, it seemed convenient to use a person's phone number as a way to confirm their identity. At the same time, the growing frequency and sophistication of data breaches and cyberattacks rendered traditional passwords nearly useless, prompting then-President Barack Obama to write an op-ed in The Wall Street Journal in 2016 imploring citizens to "move beyond passwords" and embrace additional layers of security to protect their data. Even in 2024, hackable passwords like "1234" and "password" remained alarmingly common.

By requiring people to take an extra step (or two) to verify themselves, multifactor authentication offers a massive security improvement over the traditional password. Thanks to remote work, MFA adoption is on the rise: 64% of people using Okta use some form of multifactor authentication, a 2023 report by the company found. Before the pandemic, it was 35%.

Despite its benefits, the system developed a serious flaw somewhere along the way: SMS-based two-factor authentication, which relies on calling or texting someone's phone to verify their identity. Unlike MFA methods that rely on an authenticator app, text-based authentication is arguably the least secure way to verify someone's identity. Unfortunately, it's also one of the most common.

"We often see that less mature organizations have standardized on using that SMS-based code," said Cristian Rodriguez, the field chief technical officer for the Americas at the cybersecurity firm CrowdStrike. Apple, Google, Zoom, Slack, Dropbox, PayPal, and most major US banks and universities are on the long list of sites that still use it.

"It's also easy to intercept," Rodriguez said of the method. "SIM swapping is a really easy way to circumvent that as an attacker."

In a SIM-swapping attack, a hacker can gain control of someone's phone number and wreak havoc on their lives. From their bank and social media accounts to credit cards stored in digital wallets like Apple Pay, the amount of access a cybercriminal can gain is staggering. It shows just how thoroughly our lives are tied to our phone numbers.

Recently, hackers aligned with the Chinese government managed to gain access to US phones via their telecommunication networks in a massive hack dubbed Salt Typhoon, which the federal government says is among the worst in the nation's history. While the exact origins and overall impact of Salt Typhoon are still being investigated, experts say that the two-year infiltration could have affected millions of Americans. In the wake of the attack, which was first reported in October, the feds are advising people to stop using SMS-based authentication.

Unlike our fingerprints or faces, our phone number is not a permanent feature of our identity. It's just a sequence of digits randomly assigned to us by a cell provider when we sign up. If we stop paying, switch mobile providers, or move to a new country, the number is no longer ours. Even an email address — in my case, a 20-year-old Gmail account that I'm certain will continue receiving marketing promotions long after I'm dead — would make a more reliable long-term indicator of who I am than my phone number. After all, my email address will never be reassigned. It's mine. My phone number — along with the roughly 35 million numbers that get reassigned each year, according to the Federal Communications Commission — is another story.

Few companies seem to recognize the problem: In early 2023, X decided to end support for SMS-based two-factor authentication for nonverified users, citing its weakness. Following major breaches, tech giants like Google and Microsoft have also begun to make moves away from SMS authentication. Still, X stands alone among major social media platforms in abandoning it altogether — a fact that I had to learn the hard way.

In most cases, regaining access to my accounts was simple. My bank, for instance, just required a quick phone call to a customer service agent to confirm my identity, bypass MFA, update my phone number, and reset my password.

Instagram, an operation notably larger and more resourced than the small credit union I bank with, did not offer a customer service hotline. Instead, after about half a dozen clicks from Instagram's login screen, I found my way into the depths of a customer service FAQ page that suggested I send a video selfie. I had to send several videos into the automated void before the app caved and let me back into my account.

My Amazon account, which includes services like Audible, Alexa, and Whole Foods shopping, proved a surprisingly impenetrable fortress. After clicking my way through a labyrinth of links, I eventually reached a prompt that asked me to upload a photo of my passport to verify my identity. After not hearing anything for a week, I tried again. A few months later, Amazon let me back in. (Instagram and Amazon did not respond to multiple requests for comment.)

Thanks to the ongoing AI-ification of customer service and the growing use of chatbots, the privilege of speaking with a real person is increasingly rare. To this day, I'm unable to verify my LinkedIn profile. Even after asking for my current phone number, the identity-verification platform used by LinkedIn, Clear, continues to text a six-digit code to my old phone number, which it somehow summons from the cloud. Of course, there's no one to speak with to resolve the issue. Oh well.

Getting locked out of social networks and online shops is extremely annoying. But it's nothing compared to the nightmare I suffered through when I tried to sign up for unemployment benefits after getting laid off from my journalism job.

The state government of Pennsylvania uses the aptly named ID.me service to handle its website login and identity verification for services like unemployment. On its website, ID.me boasts integrations with 19 federal agencies, 35 healthcare-related organizations, and more than 600 online stores in its mission to empower consumers with "a single log-in that lets you easily prove you're you." There's just one problem: ID.me ties your digital identity to your phone number.

When I tried logging in to the Pennsylvania unemployment site to claim my benefits, I discovered I already had an ID.me account — presumably from some other government site I had previously accessed. That account, of course, was linked to my old phone number.

Without access to that number — and having no clue what my password might have been — my only option was to submit a request to bypass MFA and regain access to my ID.me account through the company's customer service help desk.

After I got an automated confirmation email from Roy, the self-described "virtual agent" at ID.me, my request went ignored for 48 hours. After multiple follow-ups and a great deal of patience, I was finally able to set up a phone screening with a real human. Ten days after my initial request, I was on the phone with a customer service agent who emailed me some instructions: Fill out a few forms and send them back along with digital scans of my passport and Social Security card. Normally, sending such sensitive information over email would give me pause, but in this case, the ID.me customer service agent was holding my identity and my financial security hostage, so I was inclined to do whatever he asked. I could only hope that ID.me's cybersecurity practices were more robust than its customer service operation.

After 30 days of submitting and resubmitting various identifying documents, I was finally able to log in to my account. By then, I had taken care of my unemployment needs the old-fashioned way: filing my application manually over the phone — a process that took nearly three hours over the course of two excruciatingly tedious phone calls. (ID.me did not respond to a request for comment.)

Technology that used to promise to simplify our lives now seems to make everything more complicated. Before automated self-checkouts entered the grocery store, the checkout process was never interrupted by a confused machine thinking you forgot to scan an item, forcing you to wait for a human to help. For all the innovative "smart" technology that has wormed its way into modern cars, it often feels like we're one software glitch away from getting locked out of them, too.

It's 2025 — we have artificial intelligence that's capable of forming romantic relationships. I should be able to unlock my laptop with my thumbprint or scan my face to quickly access my online shopping accounts. If our tech is this advanced, why is it still so hard to convince the machines it's actually us?

You don't have to take my word for it. You can ask Keith, the person who had my new phone number before me. I have no idea who Keith is, but I know he, too, is having trouble getting back into his websites and apps because I keep getting texts containing six-digit verification codes that I never asked for. While I eventually got back into most of my accounts, it seems that Keith is still struggling.

Keith, if you're out there: Your prescription is ready to pick up at Rite Aid.

John Paul Titlow is a freelance journalist who writes about technology, digital culture, travel, and mental health.