Why do web services keep asking me about my phone number?

EDIT: As this is still the accepted answer, I've made a number of changes to the below text to clarify that, while the "why" is still "probably for multi-factor authentication", this method is not trustworthy.


A phone number enables an easy way to set up two-factor authentication for things like password resets or other sensitive actions. By calling you or sending a text message, the service can confirm that [access to] the phone [number] is a thing you have. An email account is really just a thing you know, the same as a password, because you can access it without anything other than a password (and the identifier - in this case, the address itself - but identifiers are generally considered public). Thus, a two-factor password reset flow might go something like this:

  1. Click on "Forgot my password" at login.
  2. Enter your email address, and the site sends you a password reset link.
  3. Open the password reset link (which contains a secret token), thus proving that the password to your email account is something you know.
  4. Service sends you a text message with a short secret code in it (possibly after making you confirm your phone number).
  5. You enter the code from the message, thus proving that your phone is a thing you have.
  6. Two-factor authentication being completed, you can now set a new password, log into the site, etc.

The advantage to the service provider is that they are now much less likely to have to spend customer service time and possible customer goodwill walking the line between "I can't remember my password" and "somebody hacked my account". That kind of thing can be a significant cost sink, and if the site contains anything sensitive then it may lead to reputational harm to the site if they aren't paranoid enough.

Unfortunately, hijacking mobile numbers is not that hard to do. Even leaving aside technical attacks (faked cell towers or spoofing the phone or passively sniffing the radio traffic to catch the SMS that gets sent), phone companies have demonstrated that they are not trustworthy when it comes to authenticating people correctly before issuing them a new SIM with your number. As such, SMS or call-based second factors should be considered a weak additional protection, and should definitely not be trusted for single-factor authentication.

As for what the provider can do with a number, well, worst case would probably be to give or sell it to robocallers, the telephone equivalent of spam. Calling a mobile number in such a manner is actually illegal in the USA (since we're about the only place in the world where the recipient pays for incoming calls, either via prepaid credit or minutes of usage, so commercial messages without an existing business relationship are forbidden) but they happen anyhow. Realistically, though, any but the sketchiest of sites is unlikely to do anything like this (feel free to check their privacy policy, though of course there's no guarantee it's not a lie).

Second-worst thing would be to use it to send you unsolicited calls or messages, but I don't think I've ever seen this happen (do check for a "use your contact information for marketing or promotions..." option and make sure it's not selected).

In theory, the phone number might be useful to identify you personally (through a directory service / social network / phone book / whatever) and it's a lot easier to create throw-away email addresses than throw-away phone numbers. It's unlikely, though. If you're the kind of person who uses a fake name and a single-use email address when signing up for something, then putting your real phone number in there is obviously a risk. Otherwise, it's probably pretty harmless.
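The six-step reset flow above, simulated on the service side as an added example (illustrative code, not from the answer or any real site; the class name, the hash helper, the time limits and the attempt limit are assumptions):

```python
import hashlib, hmac, secrets, time
RESET_TTL, SMS_TTL, MAX_ATTEMPTS = 15 * 60, 5 * 60, 3   # assumed policy values

def _h(s):
    # Only hashes of tokens and codes are stored, so a leaked table cannot be replayed.
    return hashlib.sha256(s.encode()).hexdigest()

class ResetService:
    def __init__(self, users, clock=time.time):
        self.users, self.clock, self.pending = users, clock, {}

    def request_reset(self, email):
        # Step 2: mint an unguessable link token; the caller "emails" it.
        if email not in self.users:
            return None            # show the same UI message either way
        token = secrets.token_urlsafe(32)
        self.pending[_h(token)] = {"email": email, "stage": "link",
                                   "exp": self.clock() + RESET_TTL}
        return token

    def open_link(self, token):
        # Steps 3-4: a live link proves email control; only then "text" a short code.
        st = self.pending.get(_h(token))
        if not st or st["stage"] != "link" or self.clock() > st["exp"]:
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"
        st.update(stage="sms", code=_h(code), attempts=0, exp=self.clock() + SMS_TTL)
        return code

    def submit_code(self, token, code):
        # Step 5: 6 digits are guessable, so bound attempts and compare in constant time.
        st = self.pending.get(_h(token))
        if not st or st["stage"] != "sms" or self.clock() > st["exp"]:
            return False
        if st["attempts"] >= MAX_ATTEMPTS:
            del self.pending[_h(token)]
            return False
        st["attempts"] += 1
        if not hmac.compare_digest(st["code"], _h(code)):
            return False
        st["stage"] = "verified"
        return True

    def set_password(self, token, new_password):   # Step 6: both factors done; single-use
        st = self.pending.get(_h(token))
        if not st or st["stage"] != "verified":
            return False
        del self.pending[_h(token)]
        self.users[st["email"]]["password"] = new_password   # real code: KDF-hash it
        return True
```

Note that the SMS step here only proves that the code reached whoever currently controls the number, which is exactly what the SIM-swap caveat above is about.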


Because it's the easiest way to obtain the second factor (something you have) in two-factor authentication. How this works was explained pretty well in CBHacking's answer. However...

Using your phone for two-factor auth is a BAD IDEA

The problem with phones is that it's surprisingly easy for hackers to social engineer their way through a telecom's customer service department and port your number to theirs, then use the phone to reset the account password.

It doesn't matter how computer-savvy you are. People in the cryptocurrency space have been hacked this way:

In the past month, there’ve been at least 10 cases of people publicly involved in the cryptocurrency scene being victimized by mobile phone hijacking. The consequences have been expensive, embarrassing, enduring, and, in at least one case, life-threatening.

The US Federal Trade Commission has put up an advisory regarding The Growing Problem of Phone Account Hijacking. More layman's coverage of phone number hijacking was recently in Forbes, for example.

Whenever possible, do not give your phone number, and choose Google Authenticator as a 2FA method. For more details, see this excellent guide by cryptocurrency exchange Kraken, or how to secure your online accounts.


I have a hypothesis that it is an identifier (non-social security number) that companies will sell to each other to track everything you do. So far I have been asked by: Vanguard, Fidelity, Bank of America, eBay, Amazon, Netflix, Yahoo, Google, LinkedIn. I think there are more, but I forget. It may be centralized because they all ask in the same manner, with the "not right now" option (never a "no, leave me alone and never ask again" option). The psychotic side of me says it is run by the NSA as an easy way to track you and everything you do (imagine, a single number code that represents an online presence and everything you do! Heaven for government snoops). The rational side of me says it is run by advertisers. Do I think it is for security? Nope. If it is for security then hypothetically you can give a different number to each company (why must it be a real phone number that they can call anyhow? Or can several people use the same shared number? Or can you set up several Skype-in numbers?). I am a naturally suspicious person and my alarm bells are going crazy these past few months. Something is not right at all.