Coffeehouse Thread

37 posts

Dont give Microsoft your phone number

Back to Forum: Coffeehouse
  • blowdart

    , Ray7 wrote

    But why do they need a phone number for that? Isn't an alternative email address good enough?

    In my view? (And I emphasis MY view) No. People carry their phones. It's a central point. Email addresses are too easily hijacked, read in multiple places and so on. Of course I'd prefer a secure ID myself, or a yubi key (maybe google authenticator at a push, but that's just a soft token, so do it properly with a soft SecureID then), but SMS is ubiquitous. My bank does it, Paypal does it, I have all MS billing transactions set up to do it.

     

  • evildictait​or

    , GoddersUK wrote

    @evildictaitor: Which is pretty stupid really given that you could just use an unregistered PAYG sim... Except that makes you a terrorist Perplexed

    It ups the barrier, and that's what matters. Microsoft doesn't need to prevent bad people from mis-using Azure, they just need to take reasonable action to prevent it from happening.

  • Ray7

    @blowdart:I see.

    Then I guess one possible solution (if you don't want to hand out your phone number) is to get a YAC number and use that.

  • ScottWelker

    , warren wrote

    ...they've only ever called me for renewing my MSDN or TechNet subscription

    *shrug*

    Same here but I don't want to be called. Phone calls are interrupts. Send me an email and I'll get to it on my time. Just a personal preference. Only a select few get to interrupt me... like my wife Wink

    I will NOT give you my phone number. It's personal and none of your business.

    ( Edit: Ok, I'll sometimes give it out but very very selectively. )

  • ScottWelker

    , blowdart wrote

    *snip*

    If you want to check how your profile is configured, you can do so here

    Thanks! Some of my info was very dated. Nice and clean now Smiley

  • Craig_​Matthews

    Being able to read my email in multiple places makes my email address less capable of being a good contact point? You're right in that I always carry my phone. It receives my email.

  • blowdart

    , Craig_​Matthews wrote

    Being able to read my email in multiple places makes my email address less capable of being a good contact point? You're right in that I always carry my phone. It receives my email.

    Yes. You can only get SMSs from a single device. It's "something you have", not something you could have left logged in at an Internet cafe, or had the password sniffed when connecting via WIFI at Starbucks.

    It's not used as a contact point. We don't ring you up for a chat.

  • swheaties

    I feel like I've had my say on this thread. Please indulge me one more post:

    Firstly I'm not a MS hater that is just finding fault.  I like what I know about Azure. When I went to sign up I had my wallet on my desk I was ready to fork over some bucks.  I am a MS developer. I want to learn Azure.  I want to use it. 

    The flatulence about two factor auth is a red herring and not the subject of this thread.  A phone is not any more of a security device than a laptop or a desktop or a wristwatch or an abacus.   BTW please note that MS can, and does, obtain hardware ID's and various software ID's from computers and phones.  This is only one of dozens of reasons why MS does not need to REQUIRE your phone number.

    Again - MS does not need to require you to give them your phone number. And, furthermore, if you choose to give it to them you should be protected by TOS which gives you ironclad protection against misuse or third party disclosure.  Its not rocket science guys.

    Several have mentioned that MS has been good about not spamming.  Generally, I agree.  However: Don't expect that in the future.  I got so much spam for windows store that I had to take time to "opt out".  Do you think I ever "opted in?"  Seriously?  Did I unsubscribe from every affiliate that bought my info? Probably not. 

    You don't know what you don't know.  Remember that MS has the "affiliate" clause which means they can sell your info to whoever wants to buy it.  So you may have been spammed by an affiliate and not known they got your info from MS.

    Finally, if your phone is like mine you dont have a junk box for spam sms messages. And if the big players get their way, you never will.  Your phone is going to become a toilet for spammers and it is going to become as useless as that hotmail account you never use anymore........because you get so much spam that its impossible to use. 

    Its not going to happen overnight.  It begins with small baby steps, just like what you see with Azure. 

    Next, you will need to give MS your phone number to use msdn.

    Then windows support forums.

    Then windows update. 

    Next you will see messages on your phone to the effect "The icon for notepad has been updated!!!!" 

    Later you will see "The icon for notepad has been updated!!!  Refinance your mortgage now...yada"

    I mention MS in this post, but Google is equally guilty of intrusion, if not more so. Everything I've said applies to them also. 

    THINK PEOPLE!!!!!

  • wkempf

    , swheaties wrote

    The flatulence about two factor auth is a red herring and not the subject of this thread.  A phone is not any more of a security device than a laptop or a desktop or a wristwatch or an abacus.   BTW please note that MS can, and does, obtain hardware ID's and various software ID's from computers and phones.  This is only one of dozens of reasons why MS does not need to REQUIRE your phone number.

    It was explained, fairly nicely, how SMS is better here. If you don't agree you have to address that, not just say that two factor auth is a red herring. BTW, hardware ID's and other such metadata aren't going to make for "good" solutions to the "something you have" argument about e-mail. Actually, it won't make for any kind of solution here.

    , swheaties wrote

    Again - MS does not need to require you to give them your phone number. And, furthermore, if you choose to give it to them you should be protected by TOS which gives you ironclad protection against misuse or third party disclosure.  Its not rocket science guys.

    It was already pointed out that the TOS does give you ironclad protection here. Like you say, it's not rocket science.

    Honestly, very few things for which I get billed don't require both an address and a phone number, so I don't get the concern here. If a free service required my phone number I'd have to consider, but Azure isn't that. BTW, I have been asked for my phone number when purchasing something in a store on more than one occasion, so that little analogy you made earlier is more real than you seem to realize.

  • evildictait​or

    , swheaties wrote

    The flatulence about two factor auth is a red herring and not the subject of this thread.  A phone is not any more of a security device than a laptop or a desktop or a wristwatch or an abacus.   BTW please note that MS can, and does, obtain hardware ID's and various software ID's from computers and phones.  This is only one of dozens of reasons why MS does not need to REQUIRE your phone number.

    In azure's case it's not about two-factor auth. It's about making it harder to pay for Azure accounts using stolen credit cards.

  • swheaties

    @wkempf: 

    This is from the TOS link posted earlier in this thread:

    • Additionally, with your permission, we may contact you via phone or email to provide you with promotional offers regarding Microsoft Online Services. You may change your contact preferences in the account management portal.

     

    >>>BTW, I have been asked for my phone number when purchasing something in a store on more than one occasion, so that little analogy you made earlier is more real than you seem to realize

    Indeed.  Would you continue to shop at that store if they required your phone number?  Interesting story:  There is a grocery store chain here in So. CA (Albertsons) that was doing very well until a few years ago when they switched to a pricing model that required customers to swipe a store ID card in order to receive discounts.  I immediately stopped buying there.  They recently closed about half their stores.  Now, I am not 100% certain the ID cards where the only contributor to their downfall, or even a primary contributor.  But their stores got really empty really fast right after they started doing that. 

     

  • blowdart

    , evildictait​or wrote

    *snip*

    In azure's case it's not about two-factor auth. It's about making it harder to pay for Azure accounts using stolen credit cards.

    An aside: would you like two-factor auth on the azure portal?

  • wkempf

    , swheaties wrote

    @wkempf: 

    This is from the TOS link posted earlier in this thread:

    • Additionally, with your permission, we may contact you via phone or email to provide you with promotional offers regarding Microsoft Online Services. You may change your contact preferences in the account management portal.

    First, what I quoted was a rant about selling this information to third parties, and you conveniently left out the part where that's explicitly called out as something they won't do. Second, "misuse" is something you've not defined, but what ever it is, you have the option, spelled out in the TOS, to prevent whatever it is. So, no matter how much you dislike things here, you're rant about the TOS is simply wrong. The TOS "gives you ironclad protection against misuse or third party disclosure".

    , swheaties wrote

    @wkempf: 

    Indeed.  Would you continue to shop at that store if they required your phone number?  Interesting story:  There is a grocery store chain here in So. CA (Albertsons) that was doing very well until a few years ago when they switched to a pricing model that required customers to swipe a store ID card in order to receive discounts.  I immediately stopped buying there.  They recently closed about half their stores.  Now, I am not 100% certain the ID cards where the only contributor to their downfall, or even a primary contributor.  But their stores got really empty really fast right after they started doing that. 

    I did, and I do. BTW, Albertson's is alive and kicking in my area. Further, most grocery stores here have the same "member card" savings policies. None of them are hurting for customers. By all means, if you don't like the terms, vote with your wallet. However, you're going to find yourself in a minority on this subject.

  • wkempf

    @blowdart: I'd like two factor auth as an option (emphasis there) EVERYWHERE. Simple password based authentication is becoming less secure every day. SMS based two factor auth would probably be too difficult to use with the Azure portal, though.

  • swheaties

    @wkempf

    >>It was explained, fairly nicely, how SMS is better here. If you don't agree you have to address that, not just say that two factor auth is a red herring.

    Fair enough.  The false dilemma is more easily seen if the argument is stated like this:


    "We cannot guarantee the safety of your data unless you give us your phone number"

     

    "We cannot be certain of your identity unless you give us your phone number"

     

    Are either of those statements true?  Of course not!!  I'm not making an argument against security.  Hooray for security already.  I'm just saying that your phone number is not a requirement for your data to be secure or your identity to be confirmed.

  • wkempf

    @swheaties: I've seen no one (especially not Microsoft) make either claim. What has been claimed is that two factor authentication is more secure than single factor authentication (this does not imply either of your statements), and that SMS based two factor auth is more secure than e-mail based.

    At this point, there's not much more to be said to you. You don't like giving out your phone number. Fair enough. Don't. Don't expect anyone else to have the same issue here that you do. More importantly, don't make claims that are simply false while trying to convince other's to agree with you.

  • swheaties

    LOL if that kind of flailing is the best you can come up with, wkempf, than I think I have sufficiently made my point. 

    Angel

  • wkempf

    Flailing? Uh... somehow I think the point just flew over your head.

Comments closed

Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums, or Contact Us and let us know.