How to get text messages for two-factor authentication without a phone number
Systems that offer a second step to log into an account often require a phone number to receive texts or voice calls. What if you have none?
It’s easy to forget that everyone else isn’t like you, even when you make an effort to be inclusive of others when you find yourself in the majority. That’s true for so many things, and “ableism” is among them. As someone with good vision, hearing, and mobility, I overlook elements of technology that are daily annoyances for people with certain disabilities.
I was caught up short reading Frank Lowney’s comment on my rundown of Apple’s updated login security enhancement, now labeled two-factor authentication.
I am hearing impaired. Consequently, I don’t have a phone because a phone would be an unnecessary, even useless, expense. Thus, I am consigned to a lower level of security. I do have an iPod touch and an iPad in addition to desk/laptop Macs. So why doesn’t Apple afford the hearing impaired with two-factor authentication?
It took me a few read-throughs to get what he meant, before I slapped myself on the forehead. Apple doesn’t require a phone to use two-factor authentication: you can approve all requests from a Mac or iOS device. But it does require you to receive a text message or automated voice call to set it up in the first place, and as a fail-safe backup in case your trusted devices are inaccessible, lost, stolen, or destroyed.
You may never need to use a phone after setup, but without one, you could lose access to your Apple ID forever—and to similar resources at other sites and from other companies—if a terrible set of circumstances occurs in which you forget or no longer can find a password and all your devices are unavailable. Think natural disaster or house fire, not just theft.
Fortunately, there’s a way around this that’s a workable solution for many different scenarios, including Frank’s. Get a textable number that isn’t tied to a phone.
Phone as a token
As discussed in this column many times before, a password isn’t a great way to protect accounts that can logged into from anywhere in the world. Sites are hacked all the time, and no amount of account security protects against someone worming into the innards of a site to grab data directly.
But many times, passwords are stolen—and often lightly encrypted and easy to crack or stored in the clear. With an account’s email address and password, crackers can often access information not just at the site that was broken into it, but at other popular sites, as people tend to pick poor passwords and re-use them.
A second factor breaks the ability to take advantage of “wholesale” password cracking that works remotely. Security factors are usually labeled as something you know (like a password), something you have (a hardware token or phone), and something you are—biometric details like a fingerprint. While a password can be known by anyone, another factor typically requires that an attacker have physical access to you or your stuff. Someone who has just your password can’t do squat in most cases.
Apple, Google, Dropbox, Facebook, Twitter, and many other companies offer a variety of two-factor systems, which employ text messages, authentication apps, their own software, and operating system integration.
That’s why it’s odd that, for all that, the root of many two-factor systems still relies on phone numbers, which can be intercepted and switched to other devices. The main method to receive a code is often via text message; sometimes it’s a last-ditch fallback when all else fails. But you typically have to enable two-factor authentication with a text message, with an increasingly available option to receive an automated voice call reading the numbers aloud.
As Frank notes, he doesn’t have a phone. And being hearing impaired, spoken-aloud numbers aren’t of much use to him. And there are people without hearing impairment who choose to not have a phone that receives text messages (remember landlines?) or opt out of having a cell phone or any phone at all. Others certainly don’t want tech companies—large or small—to have a number they use for incoming phone calls or personal use. There are alternatives, but they require a little attention.
Several services offer U.S.-based, legitimate telephone numbers that can receive text messages. Many are entirely free for sending and receiving because they use an ad-supported or freemium model or both.
I tested TextNow, which sells phones with wireless plans as well as offers apps for many, many platforms, including iOS and Mac OS X. It’s extremely simple to set up, and in its free flavor it appends a reference to its service and a link to outgoing messages.
And, just to be clear, you don’t need a phone number to set it up, just an email address. The downside of the service is that it releases phone numbers rapidly: If at least one text message isn’t sent each day, after a few days you’ll get a warning that the phone number will be put back into its pool, and then it’s removed.
I also tried Textfree, which is similarly free and attaches tiny attribution ads. The sign-up process requires either a phone number to complete, or a Facebook or Google account authorization. Textfree keeps a number assigned to you for 30 days before releasing it.
I looked for any service that would let you pay to keep a number permanently, but all of those that I could find required another phone line to manage verification, such as Twilio, which is otherwise a perfect option.
Google Voice is a great free option for a lot of phone-style purposes, but you can’t use the service without having at least one phone line. After you set up the phone line you can use text messaging through its web interface at no cost, however, and it tested out fine to receive codes. And Skype confusingly lets you pay to send text messages, but you can only receive SMS/MMS in reply—you can’t receive texts that are initiated by another party.
Because none of the text options is perfect, you should find at least one person you can trust who has a phone number you can use as a secondary backup in case your text-only number is lost. While other services don’t allow this very easily, Apple lets you set up multiple trusted phone numbers, and you can associate this with your Apple ID and both two-step (older) and two-factor (newer) account protection methods.
Who would have thought it would be so hard to get texts without a phone? People who face this issue regularly—and now we all have some answers.