Think of it as Yoga for the brain, we are going to stretch a bit.
Why 2FA is a Scam
“If you’re not paying for the product, you are the product being sold.” — Andrew Lewis, 2010
Is 2FA a Scam?
If something makes you feel safer while quietly making you easier to identify, easier to track, and easier to profile… what exactly did you just buy?
Let’s talk about 2FA — two-factor authentication, the little pop-up that asks for your phone number, sends you a text, and pats you on the head like a well-trained guard dog. Most people see that code arrive and think, “Ah yes, security.”
What they actually received was a leash.
The comforting lie
Here’s the uncomfortable truth: a large number of platforms don’t use SMS-based 2FA primarily to protect you. They use it to identify you.
Security is optional.
Identity is the real prize.
If the goal were pure security, there are better tools:
hardware security keys
passkeys
authenticator apps
device-based cryptographic challenges
Those exist. Many companies support them.
So when a platform insists on a mobile phone number, that’s your first clue this isn’t about protection — it’s about KYC: Know Your Customer.
That’s not always evil.
But it is always invasive.
Why phone numbers are radioactive
A phone number is not just a number. It’s a universal tracking handle.
Once attached to your identity, it becomes:
linkable across platforms
searchable in breached databases
crowd-verified via your friends’ contact lists
correlatable with location, habits, and metadata
Your friends upload their contacts.
Their apps upload them daily.
Suddenly platforms know who you are even if you never told them.
That’s how someone you met once becomes a “suggested friend.”
That’s how online friction turns into real-world risk.
That’s how pseudonymity quietly dies.
Pseudonymity: the thing you didn’t know you lost
Pseudonymity is the ability to exist online without collapsing your digital life into your real-world identity.
It’s the buffer that prevents:
doxing
stalking
targeted manipulation
profile-based censorship
algorithmic labeling you never consented to
Once a phone number enters the picture, that buffer is gone. Permanently.
And it doesn’t stop with tech companies.
Phone numbers leak through:
credit bureaus
utilities
banks
carriers
hacked datasets that never really disappear
If a platform wants to know who you are, the phone number makes it easy.
Not all 2FA is equal
Some institutions already must know who you are:
banks
governments
tax authorities
healthcare systems
That’s unavoidable. You can’t hide from your own Social Security number, nor should you try.
But social platforms, marketplaces, forums, and apps?
That’s where you get to draw the line.
When a site demands a phone number and refuses alternatives, ask yourself:
Why does this business need my real-world identity?
If the answer isn’t convincing, the safest move may be to leave.
The strategy: isolation, not paranoia
The solution isn’t fear — it’s segmentation.
Different numbers for different purposes:
One number for institutions that legitimately require identity
One number for friends and family
One number (or none) for platforms that don’t deserve either
Mixing those worlds is how identities bleed.
The number you give to friends and family should be the most protected of all — because they unintentionally leak it for you.
The quiet power move
The biggest privacy mistake people make isn’t oversharing.
It’s using one identity everywhere and calling it convenience.
2FA didn’t become popular because it protects you.
It became popular because it scales identity cheaply.
Security that requires you to surrender your anonymity isn’t security.
It’s compliance with better branding.
And the real trick?
Once you see it, that little SMS code doesn’t feel so comforting anymore.
Reflection
The modern world doesn’t steal privacy with force.
It rents it back to you one “safety feature” at a time — and hopes you never read the fine print.
The modern surveillance economy doesn’t kick down your door. It hands you a keypad, asks for your number, and calls it protection.
The smartest move isn’t hiding from everything — it’s knowing exactly who deserves to know who you are.
Most don’t.
Who Are the Worst Offenders — and Why Do They Keep Getting Away With It?
If every platform says “we respect your privacy” while quietly vacuuming up your identity, the only useful question left is: who does the most damage, at the largest scale, with the least consent?
Here’s the blunt ranking — from actively dangerous to merely unavoidably intrusive — and the reason each one earns its spot.
Tier 1: The Identity Harvesters (Worst of the Worst)
Meta (Facebook, Instagram, WhatsApp)
Why they’re the worst:
Meta doesn’t just collect data — it builds shadow identities.
Even if you never give them your phone number:
your friends upload it
their apps re-upload it daily
Meta crowd-verifies your identity across contact lists
Your phone number becomes:
a graph node
a behavioral anchor
a real-name binding mechanism
They aggressively resist anonymity, punish pseudonyms, and tie everything back to real-world identity. Their business model requires knowing exactly who you are.
If there were a museum of privacy violations, Meta would be the gift shop.
Google
Why they’re almost as bad:
Google doesn’t need your phone number — but they really want it.
They already have:
your email
your searches
your location
your device fingerprint
your payment data
The phone number simply collapses the final wall between behavior and identity.
Google’s danger isn’t loud. It’s quiet, systemic, and permanent. Once profiled, you’re not just tracked — you’re classified.
Tier 2: The High-Velocity Profilers
TikTok
Why it’s dangerous:
TikTok is extraordinarily aggressive about:
contact list access
device identifiers
behavioral modeling
It excels at relationship mapping — who knows whom, who influences whom, who drifts where.
Whether you worry more about advertisers or governments, TikTok gives everyone excellent raw material.
LinkedIn
Why it’s sneakier than it looks:
LinkedIn feels professional, but it:
pressures real names
pushes contact uploads
maps professional and social graphs
It’s a career database masquerading as networking.
Your résumé plus your phone number equals long-term leverage.
Tier 3: Identity Brokers Disguised as Services
Coinbase
Why it’s risky:
Coinbase is legally required to know who you are — fair enough.
The problem is data gravity:
government IDs
biometric verification
phone numbers
transaction history
That’s a single breach away from complete exposure.
They’re not malicious — they’re just a very attractive target.
ID.me
Why it’s unavoidable but dangerous:
ID.me exists solely to verify identity for governments.
That makes it:
legitimate
centralized
terrifying if compromised
You don’t “opt in” so much as comply. Minimize usage. Assume permanence.
Tier 4: The Quiet Enablers
Banks & Credit Card Companies
Why they matter:
They leak phone numbers into:
credit bureaus
data brokers
verification networks
You can’t avoid them — but you can isolate them.
Credit Bureaus (Equifax, TransUnion, etc.)
Why they’re dangerous:
They never asked for your consent.
They lose your data regularly.
They sell correlation as a service.
If the internet were a crime scene, credit bureaus would be the unlocked back door.
Tier 5: The “Why Do You Need This?” Platforms
Discord, Uber, Lyft, Craigslist
Why they’re suspicious:
They reject VoIP numbers.
They insist on mobile numbers.
They claim “safety.”
Translation: identity assurance.
Some of these make sense if they employ you.
Most don’t justify knowing who you are.
The Pattern That Tells the Truth
Here’s the rule that never fails:
If a platform insists on a phone number and rejects all alternatives, it is prioritizing identification over security.
Security can be solved without identity.
Tracking cannot.
