Traditionally an account is secure when the user gives something publicly available (email) coupled with something only they know (password).<p>With Stripe's Remember Me feature (https://stripe.com/checkout/info) an invisible 'account' is created for you by the unique between the email and phone number. Then when you type in your email the next time, you get texted a code that you can use to auto-fill your payment methods. Why is this considered a secure experience? Can the code be thought of as a one-time password? It seems a little crazy that two publicly available pieces of information can be used to authenticate (although admittedly you would have to intercept the text message code).<p>Even worse is Lyft. When you install the app you enter a phone number, verify with a code, and then enter your credit card info -- no password anywhere. What happens if you change phone numbers and it gets recycled? Now a new user installs Lyft and my credit card is already on file! How can this possibly be justified?
> although admittedly you would have to intercept the text message code<p>This is the key. Unless you are the mobile operator or a government entity, your only other options are fake cell phone towers, i.e. stingrays, which are monopolized by government, or incredible circumstantial luck (the user happens to use a virtual phone number for texting, so SMS is going over WiFi, and you have man-in-the-middled the router). I guess you could also root the user's phone or gain access to Stripe's/Lyft's infrastructure, but then the question of intercepting a confirmation SMS wouldn't pop up.<p>The next level for either of those services is to support message-less second-factor auth (Authy, Google Authenticator, Microsoft Authenticator).
re Lyft: We detect recycled phone numbers, and we'll challenge you (or "not you") for further identification.<p>Phone recycling has been a much bigger problem for non-fraudulent cases, e.g. you pop in a new SIM card and naively sign up for Lyft, getting the account of someone else (e.g. a tourist's). Fraudulent takeover of passengers' Lyft accounts hasn't been happening that much — fraudsters have a much easier time stealing credit card numbers than Lyft accounts.
> What happens if you change phone numbers and it gets recycled? Now a new user installs Lyft and my credit card is already on file! How can this possibly be justified?<p>There's an account you may access if you know the username and respective password or if you may access the account's primary email.<p>So, just think of the account as your locker in Lyft's building. When someone with your telephone number enters that number and enters back the received code, that implies he's the owner of the number.<p>The credit card is still under your account and there could be no relation to the other user's telephone number. The triggered routine would confirm the connection of the user and their telephone and nothing else.
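
An added example, not part of the thread and not Stripe's or Lyft's code: a texted code handled as a one-time password (short-lived, single-use, attempt-limited) that proves possession of the number only, with a step-up challenge before stored cards are shown when the device is new to the account. The class and field names, the unknown-device signal standing in for recycled-number detection, and the TTL and attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL = 300    # seconds a texted code stays valid (assumed value)
MAX_ATTEMPTS = 3  # wrong guesses allowed per code (assumed value)


@dataclass
class Account:
    phone: str
    known_devices: set = field(default_factory=set)


def _digest(code):
    return hashlib.sha256(code.encode()).digest()


class SmsLogin:
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # phone -> [code digest, expiry, attempts left]

    def send_code(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = [_digest(code), self.now() + CODE_TTL, MAX_ATTEMPTS]
        return code  # a real service passes this to its SMS gateway

    def verify(self, account, code, device_id):
        entry = self.pending.get(account.phone)
        if entry is None or self.now() > entry[1]:
            self.pending.pop(account.phone, None)
            return "denied"  # no code outstanding, or it expired
        if not hmac.compare_digest(entry[0], _digest(code)):
            entry[2] -= 1
            if entry[2] <= 0:
                del self.pending[account.phone]  # stop online guessing
            return "denied"
        del self.pending[account.phone]  # single use: a replayed code fails
        # A correct code proves possession of the number, nothing more.
        if device_id in account.known_devices:
            return "signed_in"
        # Number verified from a device this account has never used: it may
        # have been reassigned, so ask for more before showing stored cards.
        return "challenge"
```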