Is it bad practice to exclusively use phone numbers for both the sign-up and login process?
I am creating an app. Users need to both login and sign-up. I want to simplify the form for this process as much as possible. This got me thinking. Instead of doing the traditional email, confirm email, password, and confirm password setup for sign-up, I just want to use the user's phone with a sms text verification process. If the users account does not exist, I would create a new one after the sms verification is completed.
In a similar fashion for login instead of email and password, I would just use the same phone number with sms verification. If the user exists in the db then I would verify the phone number via sms text and allow the user to continue.
I have never seen this done. I was wondering is this bad practice from a security perspective? My immediate thoughts are no this is not bad practice, but only if I verify the phone number every time via text.
I have heard of passwordless login with email where a link is sent via email to the user for login with no password. This is very similar to the process I am recommending. Are their any case specific concerns I should have with phone via sms or Whatsapp?
The most important info on my app is credit card info, and I won't be storing it in our DB's, but if a malicious attacker gets in they can charge the user unexpectedly. To reiterate this is only if they take control of the phone's sms/Whatsapp text capabilities.
Do I need to be concerned with a lost phone scenario? Last I checked the process for lost sims is very secure from a carrier's perspective. If the carriers process is insecure I know I am screwed, but I feel like that is equivalent to a bank robing its own depositors type of scenario. At that point the world is screwed anyway because 2fa would be exploited.
I am only going through this process because I am paranoid with user data. I want to limit the amount of user data that I have to just phone-number and sometimes cards, but if I can get away with it no credit cards as well.
