Just because it seems odd:
The phone company shut down the service I was using and then kindly invalidated my SIM card too, which doesn’t seem very customer-friendly, and meant I had to get a new number and a new card (with another phone company…). And since I use 2FA in quite a lot of places, I’m looking forward to all the issues that will pop up trying to change the number.
Anyway, I had the old number connected to my Steam account. They’ve barely ever used it in the, quite a few, years it’s been there, but I was anticipating a good lot of back and forth with Steam support. Once I even figured out how to contact them, that is; the support page just seems to send you in circles.
I eventually just tried to click the “Remove my number” button, and after a few automated emails with codes, I had changed the number. Aside from an SMS to the new number to verify it, it only involved emails.
So, is it just me or does this not seem terribly secure? Basically, if you have access to someone’s mail account, you can remove their phone number, change it to your own, and then you can presumably change their email address to your own later on too.
I know they use the Google Authenticator thing, but I did think a phone number would have some value for security too.