Session Account ID vs phone numbers
June 08, 2022 / Alex LintonPrivacy, Technical
This article will cover some technical concepts— but will aim to cover them from a high-level perspective.
The Session Account ID is one of the most important parts of Session. Those 66 characters are a whole new digital identity—an identity that is native to the digital, cyber-enabled world we live in. Compared to a phone number, the simple and effective Account ID offers huge advantages.
Why is an Account ID so critical to the way Session works? Well, they solve a lot of the problems that phone numbers have; Session Account IDs are instant, secure, portable, and anonymous—making them the perfect companion to a private messaging app like Session.
What is a Session Account ID?
All Account IDs begin as a simple, random 128-bit string of data. Randomness can be generated in two ways: true random, which uses hardware like video or audio inputs, or pseudo-random, which relies on a seed (like a static word) that’s processed to appear random. Session uses the secure randomness sources provided by your device’s operating system to generate this random data.
That random piece of data is the 'seed' which can be plugged into an algorithm and generate a new (and similarly random) private key. Behind the scenes, your private key is the secret code you use to encrypt and decrypt messages, but it’s also used to generate your Account ID. Much like the random string was the ‘seed’ for our private key, the private key will now be the ‘seed’ for your Account ID.
Note: The private key is also used to generate your recovery password, which is used to gain access to your account.
Session Account ID: Instant
So, all that’s needed to create an anonymous account is some random bit of data. You don't need permission from anyone, nor do you need to access a central database, sign forms, or verify your identity—and you never will. It's all built into the privacy-protecting protocol.
In human terms, your account ID is created instantly. Importantly, if something happens to compromise your account ID—like your real identity being linked—you can instantly create a new one to avoid issues with harassment and lack of digital safety which stem from de-anonymisation.
In comparison, phone numbers are becoming increasingly difficult to acquire. Most people just keep the same number for years. This immobility means your phone number is almost definitely linked to your real identity, living in a bunch of databases all over the world—and things like SMS scams, spam calls, and social graphing are running rampant.
Session Account ID: Secure
Account IDs are pretty long—there's no way I'll be memorising my entire Session ID any time soon. But that length achieves something important: it makes it unlikely (like, virtually impossible) that anyone else is going to accidentally (or deliberately) end up with the same Account ID as you. If someone had a billion computers, which could each create a billion AccountIDs per second, and they ran them for a billion years, they would still have less than a one in a billion chance of finding the same private key and Session ID as yours.
This is important because otherwise, when messages are addressed to your Account ID,they could end up in someone else's inbox, which would be the worst possible disaster for privacy and security.
It is impossible for this to happen accidentally because, there are an enormous amount (about 340,282,366,920,938,463,463,374,607,431,768,211,456, or 340 undecillion if you're nasty) of possible Account IDs. It's difficult for someone to try and get the same Account ID deliberately because you’d need to find someone's private key to be able to generate their Session ID—you can't backwards engineer it using the Account ID itself. If you had to choose between the security of an Account ID versus the likelihood of a company,like Facebook or WhatsApp,preventing a data breach, malicious hack, or other unlawful access,I’d definitely pick theAccount ID.
Phone numbers have a tiny number of possible combinations compared to Account IDs. But phone numbers aren't chosen algorithmically, so telecommunication providers can manually check and make sure two people don't end up with the same phone number. On the flip-side, a telecommunication provider can also deliberately swap your phone number with a different device. This is called a SIM-swap attack,and it's often used by malicious attackers so they can abuse SMS-based two-factor authentication (2FA) to gain access to your online accounts (like your bank account, email, or social media).
Phone numbers also often get recycled, meaning your old phone number (which might still be connected to 2FA) could become compromised.
Overall, phone numbers aren't very secure, especially compared to Account IDs.
Session Account ID: Portable
Remember when we talked about your recovery password earlier? Your recovery password is a human-readable version of your private key which can be used to restore your account and re-generate your Account ID on a new or additional device.
Phone fell off a boat? You can restore your account easily using your recovery phrase.
Worried your device might be seized while you are travelling overseas? You can leave your phone behind and temporarily import your Session account on a different device.
The best part: this portability isn’t from cloud storage or central databases. Your phone handles everything on-device, using public, expert-verified code. You can recover your Session Account ID anywhere, anytime.
Phone numbers are portable too, but rely on telecom providers, making them vulnerable to SIM-swapping attacks. With Account IDs, you don’t need to trust big corporations to safeguard your data or security.
Session Account ID: Anonymous
Because Account IDs don't require you to provide any personal information, and can be quickly and easily created, you always have the option of keeping your Account ID completely removed from your real-life identity.
Combined with Session's decentralised infrastructure and onion-routing protocol protecting user metadata, it's very hard to link someone's identity to their Accountn ID (unless you do it deliberately).
The ideas of identity and anonymity have been explored at length in the past on this blog. Session is designed to create a safe place for people to exist and communicate in the digital world. Without the Account ID, this simply wouldn't be possible.
Try Session now!
Account IDs are a seriously pivotal feature. For some people, that 66-character ID might seem scary, but Account IDs are actually simpler and more secure than phone numbers. Just like any new technology, it’s mostly just about getting used to it. Although it may seem like a small aspect of Session, it’s actually one of the most innovative and important parts of the app’s design, offering enhanced privacy protection and security. As the world moves on from legacy technology like phone numbers, it's important to consider how to replace the hole left behind by ditching those digits. The advantages of Account IDs are huge. So what are you waiting for? Dump your phone number and get yourself an Account ID.
For more updates, insights, and the latest on privacy and security, follow Session on Twitter. Stay informed and join the conversation!
The need for decentralised messaging
August 27, 2024 / Alex Linton
Connecting one million users
August 18, 2024 / Alex Linton
Sign-up in a flash with Session's new onboarding
August 11, 2024 / Alex Linton
Let’s localise: Unifying text strings together
August 06, 2024 / Alex Linton
Disappearing Messages v2: a new way to protect your privacy with Session.
March 12, 2024 / Alex Linton
Upgrading from Oxen Network to Session Network
February 06, 2024 / Alex Linton