Session ID vs phone numbers

June 07, 2022 / Alex Linton / Privacy, Technical

This article will cover some technical concepts — but we will do our best to explain them simply

The Session ID is one of the most important parts of Session. Those 66 characters are a whole new digital identity — an identity that is native to the digital, cyber-enabled world we live in. Compared to a phone number, the simple and effective Session ID offers huge advantages.

Why is the Session ID so critical to the way Session works? Well, we use them because they solve a lot of the problems that phone numbers have; Session IDs are instant, secure, portable, and anonymous — making them the perfect companion to a private messaging app like Session.

A Session ID is born: How Session IDs are created

All Session IDs start their lives as just a simple random 128-bit string of data. There are lots of ways to produce randomness: 'true random', which normally relies on hardware like video or audio inputs, or 'pseudo-random', which relies on a 'seed' (some static piece of information, like the word 'hello') that is then algorithmically processed into something which appears random. Operating systems have their own secure sources of randomness — which is what we use to get our random string of data.

That random piece of data is the 'seed' which we can plug into an algorithm and generate a new (and similarly random) private key. Behind the scenes, your private key is the secret code you use to encrypt and decrypt messages, but it’s also used to generate your Session ID. Much like our random string was the ‘seed’ for our private key, the private key will now be the ‘seed’ for our Session ID. 

Figure: What happens behind the scenes when you generate a new Session ID

Note: The private key is also used to generate your recovery phrase, which is used to gain access to your account.

Session ID: Instant

So all that’s needed to create a Session ID is...some random bit of data. You don't have to get permission from anyone, access a central database, sign a form, confirm your identity — and you never will. It's all in the protocol. 

In human terms, your Session ID is created instantly. Importantly, if something happens to compromise your Session ID—like your real identity being linked—you can instantly create a new one to avoid issues with harassment and lack of digital safety which stem from de-anonymisation. 

In comparison, phone numbers are becoming increasingly difficult to acquire — so most people just keep the same number for years. This immobility means your phone number is almost definitely linked to your real identity, living in a bunch of databases all over the world — and things like SMS scams, spam calls, and social graphing are running rampant. 

Session ID: Secure

Session IDs are pretty long — there's no way I'll be memorising my entire Session ID any time soon. But that length achieves something important — it makes it unlikely (like, virtually impossible) that anyone else is going to accidentally (or deliberately) end up with the same Session ID as you. If someone had a billion computers, which could each create a billion Session IDs per second, and they ran them for a billion years, they would still have less than a one in a billion chance of finding the same private key and Session ID as yours.

This is important because otherwise, when messages are addressed to your Session ID — they could end up in someone else's inbox, which would be the worst possible disaster for privacy and security.

It is impossible for this to happen accidentally because, well, there are an enormous amount (about 340,282,366,920,938,463,463,374,607,431,768,211,456, or 340 undecillion if you're nasty) of possible Session IDs. It's difficult for someone to try and get the same Session ID deliberately because you’d need to find someone's private key to be able to generate their Session ID — you can't backwards engineer it using the Session ID itself. If you had to choose between the security of a Session ID versus the likelihood of a company—like Facebook or WhatsApp—preventing a data breach, malicious hack, or other unlawful access— I’d definitely pick the Session ID. 

Phone numbers have a tiny number of possible combinations compared to Session IDs. But phone numbers aren't chosen algorithmically, so telecommunication providers can manually check and make sure two people don't end up with the same phone number. On the flip-side, a telecommunication provider can also deliberately swap your phone number with a different device. This is called a SIM-swap attack — and it's often used by malicious attackers so they can abuse SMS-based two-factor authentication (2FA) to gain access to your online accounts (like your bank account, email, or social media). 

Phone numbers also often get recycled — meaning your old phone number (which might still be connected to 2FA) could become compromised. 

Overall — phone numbers aren't very secure, especially compared to Session IDs. 

Session ID: Portable

Remember when we talked about your recovery phrase earlier? Your recovery phrase is a human-readable version of your private key which can be used to restore your account and re-generate your Session ID on a new or additional device. 

Phone fell off a boat? You can restore your account easily using your recovery phrase. 

Worried your device might be seized while you are travelling overseas? You can leave your phone behind and temporarily import your Session account on a different device. 

The best part: this portability doesn't come from cloud storage or central databases — your phone can do everything on-device using public computer code that has been checked and verified by experts all around the world. You can always get your Session ID back — no matter where you are or what you’re doing. 

Phone numbers are also portable — but because you're relying on someone else (a telecommunications provider) to swap it for you, it enables the SIM-swapping attacks we discussed earlier. 

Session IDs make it so you don’t have to trust big corporations or companies not to mishandle your data or accidentally compromise your security.

Session ID: Anonymous

Because Session IDs don't require you to provide any personal information, and can be quickly and easily created — you always have the option of keeping your Session ID completely removed from your real-life identity. 

Combined with Session's decentralised infrastructure and onion-routing protocol protecting user metadata — it's very hard to link someone's identity to their Session ID (unless you do it deliberately).

We have discussed the ideas of identity and anonymity at length in the past — and we have gone to great lengths to make Session a safe place for people to exist and communicate in the digital world. Without the Session ID, this simply wouldn't be possible. 

Try Session now!

Session IDs are a seriously pivotal feature. For some people, that 66-character ID might seem scary — but Session IDs are actually simpler and more secure than phone numbers. Just like any new technology, it’s mostly just about getting used to it. Although it might seem like a relatively minor part of Session, it's actually one of the coolest and most important parts of the entire design of our app.

As the world moves on from legacy technology like phone numbers, it's important to consider how we might replace the hole left behind by ditching those digits. As far as we can tell, Session IDs are a great start — although we're always looking at new ways to improve. The advantages of Session IDs are huge. So what are you waiting for? Dump your phone number and get yourself a Session ID. 

Want to send me a message? Message Alex on Session: 05a99541db92f4318899aec86e85f5aa66e1e406e8f71b175196f57205d7bcad33
