> 2) sending a one-time password over SMS, unless you had already validated that the telephone number belonged to your customer
Note that it's pretty hard to validate a phone number belongs to someone. You could ask their telephone company, but their telephone company shouldn't disclose subscriber information, and even if they did, maybe you get a name, but lots of people have the same name as me, so what does that show?
Commonly, people send a text message with a code or a phone call with a code to demonstrate control (not belonging), but that's almost always automated, and you would need the number to be validated before you could validate it.
Rather than texting the consumer a security code and having them enter it in the browser, you could display a security code in the browser and have them text it to your automated system.
But there’s still no way to know if that number later gets released to another person.
AFAIU, caller ID can be faked. Getting an SMS from a phone number does not demonstrate anything. Probably this is why the send factor is received, not sent.
As the sibling comment says, spoofing sender ID or caller ID is relatively easy. You can't trust it, outside of some very narrow cases (although SHAKEN/STIR may change that).
Some carriers do make available lists of recycled numbers, and some telephone information companies aggregate these lists. When I was looking, coverage was sparse though, and questions about reliability and privacy were too big relative to the limited coverage. Sharing of confidential information was an issue too: carriers wanted to provide events only for numbers of interest to a 3rd party service, so the carrier didn't divulge the number of customers leaving their service; the 3rd party service didn't want to provide numbers of interest because it would divulge user count. I may be biased (I was working for a service), but the recycled number list feels less privacy invasive than providing numbers of interest. The numbering space is small, so you can't meaningfully obscure the numbers, etc. Determining which carrier is responsible for a number is also tricky, of course.
If they prompted to receive a code during sign-up it would make the system immune to a person accidentally entering the wrong number. Only malicious entry would remain, which I suspect the company would ultimately not be liable for. So I believe it would actually be a better solution if the goal is to prevent robotexting people who didn't consent to it.
So I think you're proposing, enter your number, get a code, send a text to a special number with that code, get a text reply and enter that. Then the service has done their best job of validating the number before they validated it.
Of course, getting a working incoming number for all countries worldwide that doesn't cost users an arm and a leg to message is not exactly easy.
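The round trip proposed in the comments above (code shown in the browser, texted in by the user, then a reply code texted back and entered), sketched as an added example that is not from any commenter. The class, its method names, the `send_sms` gateway hook, and the TTL and attempt limits are all assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 600   # seconds a session stays valid (assumed value)
MAX_TRIES = 5    # confirm attempts allowed per session (assumed value)

def new_code():
    return f"{secrets.randbelow(10**6):06d}"

def same(a, b):
    # Constant-time compare; encode first so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())

class RoundTripVerifier:
    """Hypothetical two-leg check: inbound SMS first, outbound reply second."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # callable(number, text), assumed gateway hook
        self.now = now
        self.sessions = {}         # session id -> state

    def start(self, session_id, claimed_number):
        code = new_code()
        self.sessions[session_id] = {"number": claimed_number, "inbound": code,
                                     "reply": None, "tries": 0,
                                     "expires": self.now() + CODE_TTL}
        return code                # displayed in the browser, never sent by SMS

    def on_inbound_sms(self, sender, body):
        # Leg 1: nothing is texted to a number until a message claiming to come
        # from it arrives. Sender ID is spoofable, so this alone proves nothing.
        for s in self.sessions.values():
            if (s["reply"] is None and self.now() < s["expires"]
                    and sender == s["number"] and same(body.strip(), s["inbound"])):
                s["reply"] = new_code()
                # Leg 2: only someone who can receive at the number learns this.
                self.send_sms(s["number"], s["reply"])
                return True
        return False

    def confirm(self, session_id, entered):
        s = self.sessions.get(session_id)
        if not s or s["reply"] is None or self.now() >= s["expires"]:
            return False
        s["tries"] += 1
        if s["tries"] > MAX_TRIES or not same(entered, s["reply"]):
            return False
        del self.sessions[session_id]   # single use
        return True
```

A pass still only shows control of the number at that moment; it says nothing about the number being recycled later.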