Signal is a good app. We mean that — we say it on our own comparison page, and we said it in the last blog post, and we'll keep saying it as long as it's true. Signal's cryptography is strong, its governance is honest, its intentions are as close to aligned with users as any tech-industry organisation's are ever likely to be. And yet, if you read the 2024 post introducing Signal usernames, you'll find a rare thing for any company: an explicit admission of its top complaint.

"Phone numbers are a persistent criticism from our most ardent advocates."

— Signal, "Keep your phone number private with Signal usernames" (2024)

Signal added usernames as a response — they let you hide your phone number from other users. But the phone number is still required at registration. Signal itself still needs to know your phone number to let you create an account. This has not changed.

We built OpenDescent on a different answer. We don't require a phone number, because we don't have a registration step that would ever need one. This isn't us being clever — it's a consequence of choosing a different architecture. This post explains what that means, why we think phone numbers are the wrong identifier for a messaging app, and how we solve the problem (spam prevention) that phone numbers usually solve.

§ 01What a phone number actually is

In most of the world, a phone number is three things at once:

  1. A way to reach you over the legacy circuit-switched telephony network, which is what it was originally for and what it is increasingly least useful for.
  2. A government-issued identifier, allocated by a national telecoms regulator to a carrier, which the carrier allocates to a person whose identity they have been legally required to verify in most jurisdictions since roughly 2015.
  3. A permanent key into a hundred other systems you didn't know were listening. Your bank's two-factor setup. Your tax authority's notification service. Your insurance company's password-reset flow. Your email provider's account recovery. Every loyalty programme you absent-mindedly typed it into at a till.

The first role is the one most people think about. The second and third are the ones that matter for a messaging app. Handing over a phone number is not a technical step; it is handing over the most durable identifier most humans have, tied to their legal identity, cross-indexed across dozens of commercial and governmental databases.

▸ What a phone number is tied to
PHONE # legal ID BANK EMAIL TAX 2FA CARRIER LOYALTY INSURANCE DELIVERY
A phone number isn't a messaging handle. It's the joining key for ~a dozen systems that already have your legal identity on file.

When a messenger says "we need your phone number to sign you up," what it is actually doing is linking a messaging account to that key. The messenger may never use the number for anything else, and may encrypt message content perfectly. But the link, once made, is indelible. If the messenger is compelled to produce information — by subpoena, by a privacy policy update, by a change of ownership — the link is what it produces. Messages might be safe. The fact that you have an account, under your legal identity, isn't.

A phone number isn't a messaging handle. It is a government-issued identifier tied to your legal identity, given to a messenger in exchange for simpler onboarding.

§ 02The spam argument, and what's right about it

Signal's stated reason for requiring phone numbers, to be fair to them, isn't "we want to tie you to your legal identity." It is a genuinely hard engineering problem: spam and Sybil attacks. Without a costly-to-obtain identifier, it becomes trivial to create infinite accounts and flood the network with garbage.

Phone numbers are a reasonable proof-of-scarcity. There are only so many humans with only so many phone numbers, and obtaining a new one in most jurisdictions takes enough effort that an attacker can't spin up a million of them overnight. It's not a perfect signal — SIM farms exist, SMS services exist — but it raises the cost.

This is a real problem and we don't dismiss it. But we think phone numbers solve the problem in a way that has unrelated side effects (the legal-identity linkage above) that are too expensive for what they buy. If a thing is load-bearing for spam prevention and simultaneously links every account to a legal identity, we'd like a different thing for spam prevention.

§ 03How we actually do it

OpenDescent has no registration server, which means there's nothing to spam-protect at registration time. Your identity is an Ed25519 keypair generated on your device. Creating a new identity costs about as much CPU as scrolling past a photo. So how do we prevent a bad actor from creating a million identities and flooding the network?

Three mechanisms, layered:

  1. Invite-graph gating. You only receive messages from peers you've explicitly added — by username, by invite link, or by joining a hub. An identity with no invite in is a tree falling in a forest with nobody around: it cannot reach you. A new identity starts with zero social reach and has to acquire it the same way anyone else does, through other users choosing to connect to it.
  2. Trust-web reputation. When a contact vouches for another contact (see our trust web feature), the reputation of a key flows through the social graph. A fresh anonymous identity without a single vouch is treated with appropriate suspicion — the UI flags it, the contact knows nothing about it, and there's no list of strangers to flood because there's no directory of strangers.
  3. Proof-of-work for anonymous features. For the specific cases where anonymity is a feature (Dead Drops), we require proof-of-work per post. This makes high-volume spamming expensive in CPU terms. It's the same idea as hashcash, designed to make one-off use cheap and bulk abuse expensive.

Between them, these three mechanisms do the job phone numbers do for Signal, and they do it without requiring you to hand over a legal identifier to get a messenger account. We don't claim they're better than phone numbers for spam prevention. We claim they're sufficient, and that the trade-off in favour of not collecting phone numbers is worth making.

§ 04The principle underneath

The broader argument isn't about phone numbers specifically. It's about the default expectation of messengers that your identity should be a thing assigned to you by some external authority — a phone number, a government ID, an email address issued by a company. We think that's a historical accident, not a requirement.

Your identity on a messenger can be, and should be, a key you generated. A piece of cryptography that is yours the moment it exists, that proves who you are without needing a third-party authority to confirm it, that you can back up, re-derive on a new device, and throw away if you want to. The key is the identity. Everything else — usernames, display names, avatars — is a convenience layer on top of the key.

This is, incidentally, how Bitcoin addresses work. It's how SSH keys work. It's how PGP was always supposed to work. The idea that "proving who you are" can mean "demonstrating possession of a private key" is decades old. Messaging apps are unusual in having moved away from this model and toward phone-number-based identity, not because it's a better cryptographic idea, but because of a long chain of product decisions that prioritised smooth onboarding over user ownership.

Identity should be a key you generate, not a number you were assigned.

§ 05What it looks like in practice

What this means for you, as a user, is concrete. When you install OpenDescent, the app does the following:

There's no confirmation email because we have no email. There's no SMS code because we have no phone number. There's no "check your inbox" step. The setup flow is, mechanically, "open the app, save 12 words, pick a name." Total time: about 90 seconds.

And then, forever after, your identity is yours. If your device is destroyed, the 12 words bring your identity back on any other device. If you want a second identity for different contexts, you make one — the cost is zero. If someone wants to impersonate you, they don't have your private key, and they can't get it without your words.

If you want to see how this works in practice, download OpenDescent. The whole flow from installer to first message is under three minutes, and the absence of any "please enter your phone number" step is its own small pleasure.

▶ Download for Windows vs Signal — full comparison

§ 06What we're not saying

We're not saying Signal is wrong to require phone numbers. Signal is optimising for a different set of constraints — global scale, accessibility to non-technical users, a spam model that has to defend against very large adversaries. The phone number requirement solves real problems in Signal's architecture, and we have genuine respect for how Signal has navigated them.

We're also not saying phone numbers are evil. They are just wrong for this particular job. A phone number is a useful thing. Using it as the primary identifier for a messaging account, and tying every message and contact you have to it, is not what it's for.

The one thing we are saying, plainly and without much hedging, is this: if you are building a messenger in 2026, and you have the option of architecturally not needing a phone number, you should take that option. The spam problem is real but solvable. The cost of handing users' legal identifiers to every messaging company is higher than it looks, and the longer we all collectively do it, the harder it becomes to ask for anything else.

We'll never ask for your phone number. Not because we're making a dramatic statement — although it does read a little dramatic — but because we genuinely don't need it to do our job, and neither does any messenger that chooses to build this way.

Sources cited
Signal — Keep your phone number private with Signal usernames (2024) ↗ The Intercept — Signal's new usernames help keep the cops out of your data ↗ The Intercept — How I got a truly anonymous Signal account ↗ BIP39 specification ↗

Back to all posts