If you just want to send a code, and you want to tie it to some kind of identifier token, take the less-than-a-day that it takes to add normal "trusted third party" authentication, where you ask Google/Facebook/GitHub/whoever to confirm this is a real person.
And then you don't have to save any personal information, either (which laws both in the US and EU say includes phone numbers), which means you also can't LEAK personal information when someone inevitably gets into your database.
Hey TheRealPomax, just reading this. Super fair point about the phone number. It was only meant to be there for keeping the login convenient for mobile users through Twilio Verify. Totally see your point though and I can see how this could be interpreted instead. Will be changing this to email/username instead. Really appreciate the feedback, it's incredibly helpful. Thank you.