BlindPost
Every popular messenger asks you for a phone number at signup, with one exception (we'll get there). Some of them claim the phone number is "just for verification" and "not your identity." That claim is usually a marketing rounding error: the phone number is the identity in their system, in every sense that matters. You change your number, your account becomes unreachable. Someone steals your number, they get your account. The whole graph — who has your number, who you've ever messaged, who shares which group with you — is keyed by it.
BlindPost has no phone number. Not "we don't link your phone number to your account." There is no phone number anywhere. The signup screen doesn't ask for one. Our database has no column for one. Our SMS provider account doesn't exist, because we don't have an SMS provider.
Here's what that actually means, and what changes when identity stops being a phone number.
"But how do I recover my account?"
Two questions tend to follow when people learn we don't take a phone number:
Q: If you don't have my phone number, how do I recover the account when I lose my phone?
A: A 12-word mnemonic — generated during signup, with a one-screen "write this down somewhere safe" walkthrough. When you install on a new device, you type the twelve words back in, and your client regenerates the same keys you had before. Same identity, same address, same conversations on the same contacts and groups. No SMS code, no email link, nothing crosses our infrastructure.
Q: Twelve words actually feels short — won't someone just brute-force their way in?
A: No, by a margin of about 780 million × the age of the universe. We did the math in a separate post. Short version: a 12-word BIP39 mnemonic carries 128 bits of entropy, which is more possibilities than every grain of sand on Earth, more than every star in the observable universe, more than every atom in roughly 100,000 Earths.
The mnemonic is the only thing standing between "this account is yours" and "this account is lost." Treat it like a key to a safe deposit box: write it down, store it offline, don't photograph it, don't email it to yourself. Lose it and the device, and the account is unrecoverable — there's no support ticket that can help, because we hold nothing that could prove the account is yours.
What is "you" on BlindPost
When you install BlindPost and create an account, your phone generates a long-term cryptographic keypair — Ed25519 — locally. The public half of that keypair is your identity. Other people see a short string derived from it (a base58-encoded fingerprint); that string is what you share when you want someone to find you.
You back up the keypair by writing down a 12-word mnemonic. (We did the math on the mnemonic in an earlier post.) That mnemonic is also the only way to recover your account on a new device. If you lose the mnemonic and lose the device, you lose the account — forever. There is no "reset via SMS code." There is no "click here, we'll text you a link."
You can change your display name, your avatar, your bio. None of that changes who you are cryptographically. Your identity is the public key, and the public key never rotates.
What other messengers do — and where it leaks
WhatsApp uses your phone number as the account identifier. Your contacts find you by knowing your number; the server's contact discovery sees the entire address book you upload and tells you which numbers in it are WhatsApp users. Switch phones, the number stays. Switch the SIM behind that number — most jurisdictions allow SIM porting with surprisingly little verification — and the account follows.
Signal is significantly better than WhatsApp on most axes, but still requires a phone number at signup. Recent updates let you hide your number from contacts in favor of a username, which is a real improvement. The number is still in Signal's database, still tied to your account, still subpoenable, still vulnerable to SIM-swap takeover.
Telegram uses phone numbers similarly, with the additional twist that the server holds plaintext copies of non-secret messages.
The common shape: the company has your phone number. Any subpoena to the company gets your number. Any breach of the company exposes your number. Any SIM port of your number transfers your account.
What this changes about your attack surface
When BlindPost's server is subpoenaed, served a warrant, or breached, here is what's recoverable about your identity:
- Your Ed25519 public key (which is also your visible address — that information is public by design).
- Encrypted envelopes addressed to that public key (the sealed messages we've been describing in other posts).
- Last time you connected to our cluster (because we need to know whether a connection is live).
What's not recoverable:
- Your phone number — we don't have one.
- Your email — we don't ask.
- Your name — we don't store it on our side; whatever you set is local and shared end-to-end with contacts.
- Your address book — we don't sync it. There's no "find friends" wizard scanning your contacts.
- Your SIM card / IMSI / IMEI — irrelevant to our model; the phone is just a host for your key material.
This is what the absence of a phone number buys you: there is no thread that pulls "John Smith, 555-1234, signed up Aug 3" out of our records into a court file, no matter what the court asks for. The thread doesn't exist.
What this costs
We lose the easiest contact-discovery flow. You can't "open the app, see which of your phone contacts already use it, tap to add." That's a feature that only works if both your client and the server know your phone number. We don't, so we can't.
Instead you find friends by:
- Sharing your address — the base58 public-key fingerprint — via any out-of-band channel (paste it into a Signal chat, send it over iMessage, write it on paper). Or share an invite link, which is the same thing wrapped.
- Scanning a QR code in person.
- Joining a group via a link someone gave you, then discovering members within.
This is a real friction cost compared to WhatsApp's "upload your address book." We chose it because the alternative — collecting and storing phone numbers, ever — defeats the privacy point of the project. A privacy app whose database can be subpoenaed for an account's phone number is fighting with one hand tied; you're better off not asking for the number to begin with.
Closing note
The "phone-number-as-identity" model was a 2010s convenience, baked into Signal-era E2EE assumptions and never seriously rethought. It buys you SMS-based onboarding and frictionless contact discovery, both of which are real wins for adoption. It also gives the company — and through it the government — a permanent thread back to your real-world identity, your SIM swap risk, your billing address, your phone carrier's records, your call metadata.
We took the harder path. The mnemonic is the price; an identity that nobody else holds — not us, not your carrier, not a court — is what it buys.