PKI. Service providers shouldn't give you access to an account just because you can prove you control an email address (during a narrow and predictable time window, no less). The simplest thing would be to encrypt the relevant part of the payload (the one containing the password reset link), so resets are only possible if you can receive the email and have the means of reading it in its "true" form.
Failing that (suppose you've not just lost your password but also the ability to decrypt the contents of the message), there should be an alternative, but the threshold for proving your identity should increase. It would ameliorate a lot if it meant that people had to show up in person somewhere. E.g., I show up at either the business's local branch (if there is one) or the USPS (or...) with my photo ID. From there, an attestation is generated that you really are who you say you are, and only with that attestation will your account be unlocked.
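The encrypted reset link described in the comment above, as an added example that is not part of the original comment. It assumes the user enrolled an RSA public key with the service beforehand; the function names, the `service.example` URL, the 15-minute window and the choice of RSA-OAEP are all assumptions made for illustration.

```javascript
// Added illustration; every name, URL and the 15-minute expiry is an assumption.
const nodeCrypto = require("node:crypto");
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };
const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest();

// Stand-in for the key pair a user enrolls at signup (only the public half goes to the service).
function newKeyPair() {
  return nodeCrypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
}

// Service: mint a single-use token, store only its hash, seal the link to the enrolled key.
function issueReset(store, account, publicKeyPem, now = Date.now()) {
  const token = nodeCrypto.randomBytes(32).toString("base64url");
  store.set(account, { tokenHash: sha256(token), expires: now + 15 * 60 * 1000 });
  const link = `https://service.example/reset?account=${encodeURIComponent(account)}&token=${token}`;
  // RSA-2048 with OAEP/SHA-256 seals at most 190 bytes, enough for this short link.
  const sealed = nodeCrypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, Buffer.from(link));
  return `A password reset was requested.\n-----SEALED LINK-----\n${sealed.toString("base64")}\n-----END-----\n`;
}

// User: only the holder of the private key can turn the email back into a usable link.
function openReset(emailBody, privateKeyPem) {
  const b64 = emailBody.split("-----SEALED LINK-----\n")[1].split("\n-----END-----")[0];
  return nodeCrypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, Buffer.from(b64, "base64")).toString();
}

// Service: accept the token once, inside the window, using a constant-time comparison.
function redeem(store, account, token, now = Date.now()) {
  const rec = store.get(account);
  if (!rec || typeof token !== "string" || now > rec.expires) return false;
  const ok = nodeCrypto.timingSafeEqual(sha256(token), rec.tokenHash);
  if (ok) store.delete(account); // single use
  return ok;
}
```

Someone who can read the mailbox but lacks the private key sees only the sealed blob, which is the property the comment asks for; losing the key is the case the in-person fallback in the second paragraph has to cover.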