Ask HN: Would you use an email service that can only be reset in person?
With retail on the way out, and lots of open space, I was wondering if anyone else would be interested in an email service that can only be password reset in person (using a variety of checklists to prove you're the rightful owner).
68 comments
[ 4.1 ms ] story [ 153 ms ] threadI already have an unreasonable dislike for online services that have lengthy/complex password reset processes. Being forced to show up somewhere IRL to reset my password sounds like a fever dream to me.
Physical presence isn't a panacea but it offers a lot of protections vs. online or over the phone. There are certain financial transactions that I pretty much need to transact physically at least in part.
Put another way, what does "security through obscurity" refer to? Why do we only use cryptographic methods that are totally explained, rather than those that keep their procedure secret?
If a password is compromised / brute forcedthe attacker will have access to the victim's e-mail (or other data) until the victim makes the time to get around to resetting the password in person, which might take a while.
Online IAM is hard.
My country offers several national digital identification services and if you can use one of those for password recovery, well that's a feature I would find interesting with my existing mail provider.
I'm sceptical that it would provide much more security. Do you have the skills or technology to validate physical identification (drivers' licences, passports)?
What happens if somebody has lost their laptop and identification (fire, flood, theft etc)? They don't remember their password, and they are having a difficult time proving who they are?
How are you planning on dealing with people who are angry, aggressive or even violent?
What if somebody shows up armed and threatens your staff?
In all seriousness though, everything you pointed out is literally inconsequential to the question asked. It would 100% be more secure, requiring a state issued id card to reset your password. Plenty of people lose all forms of identification at some point in their lives, and while it sucks and take a bit of time, it's not an insurmountable obstacle, and will eventually be resolved.
Why are you acting like you don't understand? You seem like a smart person.
Yep. I lost my wallet once and my birth certificate was in another state at my parents at the time (and I had no passport). It took less than a day of leg work to get a new state driver's license and bank cards made. Frighteningly little security in that whole process. Had to go to the post office and get a voter registration card, take that and a bank statement/water bill to the DMV, and boom, I had a new ID. Did the clerk at the DMV compare me to my photo? If she did she never said so.
You seem to be under the illusion that state-issued id cards and even passports are secure.
People are able to get them simply by showing a birth certificate, which is basically a piece of paper signed and stamped by a town official decades ago. Which comes down to trusting underpaid, overworked people (and possibly underqualified political appointees) who work at the local registry of births or drivers licensing agency or passport office.
Considering how important email is for peoples' lives nowadays (especially if it provides access to financial information), a state issued id may be a weaker link.
Are you able to detect forged passports and drivers licences? Will your business have insurance in case you make a mistake and reset the password for the wrong person?
Have you ever worked in an in-person customer-facing role before? You will encounter angry, sometimes aggressive people. If you're in the US, then expect some of them may be armed.
Did I say that a state issued id would be the only form of id required to reset your password? No. That's pretty idiotic, and you know it would never fly in the real world. Come on, let's try and be an adult and stop with the straw man arguments.
There's so many avenues of attack for the current password reset process (sim swapping, identity theft) that another layer would definitely improve security. Should we not do it because "oh no someone can forge an id"?
Grow up and drop the straw man arguments.
> It would 100% be more secure, requiring a state issued id card to reset your password.
And when I criticize that, you say I am making a "straw man" argument.
I like that idea. I could see something like this being partnered with brick-and-mortar banks or grocery chains. Many banks already deal with validating ID's and in some cases have free or discounted notary services for their customers. Or at least some national / international chain store. Some grocery stores already partner with banks and have a bank in a percentage of their grocery stores. I'm in the middle of nowhere but my near-by town has a bank and a grocery store.
The more I think about it, this would be more useful and scalable if it were not strictly an email service but rather an identity provider. Think SAML/Oauth provider that is highly extensible to email providers, app providers, SaaS /misc cloud providers, etc... A distributed LDAP managed by banks or grocery stores with simple and secure web front-end API's. By distributed I mean highly fault tolerant active-active in many regions and with many hourly backups in every region. LDAP can store email addresses, aliases, phone numbers and more. The management API would have to contain a distributed and highly detailed journal of who changed what, using some type of cryptographic proof.
If a person changes their email provider, app provider, cell phone provider, or anything else for that matter... then their identity follows them. They would already have in place that which they wish to share publicly and that which companies can use privately to ID them.
With retail on the way out, and lots of open space
I not so sure about the idea of picking up unused buildings. That would be a monumental cost for a single service and probably quite challenging to get funding for. Real-estate is a good investment but comes with a high burn rate insurance, maintenance, security, code compliance, etc... I think this aspect would require a remarkable business plan for investors to not be highly skeptical.
It was high friction by design. It only worked well because 98% of the entire user base lived within two miles of the IT office—and the amount of rage generated when a professor on sabbatical had to come back to campus just to reset their password was a sight to see.
My personal experience is that these people are the most likely to have a dozen degrees and also a high success rate of being phished.
tenured professors will click on damn near anything except what you want them to, ive found.
If there are just a few physical locations where the reset can occur, nobody who lives far from those locations can reasonably use the service. The risk is too great.
If there are lots of physical locations, then the whole purpose of the service is defeated. There's no way to control the people working at all those locations, and surely some of them will become compromised.
I think the only solution is to somehow integrate with something like a bank or post office that seem to have already solved the problem of operating many secure retail locations.
USPS and banks already verify photo IDs on a daily basis and they're not afraid to work with companies to provide an additional service if the money is right. The problem for something like USPS would be paying enough up front to make it worth training and educating at least one or two individuals at every single post office in the entire United States on how to verify and reset the passwords.
Although I suppose a similar measure using existing systems would be to send a code via registered mail with a post office hold - ensuring that even if someone is able to request a password reset, they have to also be able to go to the local post office of said person, with a fake photo ID of that person in hand. If it needs to be even more high-security to ensure USPS is following protocol, then users can opt to send a current photo of themselves on registration and instead of a password reset code, they'd receive a video chat code which allows a trained employee at EmailCompany to see and talk to them briefly and verify it's the same user who registered the email.
I'm curious who this complex service would be used by - I'm assuming crypto exchanges, etc, but then that doesn't do anything for someone just getting your password and not needing to reset it. I suppose when you set your password you can receive a list of OTPs to use on session timeout/new device.
Except that you then give two examples of services that have solved this problem. I'm not saying that it's an easy problem, but it's clearly not impossible.
And what would this checklist entail? How would a random store employee be able to verify my identity?
These services are not a "franchise" per se, so it's not exactly the same as what you were describing.
Webarch.coop and disroot.org could be named as two examples of well-operated hosting coops. The former is a traditional host (shared & managed hosting) operating as a workers coop, while the latter does only shared hosting as far as i know (targeting end-users more specifically).
[Edit to Update]: It also strikes me as an excellent water-hole attack vector.... Attacker triggers a password reset and then just waits for you to show up to reset location and bam! you got your man or you can tail him back to his home and get them there. Useful against both bad guys and people with large cold wallets. Ouch (in more ways than one) but see my point above about differing threat models.
Sorry to break it to you, but countries have had "Mutual Legal Assistance Treaties" for a long time. It's just another form that may take another day of two because of timezones.
https://en.wikipedia.org/wiki/Mutual_legal_assistance_treaty
See also this HN thread from this week which details the problem: https://news.ycombinator.com/item?id=32304320
BUT: The devil is in the details. How far will I need to travel to reset my email password? How diligent will the people be in verifying that I'm who I claim I am? How easy will it be to impersonate me and take over my account?
Personally, I think something like this needs to gravitate towards a government service.
Maybe if that email service was run by usps or something I would consider it.
For example, Facebook started where people needed a university-validated email address to join. This allowed there to be a one-to-one matching of account and human. While there are some ways to do KYC online, I imagine an in-person solution might help a LOT. It couid still be tied to an email address, if you wanted, as it can be easy for sites to restrict login to specific email domains. I just think for me, what I want the most as a user and especially as a site designer, is a way to more confidently prove someone's identity or at least their humanness.
Everyone here either loves or hates the core idea (the core idea not the details), but it's a safe difference not religion or guns etc. People on opposite sides merely think the others are crazy or stupid not evil or inhuman.
One thing I've observed; Of the people who like the idea, they often have alterations or improvements to suggest to address various facets of it. They say "the idea is good but there is a problem and maybe that can be addressed this way ...". Of the people who don't like it, few/none are criticizing any specific facets or suggesting ways to address them to still get the core ideas' safety benefit, nor explain how the core stated benefit is not needed because you get it some other better way. They only say "god no, why? no way"