Ask HN: Would you use an email service that can only be reset in person?

24 points by trh0awayman ↗ HN
With retail on the way out, and lots of open space, I was wondering if anyone else would be interested in an email service that can only be password reset in person (using a variety of checklists to prove you're the rightful owner).

68 comments

[ 4.1 ms ] story [ 153 ms ] thread
I'm definitely not the target audience for this sort of thing so take my opinion with a grain of salt, but absolutely not.

I already have an unreasonable dislike for online services that have lengthy/complex password reset processes. Being forced to show up somewhere IRL to reset my password sounds like a fever dream to me.

It's not supposed to be easy to change these things. The easier it is for you to change legitimately, the easier it is for someone else to change illegitimately.
I'm not sure why you're being downvoted. There are better processes and worse processes. But there is absolutely a tradeoff between convenience and resistance to social engineering and other forms of attacks. Your Google account would absolutely be more secure if you could only make changes by showing up in Mountain View with 5 forms of ID between 2pm and 3pm on Thursday. And it would be less secure if you could just call someone up if you got locked out and asked them to pretty please reinstate your access.

Physical presence isn't a panacea but it offers a lot of protections vs. online or over the phone. There are certain financial transactions that I pretty much need to transact physically at least in part.

Why not just ask for a notarized letter? Its about the same difficulty to forge, but won't require users to drive across the country.
Of course it's an interesting idea, but the idea hasn't been fully had yet. "A variety of checklists to prove you're the rightful owner" doesn't actually mean anything without some examples of what the checklists are going to be.

Put another way, what does "security through obscurity" refer to? Why do we only use cryptographic methods that are totally explained, rather than those that keep their procedure secret?

Not the audience for this (who's the audience anyway? can't think of any), so definitely not, but that mechanism has at least 1 major flaw:

If a password is compromised / brute forcedthe attacker will have access to the victim's e-mail (or other data) until the victim makes the time to get around to resetting the password in person, which might take a while.

Possibly easily solved by making it easy to lock out (lock-out codes? Or an app with such a toggle?) if a person believes someone else has unauthorized access. The trade-off is an increased risk of inadvertent or malicious denial of service, but properly hardened those can be minimized.
I actually like the idea of improving security, especially for my main email on which many other identities depend, also for their password resets. Not sure how it would be implemented, perhaps tying it into the national id system or something (where available)? It does seem that any account important enough to warrant this level of security should also have excellent customer service/availability/emergency procedures.

Online IAM is hard.

I would be somewhat surprised if anyone at all would.
I would actively avoid such a service. The recovery process sounds outlandishly punishing without addressing a real issue. Any email service competing with, say, Fastmail would first have to offer feature parity and even then a marginally better password recovery would be a secondary feature.

My country offers several national digital identification services and if you can use one of those for password recovery, well that's a feature I would find interesting with my existing mail provider.

Having to show up in person would be a non-starter, especially if I had to travel far or had to show up during business hours.

I'm sceptical that it would provide much more security. Do you have the skills or technology to validate physical identification (drivers' licences, passports)?

What happens if somebody has lost their laptop and identification (fire, flood, theft etc)? They don't remember their password, and they are having a difficult time proving who they are?

How are you planning on dealing with people who are angry, aggressive or even violent?

What if somebody shows up armed and threatens your staff?

You fogot the what if scenario where an asteroid is headed towards the earth. I'm being sarcastic, because your comment is so ridiculous.

In all seriousness though, everything you pointed out is literally inconsequential to the question asked. It would 100% be more secure, requiring a state issued id card to reset your password. Plenty of people lose all forms of identification at some point in their lives, and while it sucks and take a bit of time, it's not an insurmountable obstacle, and will eventually be resolved.

Why are you acting like you don't understand? You seem like a smart person.

Plenty of people lose all forms of identification at some point in their lives

Yep. I lost my wallet once and my birth certificate was in another state at my parents at the time (and I had no passport). It took less than a day of leg work to get a new state driver's license and bank cards made. Frighteningly little security in that whole process. Had to go to the post office and get a voter registration card, take that and a bank statement/water bill to the DMV, and boom, I had a new ID. Did the clerk at the DMV compare me to my photo? If she did she never said so.

> It would 100% be more secure, requiring a state issued id card to reset your password.

You seem to be under the illusion that state-issued id cards and even passports are secure.

People are able to get them simply by showing a birth certificate, which is basically a piece of paper signed and stamped by a town official decades ago. Which comes down to trusting underpaid, overworked people (and possibly underqualified political appointees) who work at the local registry of births or drivers licensing agency or passport office.

Considering how important email is for peoples' lives nowadays (especially if it provides access to financial information), a state issued id may be a weaker link.

Are you able to detect forged passports and drivers licences? Will your business have insurance in case you make a mistake and reset the password for the wrong person?

Have you ever worked in an in-person customer-facing role before? You will encounter angry, sometimes aggressive people. If you're in the US, then expect some of them may be armed.

I've worked in those roles for many years. I also busted my ass in dangerous blue collar under the table jobs for years before I got into software and my current position. My first software job was 80 hours a week at a startup for 35k a year, and I was happy to do it because it was on the books and I wasn't in danger of getting crushed by heavy machinery.

Did I say that a state issued id would be the only form of id required to reset your password? No. That's pretty idiotic, and you know it would never fly in the real world. Come on, let's try and be an adult and stop with the straw man arguments.

There's so many avenues of attack for the current password reset process (sim swapping, identity theft) that another layer would definitely improve security. Should we not do it because "oh no someone can forge an id"?

Grow up and drop the straw man arguments.

You said in the comment that I replied to

> It would 100% be more secure, requiring a state issued id card to reset your password.

And when I criticize that, you say I am making a "straw man" argument.

I could be interested in this, but would have to be from a reputable company, not a small startup. The weak link in my security is SMS which most online accounts rely on, so until that problem is fixed the email is a secondary issue.
only be password reset in person

I like that idea. I could see something like this being partnered with brick-and-mortar banks or grocery chains. Many banks already deal with validating ID's and in some cases have free or discounted notary services for their customers. Or at least some national / international chain store. Some grocery stores already partner with banks and have a bank in a percentage of their grocery stores. I'm in the middle of nowhere but my near-by town has a bank and a grocery store.

The more I think about it, this would be more useful and scalable if it were not strictly an email service but rather an identity provider. Think SAML/Oauth provider that is highly extensible to email providers, app providers, SaaS /misc cloud providers, etc... A distributed LDAP managed by banks or grocery stores with simple and secure web front-end API's. By distributed I mean highly fault tolerant active-active in many regions and with many hourly backups in every region. LDAP can store email addresses, aliases, phone numbers and more. The management API would have to contain a distributed and highly detailed journal of who changed what, using some type of cryptographic proof.

If a person changes their email provider, app provider, cell phone provider, or anything else for that matter... then their identity follows them. They would already have in place that which they wish to share publicly and that which companies can use privately to ID them.

With retail on the way out, and lots of open space

I not so sure about the idea of picking up unused buildings. That would be a monumental cost for a single service and probably quite challenging to get funding for. Real-estate is a good investment but comes with a high burn rate insurance, maintenance, security, code compliance, etc... I think this aspect would require a remarkable business plan for investors to not be highly skeptical.

Banks already offer various notarizing services. If you want to require some sort of physical proof of identity, that's probably the most reasonable path that isn't too onerous outside of situations where everyone to a first approximation is in the same location anyway.
This was standard MO at my uni. Show up in person with ID during normal business hours and (re)set your password.

It was high friction by design. It only worked well because 98% of the entire user base lived within two miles of the IT office—and the amount of rage generated when a professor on sabbatical had to come back to campus just to reset their password was a sight to see.

Seconding this. That's how it works at my university.
> and the amount of rage generated when a professor on sabbatical had to come back to campus just to reset their password was a sight to see.

My personal experience is that these people are the most likely to have a dozen degrees and also a high success rate of being phished.

it was extra fun in the years of windows XP worms!

tenured professors will click on damn near anything except what you want them to, ive found.

I'd rather have an email service that has no password reset functionality. If I lose my private key, lock me out forever.
I've thought about this before, and there's a fundamental problem.

If there are just a few physical locations where the reset can occur, nobody who lives far from those locations can reasonably use the service. The risk is too great.

If there are lots of physical locations, then the whole purpose of the service is defeated. There's no way to control the people working at all those locations, and surely some of them will become compromised.

I think the only solution is to somehow integrate with something like a bank or post office that seem to have already solved the problem of operating many secure retail locations.

Yes! I came to the same conclusion. Realistically the post office is the best way to do this. Furthermore, what's always frustrated me is how identity in the US is associated with an address. Why not just generate a one time code that resolves to a registry, and enable the receiver to modify the address that the code resolves to. This could even be done while the address is in transit. This also has the benefit of not losing mail to old addresses anymore. As someone who's lived in an RV full time, this was a particularly frustrating problem for me.
LibertyX (cash to BTC company) did something similar - at first you could only buy from stores that had Qpay (mobile phone top-up provider) and had signed up with LibertyX. Then they came to an agreement with Walgreens/CVS to allow users to pay cash and get Bitcoin at most or all CVS and Walgreens locations in the nation.

USPS and banks already verify photo IDs on a daily basis and they're not afraid to work with companies to provide an additional service if the money is right. The problem for something like USPS would be paying enough up front to make it worth training and educating at least one or two individuals at every single post office in the entire United States on how to verify and reset the passwords.

Although I suppose a similar measure using existing systems would be to send a code via registered mail with a post office hold - ensuring that even if someone is able to request a password reset, they have to also be able to go to the local post office of said person, with a fake photo ID of that person in hand. If it needs to be even more high-security to ensure USPS is following protocol, then users can opt to send a current photo of themselves on registration and instead of a password reset code, they'd receive a video chat code which allows a trained employee at EmailCompany to see and talk to them briefly and verify it's the same user who registered the email.

I'm curious who this complex service would be used by - I'm assuming crypto exchanges, etc, but then that doesn't do anything for someone just getting your password and not needing to reset it. I suppose when you set your password you can receive a list of OTPs to use on session timeout/new device.

> There's no way to control the people working at all those locations

Except that you then give two examples of services that have solved this problem. I'm not saying that it's an easy problem, but it's clearly not impossible.

Fraud in banks and the post office is a thing that happens, though. If you are concerned about your employees being compromised then contracting with a third party whose employees you don't control and don't answer to you probably isn't the solution.
I'd rather not use email at all if I can help it.
If this service magically has convenient locations in every urban area in the world then maybe.

And what would this checklist entail? How would a random store employee be able to verify my identity?

Alongside simple banking, this is a service that should be offered, for free, by the US Post Office.
Sell it as a franchise model. Every neighborhood gets its own email server and backup, a webmail frontend, a user portal with billing and a service contract. Your franchise owners get Yubikeys or similar to authenticate themselves, and the right to fiddle with authentication for their users alone. They can set their own local prices, and provide as much or as little tech support as they want. Charge a small fee to migrate a user from one neighborhood to another. Offer neighborhood mailing lists. For a small fee, let people moderate their own lists, which don't have to be neighborhood-specific, but do have to be confirmed-opt-in; no bulk upload of subscriber addresses.
That sounds a little like what hosting cooperatives are doing! In France we have the CHATONS.org federation for those, in which a lot of FLOSS NGOs, unions and other local entities take part. On an international scale, it seems like libreho.st is listing a few such providers.

These services are not a "franchise" per se, so it's not exactly the same as what you were describing.

Cooperatives are an excellent model, too. I assumed the original poster was thinking about starting a for-profit business.
Yes, i personally have more trust in a workers coop with sustainable economics, than a profit-driven company driven by a CEO or a board of directors whose incentives have good chances of being misaligned with ours as users.

Webarch.coop and disroot.org could be named as two examples of well-operated hosting coops. The former is a traditional host (shared & managed hosting) operating as a workers coop, while the latter does only shared hosting as far as i know (targeting end-users more specifically).

I misread that as “in prison” and was briefly very confused about what kind of shady business model you were planning.
No. I like having my email service provider in a different jurisdiction than where I am geographically located so at the very least an international warrant is required for any evidentiary information. I'm not up to anything nefarious in any way, shape or form btw ... I just enjoy 'fuggin wid da man' and making their life slightly more difficult should the need ever arise :) so an 'In Person' password re-set would be out for me since international air-travel with the risk of in-flight diversion, an unscheduled stop-over diversion or flying over the ‘wrong’ country’s airspace would be unaccpetable risks but everyone has differing threat models and differing aims and objectives when it comes to security.

[Edit to Update]: It also strikes me as an excellent water-hole attack vector.... Attacker triggers a password reset and then just waits for you to show up to reset location and bam! you got your man or you can tail him back to his home and get them there. Useful against both bad guys and people with large cold wallets. Ouch (in more ways than one) but see my point above about differing threat models.

> making their life slightly more difficult should the need ever arise

Sorry to break it to you, but countries have had "Mutual Legal Assistance Treaties" for a long time. It's just another form that may take another day of two because of timezones.

https://en.wikipedia.org/wiki/Mutual_legal_assistance_treaty

Don't be sorry. I am / was already aware of those (in the trade referred to as MLAT's) so no reality-check needed (but thanks for pointing it out for other readers). Firstly, MLAT's are not Global (some countries play ball, some don't etc) but for that very reason I used the phrase "slightly more difficult" rather than any other word/phrase.
Not really. People that need this feature already have it (in a way) - in a given scope (government agencies, universities, some corporations & private companies etc). 99.999% of people simply don't need that level of security. How currently things work is fine balance between UX and security, minimal friction.
And yet millions of people find themselves completely lost when they loose access to their personal account, usually because their mobile phone broke down or was lost/stolen. I am a witness of *MANY* such situations every year in my under-populated countryside neighborhood and i wouldn't be surprised if over the past 5 years 30-50% (made-up numbers) of the local population had faced major administrative hurdles due to being unable to have an actual human on the phone or at the booth to answer a simple password reset request.

See also this HN thread from this week which details the problem: https://news.ycombinator.com/item?id=32304320

Yes, I'd actually prefer this.

BUT: The devil is in the details. How far will I need to travel to reset my email password? How diligent will the people be in verifying that I'm who I claim I am? How easy will it be to impersonate me and take over my account?

Personally, I think something like this needs to gravitate towards a government service.

Well, there are plenty of government-sponsored electronic ID solutions around. I'd be happy to use something like the key&cert on my ID card to log into a mail service.
I recently ditched a bank for having this issue after I had to drive 700 miles to reset my password.

Maybe if that email service was run by usps or something I would consider it.

Maybe if it were more focused on using email as an identity provider for other sites.

For example, Facebook started where people needed a university-validated email address to join. This allowed there to be a one-to-one matching of account and human. While there are some ways to do KYC online, I imagine an in-person solution might help a LOT. It couid still be tied to an email address, if you wanted, as it can be easy for sites to restrict login to specific email domains. I just think for me, what I want the most as a user and especially as a site designer, is a way to more confidently prove someone's identity or at least their humanness.

This makes an interesting low-drama example or case study of a polarizing idea.

Everyone here either loves or hates the core idea (the core idea not the details), but it's a safe difference not religion or guns etc. People on opposite sides merely think the others are crazy or stupid not evil or inhuman.

One thing I've observed; Of the people who like the idea, they often have alterations or improvements to suggest to address various facets of it. They say "the idea is good but there is a problem and maybe that can be addressed this way ...". Of the people who don't like it, few/none are criticizing any specific facets or suggesting ways to address them to still get the core ideas' safety benefit, nor explain how the core stated benefit is not needed because you get it some other better way. They only say "god no, why? no way"