Ask HN: Why is company letterhead a valid form of auth in 2022?
After filing a violation with twitter support for an account impersonating an opensource project I work on (posting fake news, etc) Twitter has asked that I verify myself as being part of the organisation being impersonated by providing a copy of my business card or a signed company letterhead.
This is not the first time I've been challenged to provide a company letterhead as a form of authentication by a large, reasonably sophisticated company. How is this still considered quality best practice?
36 comments
[ 2.4 ms ] story [ 84.2 ms ] threadAnyway, this is about shifting liability with minimal effort. As such, I'd consider it best practice. Of course, I'm using that term in a different way than you, but you just need to appreciate the goal here. It's not at all about "authenticating" you as a heretofore unknown, authorized member of the org -- that's extremely difficult, even at small scale.
Granted that's not to say people will actually verify passports using the data, but it is there compared to a letterhead being effectively just a random doc template.
and we have a central organisation called PRADO with information on how to verify any EU country's passport. https://www.consilium.europa.eu/prado/en/prado-start-page.ht...
It reminds me of how lawyers are happy to accept signatures by fax. You could be a rather lousy forger, yet because of the huge and extremely black pixels, still make a passable forged signature over fax. You can even tape a real signature on the page, or make numerous corrections, because the resolution simply cannot show any of those details. There is not much one would consider reliable about a faxed document.
The purpose of a lot of these sorts of requirements is not authentication. It's ensuring that if you do do it, you trigger the statutory requirement for some particular criminal offense. For example, a jurisdiction might have a crime of forgery which is substantially easier to prosecute than fraud (perhaps fraud would need the prosecution to prove intent to make financial gain, wheras forgery might be satisfied as soon as you can prove signature was forged -- hypothetical example, it will vary by jurisdiction and IANAL).
These sort of statues might have been written before computers or even faxes, and there might be caselaw to the effect that forging someone's signature and sending it by fax does satisfy its requirements of the offence, but none yet for just writing your name at the bottom of an email; things like that.
Legal auth is simply making sure they can sue you, and/or get you sent to prison if you circumvent their system.
Also, there isn't a standard way to identify a company and to validate its actions. A slightly better one (at least where Latin notaries exist) is that the company secretariat make a declaration of whatever and include a certified copy of the company registration that certifies that the said person is the secretary of the company, but you end up with the ID problem except that it's for companies. Maybe a standard "passport" identifying companies? Did I re-invent parts of apostille? (https://en.wikipedia.org/wiki/Apostille_Convention)
Time-tested and infallible - even more-so than the Pope, if it can be believed.
Huh? What "futuristic policy" -- the "futuristic policy" of not accepting something as moronically easily-fakeable as "company letterhead" for ID? That's not a "policy", it's just common sense. You should try that over on the other side of the Atlantic some time.
And it has nothing to do with "social media tech company"; I've never heard of any European company accepting something as moronically easily-fakeable as "company letterhead" for ID. Which is why I wrote "is an American company", not "is an American social media tech company".
It would be pretty cool if you could make your point without blaming an entire country for being luddites though. There's plenty of "cutting edge" "future thinking" companies in the US. Sometimes, old tech is the best tech especially when paper tends to last a lot longer than even governments.
Sure. But guess why it's so "tired"? Because you get ao much of it. And why, do you think, do you get so much of it? Because it's true.
> I'm pretty sure Europeans still use corporate letterhead as a type of legal guarantee.
And I'm pretty sure they don't.
> It would be pretty cool if you could make your point without blaming an entire country for being luddites though.
Of course I could, for most points, but not when precisely that is my point. Well, not luddites, exactly, because they were anti-technology. My point is more just... Backwards. Anti-common sense.
> There's plenty of "cutting edge" "future thinking" companies in the US.
Sure. Which makes it so much weirder that the population, on the whole, conducts so much of their lives in such ludicrously outdated and non-sensical ways: Getting paid, or paying stuff, by sending paper cheques -- OK, checks -- hither and yon. Using what should be just a unique identifier -- your social security number -- as the authentication ("password") of that id more often than not. Using weird 18th-century units of measurement...
> Sometimes, old tech is the best tech especially when paper tends to last a lot longer than even governments.
Exactly. But not paper checks, ferfuxxake...
And hey, sometimes you do stuff that doesn't really make sense, precisely not to be "luddites". One example that comes readily to mind (because I've wondered over it for a long time -- at least 22 years) is: What other reason could you possibly have to run your elections the weird way you do, than to get to feel "We're the most advanced in the world, because We Vote With Machines"? Yeah, you do... And then you get ambiguous forms, Looney-tunes theories about the Machines being hacked via Italian spy satellites, and of course the infamous Hanging Chads. Gaah!
Yet another weirdity that you, AFAIK, are the only country in the world to do. Just go back to scraps of paper, envelopes to put them in, and plywood boxes to put the envelopes in. And then, since you have people from both parties at all election venues keeping an eye on things anyway (it's the law, isn't it?), just have those people empty the boxes, open the envelopes, and count the scraps of paper -- just like us luddites in the rest of the world.
See? I'm not at all saying that you're necessarily weird because you're behind on tech; just that you're weird in general, sometimes by leaning too much into tech.
Plenty of "open source projects" are nothing more than some informal group working together. It's not like they are registered with the government.
But don't take my word for it. Read what Adam Smith had to say about it first in the Wealth of Nations. https://www.ibiblio.org/ml/libri/s/SmithA_WealthNations_p.pd...
But I suspect this has a lot more to do with proving that you are explicitly representing yourself to them as a member of the organization; not proving that you actually are part of the organization.
That seems more secure than physical signatures and letter heads, that can presumably be easily forged.
But Keybase seems not developed anymore. Does anyone know what’s the situation?