
When I lost my phone and was locked out of 2FA, most services required a picture of me, with my ID, my face and a letter showing the date all in the same picture.

This seemed pretty effective to me.



Google doesn’t have a picture of me linked to my Gmail account, so this would require as much planning as printing 2FA backup codes, right?


They would use photo ID the same way everyone else does. Compare the photo on the ID to the picture the person provides, which is why it needs today's date in the photo.


All that proves is that there is a person who matches the photo on their ID? It doesn’t prove it is the account owner unless the ID and personal information are stored with Google ahead of time. And now you have people upset about Google asking people for ID to sign up, like their children for a school account, and other people like me upset that my account was phished. I don’t think they even have my real birthday on my account, at least I don’t remember being required to share it.


2FA should not be a requirement.

If you want to enable 2FA, do one of the following:

- upload the front and back of your ID
- UBI Key or other hardware cert
- etc. etc.

2FA by phone is a flawed architecture due to being subject to change. SIM swaps are a known vulnerability.

But mainly, do not force me to have 2FA.


Not for people who are homeless or don't have an ID for whatever reason, and need access to social services.



