Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Passwordless is going to make this even worse - there's no migration path (yet) from platform ecosystems to each other. I've not seen any serious progress on how to switch from Apple to Google, which doesn't involve doing things one by one, site by site.

And more to the point, a way of handling "I've lost my phone and had to buy a new cheap one" seems to be a potentially problematic edge case. Bootstrapping trust and authentication for end users without any physical token is hard, but seems necessary, especially for non technical end users, for whom password reset processes might even be the default route of access.



2FA is any two of what you know, what you have, or who you are.

It would be so easy to have a Google Android/iOS app that lets you take a photo of a credit card matching a payment method from the Play Store or one of Google's paid services. That proves something you have in addition to your password.

Though, TBH, Amazon is probably in the best position to solve this problem. They have payment methods and they have physical presence everywhere. Companies like Google or whomever could hook into an Amazon API to verify identity with a one-time recovery code.

How do you get the recovery code? You show up at Whole Foods or Kohls or eventually even to an Amazon Hub Locker and prove your identity with a photo ID card. You're then provided a recovery code linked to one of your full legal name, an e-mail you've already had registered with your Amazon account, a phone number you've already had registered with your Amazon account, or a credit card number you've already had registered with your Amazon account.

A service that knows one of those things about you can then be recovered by submitting the key and selecting the link modality. (Keys submitted with the wrong link modality should be invalidated, obviously.)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: