by kels 3831 days ago
It would be nice if there was a good solution that companies could implement because this isn't just a fault of PayPal, this is most utilities, TV providers, etc. You can call up and pretend to be the account holder and as long as you have the address on file and account number you can gain access to a lot of things.
3 comments

There is, auth your users through google/facebook/whatever. It's really quite simple.
The problem is that then you need to force customers to be on Google/Facebook/whatever.

There was (Still is!) something very similar in an organization called CAcert[1], which was a predecessor to the current Let's Encrypt project (free SSL certificates) that hasn't succeeded dramatically because it hasn't been able to get its root certificate into browsers.

Basically they host parties, usually alongside a Linux or BSD conference, where trusted members will look at your legal documents and then affirm on their website that you are who you say you are. Some amount of "you are who you say you are" was then needed to get a free SSL certificate.

But imagine that in this context: everyone keeps one secure CAcert account, and then when you need to reset your password, some sort of OAuth handshake with CAcert proves it. You have one secure account with CAcert, and all of your utilities and cell phone stuff and PayPal will only reset your password with a handshake with the CAcert servers.

[1] http://www.cacert.org/

You and the other responder to my comment both raise a point that is extremely important and near/dear to me. I talk constantly about the need to establish tech "utilities" that can offer pure commodity services without being compromised by things like a profit motive, need to grow, etc. Authentication is a perfect candidate for this.

However, even given such a pure, charitable utility, OAuth is still the best way to do this stuff, and that's really what I meant in my comment. Authing through a universal standard means you're not tied to ANY parties, and you can always offer the best of the bunch as an option. In fact, any such "utility" should enforce interoperability/standardization as a primary feature, lest it leave its users subject to economic/political volatility.

As for forcing customers to be on google/facebook/whatever, I see this as a sub-optimal practice insofar as it does NOT include such a pure utility, but not for any other reason. I don't have up to date data on the topic, but offering both Google and Facebook OAuth surely covers almost everyone, and even for the occasional user of neither it would still significantly reduce account proliferation and bad practices if everyone forced people to sign up for one of a few select accounts vs. the alternative of everyone rolling their own.

Two scenarios:

1. I don't have a Google or Facebook account. Does that mean I cannot buy electricity?

2. I have a Gmail account that I was invited to join in 2005. Google's only link to my identity is a Yahoo email account that was deleted in 2007. Is there sufficient trust to allow me to sign up for electricity?

Hi -- great points, see comment I posted to the other responder: https://news.ycombinator.com/threads?id=allworknoplay
As the article implies, call the customer back on their number on file.

I guess you need a process if they no longer own that number, but it's a start.

Most of the time they ask you for some four digit number, name, address, etc. I think the first two steps would be 1) send an SMS message to the number, alert the user to the issue and have them read back the code, 2) an access code sent to the user's email address.

I remember there are banks that give you a biometric reader and only then can you log into your account. Capital One's mobile app allows you to use a fingerprint to auth the app, great for convenience, but we can probably make the app even more secure by demanding the same fingerprint used throughout. Of course, there have been some attacks on the iPhone's fingerprint device, but first you need to have access to that fingerprint, so most likely that is targeting some big fish.
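The two steps proposed above (a code sent to the number on file, a code sent to the email on file) are easy to get wrong in the details, so here is an added example that is not from the original thread or from any of the companies mentioned. It models an account-recovery challenge the way a support desk should run it: the caller may choose the channel, but the destination is always the contact already on file (the `ACCOUNTS_ON_FILE` table and the account id are constructed sample data); the code is random, short-lived, single-use and compared in constant time; and after a fixed number of wrong guesses the challenge is burned and has to be reissued. The injectable clock exists only so the expiry path can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is only good for five minutes
MAX_ATTEMPTS = 5         # then the challenge is burned and must be reissued

# Constructed "account on file" data. In a real system this comes from the
# customer record; it is never taken from whatever the caller tells the agent.
ACCOUNTS_ON_FILE = {
    "acct-1001": {"phone": "+15555550100", "email": "holder@example.com"},
}


class RecoveryChallenges:
    """Issue and verify one-time codes sent to a contact channel on file."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # account_id -> challenge state

    @staticmethod
    def _digest(account_id, code):
        # Store a hash rather than the plaintext code. With a six-digit code
        # this only stops casual reading of the table (a million guesses is
        # trivial offline); the real defences are the TTL and attempt limit.
        return hashlib.sha256(f"{account_id}:{code}".encode()).hexdigest()

    def issue(self, account_id, channel):
        """Create a code and return (destination, code) for the out-of-band send.

        `channel` is "sms" or "email". The destination is always the value
        already on file, so an attacker cannot redirect the code to themselves.
        """
        record = ACCOUNTS_ON_FILE[account_id]
        destination = record["phone"] if channel == "sms" else record["email"]
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account_id] = {
            "digest": self._digest(account_id, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return destination, code

    def verify(self, account_id, submitted):
        """Return "ok", "bad", "expired", "locked" or "no_challenge"."""
        state = self._pending.get(account_id)
        if state is None:
            return "no_challenge"
        if self._clock() > state["expires"]:
            del self._pending[account_id]
            return "expired"
        state["attempts"] += 1
        if state["attempts"] > MAX_ATTEMPTS:
            # Burn the challenge even if this guess happened to be right.
            del self._pending[account_id]
            return "locked"
        expected = state["digest"]
        actual = self._digest(account_id, submitted.strip())
        if hmac.compare_digest(expected, actual):
            del self._pending[account_id]   # single use
            return "ok"
        return "bad"


if __name__ == "__main__":
    rc = RecoveryChallenges()
    dest, code = rc.issue("acct-1001", "sms")
    print(f"would send {code} to {dest} on file")
    print(rc.verify("acct-1001", code))   # ok
    print(rc.verify("acct-1001", code))   # no_challenge (already used)
```

Note what this does not solve: the case raised above where the customer no longer controls the number on file. A code sent to a stale number proves nothing about the caller, so that path still needs a separate, slower process rather than a fallback to "name, address and account number".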

And what if your fingerprint gets stolen? Get a new finger?

Biometrics is horrible for auth. [1]

[1] https://technet.microsoft.com/en-us/library/cc512578.aspx

I did say there have been attacks on fingerprint readers in my comment above, BTW.

Everything can be stolen. I am not sure if you can stop identity theft. Someone would have done so if it could be stopped. The goal is to make stealing harder. Combine the fingerprint with other verification (see above too). My original comment was on the fact that once you sign in with a fingerprint, you are good to go for a duration (Capital One logs you out automatically after ~2 minutes of inactivity on my iPhone, which is wayyyyyy more secure than other bank apps I have used).

Read the linked post. It explains why the distinction needs to be made between identity and authn/authz.

Point being, biometrics is a bad idea to start with. Capital One doing this means they are failing to make the same distinction, much like a 6 char password minimum, etc. etc.