by steventhedev 2726 days ago
Consider the threat model:

An adversary takes over the email account, and checks if they reused their password on your site. If they didn't, then they'll try to reset the password, and you should check the second factor before resetting the password. If they did reuse their password, then you should check the second factor on login (assuming it's coming from a previously unrecognized source). At this point, the attacker will either give up, or attempt to contact your support channels, impersonating the user.

It's up to you what restrictions you place on your support mechanism for resetting 2FA. I would suggest a combination of the following:

- photo of a currently valid credit card associated with the account

- photo ID with address that matches billing address

- mandatory 7 day delay in the reset

- prove access to the payment method by issuing a payment for some fractional amount and request the amount, then refund it (or don't and keep it as a "security fee")

But no matter what you do, please please please be consistent. Train your entire support staff (if any), keep records of when people talk with you, don't disclose when the last time you talked was, and insist on following a process. If your process fails, see how and improve it.
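The step-up rule from the threat model above and the support-desk reset process (credit card and ID review, a mandatory 7-day delay, and a fractional charge the customer must read back) can be combined into one consistently applied state machine. The following is an added example, not code from the post or from any product mentioned in the thread: the names `TwoFactorResetDesk`, `ManualClock`, `second_factor_required` and the `ResetRequest` fields are this example's own, and the actual charge/refund calls to a payment processor are assumed and left as comments.

```python
# Added example: 2FA reset desk following the thread's process. Names are
# assumptions of this example; payment-processor calls are not implemented.
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from decimal import Decimal, InvalidOperation
from typing import Optional

RESET_DELAY = timedelta(days=7)   # mandatory cooling-off period before a reset
MAX_AMOUNT_ATTEMPTS = 3           # guesses allowed for the fractional charge


def second_factor_required(event: str, known_device: bool) -> bool:
    """Threat-model rule: an attacker holding the mailbox either resets the
    password (always step up) or logs in with a reused password from a
    source we have not seen before (step up)."""
    if event == "password_reset":
        return True
    if event == "login":
        return not known_device
    raise ValueError(f"unknown event {event!r}")


class ManualClock:
    """Injectable clock so the 7-day delay can be exercised without waiting."""
    def __init__(self, start: Optional[datetime] = None):
        self._now = start or datetime.now(timezone.utc)

    def now(self) -> datetime:
        return self._now

    def advance(self, **delta) -> None:
        self._now += timedelta(**delta)


@dataclass
class ResetRequest:
    account_id: str
    opened_at: datetime
    challenge_amount: Decimal        # fractional charge the customer must read back
    documents_ok: bool = False       # card photo and photo ID reviewed by staff
    amount_attempts: int = 0
    amount_verified: bool = False
    history: list = field(default_factory=list)  # (timestamp, note), internal only


class TwoFactorResetDesk:
    def __init__(self, clock: Optional[ManualClock] = None):
        self.clock = clock or ManualClock()
        self.requests: dict = {}

    def _note(self, req: ResetRequest, text: str) -> None:
        # Every contact is recorded, as the post advises; never shown to callers.
        req.history.append((self.clock.now(), text))

    def open_request(self, account_id: str) -> ResetRequest:
        # Charge a random amount between 0.01 and 0.99 to the card on file.
        # The processor call is assumed here; only the amount is generated.
        cents = secrets.randbelow(99) + 1
        req = ResetRequest(account_id, self.clock.now(), Decimal(cents).scaleb(-2))
        self.requests[account_id] = req
        self._note(req, "request opened, challenge charge issued")
        return req

    def record_documents(self, account_id: str, card_ok: bool, id_ok: bool) -> None:
        req = self.requests[account_id]
        req.documents_ok = card_ok and id_ok
        self._note(req, f"documents reviewed card_ok={card_ok} id_ok={id_ok}")

    def verify_amount(self, account_id: str, claimed: str) -> bool:
        """Customer reports the charged amount. Attempts are capped so the
        amount cannot be guessed over repeated support calls, and the
        comparison is constant-time."""
        req = self.requests[account_id]
        if req.amount_attempts >= MAX_AMOUNT_ATTEMPTS:
            self._note(req, "amount check refused: attempt limit reached")
            return False
        req.amount_attempts += 1
        try:
            claimed_dec = Decimal(claimed)
        except InvalidOperation:
            self._note(req, "amount check failed: unparsable value")
            return False
        ok = hmac.compare_digest(format(req.challenge_amount, ".2f"),
                                 format(claimed_dec, ".2f"))
        req.amount_verified = req.amount_verified or ok
        self._note(req, "amount check " + ("passed" if ok else "failed"))
        return ok

    def can_reset(self, account_id: str) -> bool:
        """All requirements, applied identically to every request."""
        req = self.requests[account_id]
        waited = self.clock.now() - req.opened_at >= RESET_DELAY
        return req.documents_ok and req.amount_verified and waited

    def status_for_caller(self, account_id: str) -> str:
        """Coarse state only: no timestamps of earlier contacts are disclosed."""
        return "eligible" if self.can_reset(account_id) else "pending"
```

The three checks are deliberately independent: a customer who reads back the right amount but has not waited the full delay, or whose documents were rejected, stays `pending`, and the attempt cap means a caller who keeps phoning with new guesses cannot wear the amount check down.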


> photo ID with address that matches billing address

Please don't do this. There are people who move too often to have their current address on their photo ID.

For a business setting, that's a red flag for KYC, but for a B2C app, that's a very legitimate concern. If I were in that position, I'd probably just insist on seeing some proof that I can tie to the payment method, because otherwise how do I know you're John Smith from 123 Residential St, or John "the crook" Smith from the bad side of town? Bank statement, photo ID, etc.

Remember that this process needs to be painful. You already screwed up by losing your 2FA. It sucks, but if it doesn't, then it defeats the point of having that 2FA in the first place.

Photo ID is not used for authenticating that the person lives at the address. That's why voting registration or driver's license requires proof of residency [1]:

> A few examples of acceptable documents to prove California residency are:

> Rental or lease agreement with the signature of the owner/landlord and the tenant/resident

> Deed or title to residential real property

> Mortgage bill

> Home utility bills (including cellular phone)

> Medical documents

> Employee documents

[1] https://www.dmv.ca.gov/portal/dmv/detail/pubs/newsrel/newsre...

I've never understood why these documents are meaningful in any way. The people at the DMV aren't qualified to judge whether these documents are forgeries, and certainly not in the ~5 seconds they spend looking at them. Anyone with a printer and Microsoft Paint can produce one of these in two minutes.

When I was getting my state ID, I wasn't prepared to have proof of residency, so I ended up downloading a bank statement from my mobile banking app, and presented the corner with my address & name on it to the clerk. I also wouldn't put much trust into the address information on IDs.

Another example is WA state DoL, which does not automatically reissue (nor require) a new license when you update your address.

For this to be a problem someone would have to lose their 2FA device, and their backup codes, and change their billing address but not the address on their ID. If all that does happen, they can solve it by updating their ID, which most states require within 30 days of moving anyway.
California drivers licenses are not reissued when you update your address [1].

> A new driver license, identification card or registration card is not issued when changing your address.

[1] https://www.dmv.ca.gov/portal/dmv/detail/online/coa/welcome

Which is the correct answer, thank you. It does need to be painful, otherwise it has no value. But it needs to be fair. For example, I moved home a year ago with my now wife. Hireright needed utility bills in my name, but she pays them and I pay the mortgage. This caused a lot of stress. I swear a load of these gatekeepers have never tested or thought about this process.

Or they could have used a billing address different from where they live to start with.

True.

I'd argue that trumps all other control over the account. If you can show that you control the payment method, then I'll accept you as the legitimate controller of the account. So, notarized, translated, and apostilled letter from the bank branch manager stating that you are the person in control of the account, sent by certified mail with signature delivery and I'll send you back a link to type in manually the same way.

As a shortcut, I'd say it's mostly safe to accept a picture of someone's face holding up their photo ID with the same billing address.

Or confirming the amount and/or origin (some banks/credit systems do not display the merchant name for some half-brained reason) of a small transaction (e.g. 1.37 USD from merchant account ACMECORP-294817) that is refunded after a week.

Also, some countries don't issue photo IDs with an address.

A service I use requires me to resubmit my identification every year. Interestingly, they do not allow scanned images. It must be a photo of the credential.

In another thread here users reported success in sending Facebook IDs that have been photoshopped.

We first all need to agree on how we will authenticate government IDs before we can trust them.