[livueta]

Oof, that's not good. As a Fi user, I'm pretty angry at the moment even though I got the other version of the notice. That's because one of the main reasons I was using Fi in the first place was the perceived protection against sim swapping, via a super locked down special purpose Google account and the apparent inability of T-Mobile CSRs to access Fi customer data. The first thing I thought upon reading the notice was usefulness for sim swapping, and my heart fell upon reading your comment.

Good reminder that SMS 2fa fucking sucks and so do the institutions that insist on it, especially those that offer other forms of 2fa but treat SMS as a fallback (why why why why why).

[georgyo]

The why is obvious.

People will lose their 2FA. It's a fact of life. Lost keys with your yubikey. Broken phone without a backup of your totp. Etc.

After that, how do you prove that someone owns their account?

Send a photocopy of your passport? No way to edit a picture, right?

Answer some security questions, which you certainly forgot the answer to. And people are likely using the same questions with the same answer on many sites.

Tell them tough luck?

The problem is there isn't a good answer for the most common failure mode. SMS 2FA isn't perfect, but it is accessible to nearly everyone and delegates ownership proof to the telephone company.

[foepys]

In Germany there is a process called PostIdent by Deutsche Post. Any business can send you a QR code which you take to the local post office and a teller will verify your ID. The business is being notified next to instantly and you can proceed with whatever is needed.

It's a nice and smooth process.

Businesses could also use the German government ID, which has a chip with cryptography functionality built in.

[sofixa]

> Businesses could also use the German government ID, which has a chip with cryptography functionality built in.

Same goes for the whole EU, it's in the new ID card standard: https://en.wikipedia.org/wiki/National_identity_cards_in_the...

I hope we start seeing some neat use cases with them. Being able to cryptographically (and in some cases anonymously) prove one's unique identity online would be pretty cool.

[cyberpunk]

BankIdent is also quite smooth, a simple bank transfer to confirm your identity.

[sjf]

I have used both. During that time I've lost access to SMS due to my phone breaking (twice), I have lost permanent access to online banking because the bank will not accept an international number. I came extremely close to losing access to my entire Google account because I use Fi and you need to sign into Google to activate it on your phone, but you need to be able to receive SMS to sign in to Google.

Meanwhile, I have multiple yubikeys that are as hard to lose or break as a house key. Google is kind of the only site that supports hardware tokens, but you can add multiple to your account. I can't think of a single site that allows multiple phone numbers for SMS 2fa.

[koolba]

> I have multiple yubikeys that are as hard to lose or break as a house key.

Unfortunately, hard and easy are interchangeable in this sentence. And if you lose your house key you can always call a locksmith or just break a window to get inside.

Even if you don’t have identification on you, if the cops show up you can have your neighbors vouch for you (assuming the cops don’t already personally know you).

[sjf]

It's not the same though. You can never do the equivalent of locking your yubikey inside the house.

[lamontcg]

Yeah I've got enough yubikeys that I'm very unlikely to lose them all. The only thing that I'm vulnerable to right now is a house-burns-down kind of situation, and I'm considering storing a yubikey at someone else's house to get offsite backup.

[herewulf]

The solution is a government issued key pair. Probably on a Yubikey type of device. Replacing a lost one of those is then the same process as replacing a lost driver's license / passport / other government issued identification.

By 2023 it's high time for these forms of identification to catch up with the digital age. It's high time to end the joke of verifying identity by birthday, SSN, "in-security questions", and other easily leaked information. And obviously 2FA by SMS is not good either.

[ridgered4]

I can't say the idea of a verifiable government id being demanded by every social media or other sign up sounds that thrilling to me. It'll just be facebook demanding a scan of your driver's license in a different form. The SMS verification step where you phone number is demanded "only for security" (and then used for advertising 10 minutes later) is bad enough, but at least it is still possible (if onerous) to get some some separation there.

I'd honestly just prefer TOTP or hardware tokens be mandated as an option for 2FA if you offer it.

[arcticbull]

I think Estonia started doing this like 20 years ago. [1]

[1] https://e-estonia.com/solutions/e-identity/id-card/

[fsh]

The German national ID contains an NFC smartcard since 2010. Unfortunately, adoption has been quite slow. Many companies still use some wonky video based authentication procedure. I guess they believe that installing a separate app is too hard for many users, and filming the ID is easier.

[nytesky]

We should just have state issues licenses with chips. At the bank I show my license; on bank website it reads the chip and pin off my license.

[m4rtink]

Not to mention most of the "replacements" are often service specific authenticator apps of dubious quality that might even refuse to run on your device for various reasons.

In comparison SMS works the same for all services - its an easy choice.

[debarshri]

Recently, Instagram asked to verify an account I have been using for past 2 year. Spent over $100 on ads.

I felt stupid and embarassed taking my own selfie with a piece of paper with a number written on it. But then I would have lost my account, had to do it.

[GravityisaHoax]

Venmo requested the something similar from me a few years ago for an account with 0 activity. Except they wanted a passport or driver's license with a selfie. This was an account without any bank account or cards attached to it. I hadn't used it to pay or receive any money. But it wasn't a new account. I had for like 3 years and just never used it like I thought I would need to.

I understand needing to verify the identity of people transferring large amounts of money, but it was a ridiculous ask for someone who just wanted it to send a friend 10 bucks for lunch. I just used another app, and my identity is still frozen in Venmo to this day. The silver lining is that no one can open an account with my information to circumvent the freeze, so I'm safe in that respect on Venmo.

[2Gkashmiri]

i used to use linkedin from a different location from my current one. i didn't think about this but when i tried to log in from my present location, it said something bullshit about "security" and now i am forced to upload my passport for verification and they pinky promise to delete the photo after verification. no fucking way

[hellotomyrars]

Facebook decided they wanted my drivers license to verify my account that I wanted to log in to to pull some very old pictures off of it and never think about it ever again.

You have to use the camera on a device, you can’t upload an image file (which just makes things more obnoxious, not any more secure) They tell you they’ll keep the photo stored for a year to better improve their process or whatever other bullshit. You can opt to have them only store it for one month (how nice of them) but when you do that I totally resets the flow of everything so you have to do everything all over again and it makes it seem like you’re stuck in an endless loop of doing that so you’ll just let them keep it for a year.

I caved and did it. There was no time to verify. I was just able to login.

So no, they didn’t need it for any actual verification or security reason. They just wanted the data. It’s almost funny how naked it was.

[yencabulator]

Well, banks seem pretty happy with the safety of USPS for sending cards, so how about sending the person a letter with a one-time code?

The multi-day delay even sounds like a good idea, in case someone triggers that system with the intent to steal mail -- it gives the still-able-to-login real user time to veto it.

(If you want a level of anonymity, you can rent a PO box, use a commercial mail handling agent, register c/o a lawyer, etc.)

[gleenn]

Solution is multiple yubikeys or printing out backup codes.

[nirvdrum]

How are you handling multiple Yubikeys? I'm doing it personally and it's so annoying that I can't imagine recommending this to anyone else. Since I'd hate to lose access to everything if my house burns down, I keep a key outside of the home. Of course, for that key to be useful, I need to update it whenever I use my key on a new site/service. Dropping everything to go fetch my key is inconvenient, so I keep multiple keys in the house. That way I can add two keys to a service and have a local backup in case one breaks. But, then I need to remember to actually add the off-site key to the account as well.

Maybe I should just round-robin the off-site key. It's just tedious to keep track of what's been registered with which key and making sure they're all in sync. I really wish there were a secure way to simply have a key backup.

Not to mention, this is kind of expensive and also non-obvious as Yubikey primarily sells single keys. I'd love to see wider adoption, but can't see the general population putting up with this.

[avh02]

This has been what stops me from going full webauthn, instead right now I use 3 yubikeys with pass (password store) and encrypt with 3 separate gpg keys (one private key stored on each yubikey), I haven't touched one of the yubikeys in a year but I know that if I lose the other two it can still decrypt my passwords.

The disadvantage here is obviously it's just another password manager instead of taking full advantage of hardware tokens, but I want to be able to enroll passwords or tokens without the key present all the time. (Also, yubikeys have limited slots for keys)

[zikduruqe]

> this is kind of expensive and also non-obvious as Yubikey primarily sells single keys

Unless you need the GnuPG or SSH applets, I just use the $14 FIDO keys from Identiv. They are also NFC capable for my mobile devices also. I keep one at my office, one at home and carry one in my pack.

I too wish there were a way to keep them in sync or back them up.

Maybe a virtual FIDO key? https://github.com/bulwarkid/virtual-fido

[wepple]

Fireproof safe, and living in an area where the fire department would be able to get the fire under control fast enough that I would hopefully not need 1/10th of the capability of that safe.

Edit: also, if your house burns down, won’t you probably have your keys on you if you’re not home?

[nirvdrum]

Although these keys are intended to be stored on a keychain, I don't know of anyone that actually uses them that way. If you work remotely, there's just no need to have your keys on you most of the time. One of my keys is a 5C Nano and it just sits in the laptop all day long. So, if my house burns, I'm losing any keys in the house along with it.

As for a fireproof safe, I do have one, but they're rated for X hours and degrade over time. I should probably get a new one.

[tke248]

I had a good fireproof safe burn once it fused the sand or whatever material is between the layers of metal. I was never able to get back into it.

[artdigital]

I just have one in my drawer and one in my bag / always connected to my Mac

Then a printed backup sheets like 1password somewhere offsite (still needs master password to be usable)

[microtheo]

I use Windows hello and Apple passkey as secondary fido devices, isn’t that a valid method??

[nirvdrum]

Maybe? I really don't know. I dual-boot a Linux & Windows workstation and have a macOS laptop, so I haven't looked too deeply into platform-specific solutions. For now, I stick with Yubikeys. Complicating things further is for some accounts I'd like to give my wife access and she has her own keys and own devices. I've hit the key registration limit on some sites.

[idontwantthis]

The one time I had to use backup codes with Google they simply didn't work. Fortunately I was still logged on at my home comptuer.

[mjg59]

Fi is an MVNO - there's apparently some sort of magical mapping between Fi numbers and network-specific numbers that still end up on the network's infrastructure (there apparently used to be issues with 911 operators seeing the network-specific number rather than the actual Fi number), and the mapping of that network-specific number onto an IMSI is still going to be under the control of that network. It's possible to block front-end agents from being able to do anything with that, but if someone compromises network infrastructure then it seems like it's hard to protect against it?