What I'd like is a hierarchical system. You verify your identity with one or more level 0 identity services. Level 0 services would be the most secure, but as is often the case that heightened security would likely come with a cost. It would likely take some effort to establish your identity with a level 0 provider. It might also take some effort to use a level 0 provider to prove your identity to someone. Level 1 services would be built on top of level 0. You make an account at a level 1 service using a level 0 service to prove your identity. Level 1 is likely not as secure as level 0, but it is easier to work with and to use when providing identity to someone else. Similarly, level 2 builds on level 1, and so on. Some of the services at these levels might function both as identity verifiers and as providers of end user services. Level 0 would best be handled by long-lived entities that have actual offices that you can visit. Banks would be a good candidate for providing level 0. To set up an identity account at level 0 you'd have to show up in person and with whatever proof of identity is generally required in your jurisdiction to prove identity. Some good entities that might provide level 1 service are domain registrars and email hosting companies. The key things they would have to do to be a level 1 service are (1) let you associate your account with an identity proof from a level 0 service, and (2) set a flag on your account that says anyone claiming to be you trying to recover from a lost password or lost 2FA token or something must verify against the level 0 service to prove they are really you before recovery is allowed. Let's say I'm using my domain registrar for level 1. For me then level 2 might be my email host.
An email host acting at level 2 for someone with their own domain would be similar to an email host acting at level 1, except you associate the account with the domain and anyone trying to take the account has to prove ownership of the domain. Below that I'd then use my email as my identity at places like Facebook, my ISP, Amazon, and anyplace else I need to create an account. Account recovery would require being able to respond to emails sent to me. Then maybe below that I might use login by Facebook or login by Apple at a few places. (I normally just go for traditional email/password if I can, but sometimes a site or service makes that so painful I give up. For example the McDonald's mobile app. But that's a rant for another time...). Level 0 providers would also provide something like certificates of identity. That would be a way to get a certificate from them that says that at the time the certificate was issued the person with real identity X, which they have verified in person, is also the person with email address Y (or telephone number Z or whatever), and they have verified this. So if I need to prove to say Facebook who I really am, I can get such a certificate from my level 0 provider and give Facebook a copy. With this we can continue to use the fairly simple way we identify ourselves to most sites (email), but if we have to we have a good way to prove real identity, and we have a reliable way to recover if our account at a site gets compromised by anyone short of a major state actor. If end sites get compromised, email recovery works. If email gets compromised, that can be recovered based on domain ownership, and then once email is recovered end sites that were compromised via the compromised email can be recovered. If my domain gets compromised that can be recovered by going to my level 0 and using that for domain recovery, then I can recover email, and then end sites.
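A constructed model of the recovery chain the comment describes, added here as an illustration and not the commenter's code. A level 0 bank issues short-lived certificates binding an in-person-verified person to one specific account (an HMAC stands in for the real signature a provider would use); the level 1 registrar rotates a domain credential only against such a certificate; the level 2 email host rotates a mailbox only after a challenge is published in the domain's DNS; a level 3 end site rotates only on a code emailed to that mailbox. All class names, method names, record layouts and the sample person, domain and address are assumptions made for this example. The final function walks the worst case the comment ends with: registrar and mailbox credentials both stolen, recovered top-down from level 0.

```python
import hashlib, hmac, json, secrets, time

# Constructed model of the tiered identity scheme discussed in the comment; names,
# data shapes and the HMAC "certificate" are assumptions for this example only.


class Level0Bank:
    """Level 0: in-person verification; issues short-lived identity certificates."""
    def __init__(self, name):
        self.name, self._key, self.verified = name, secrets.token_bytes(32), set()
    def _mac(self, body):   # stand-in for a public-key signature over the body
        return hmac.new(self._key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    def attest(self, person, attr, value, ttl=3600):
        """Certificate: 'person, verified in person, is the holder of attr=value'."""
        if person not in self.verified:
            raise PermissionError("no in-person verification on file")
        body = {"issuer": self.name, "subject": person, "attr": attr,
                "value": value, "expires": int(time.time()) + ttl}
        return {**body, "sig": self._mac(body)}
    def verify(self, cert, attr, value, now=None):
        body = {k: v for k, v in cert.items() if k != "sig"}
        return (hmac.compare_digest(self._mac(body), cert.get("sig", ""))
                and body["attr"] == attr and body["value"] == value
                and body["expires"] > (now or int(time.time())))


class Registrar:
    """Level 1: domain recovery needs a level-0 certificate naming this exact account."""
    def __init__(self, name, level0):
        self.name, self.level0, self.accounts, self.txt = name, level0, {}, {}
    def _proof_ok(self, domain, cert, person):
        return (self.level0.verify(cert, "account", f"{self.name}/{domain}")
                and cert["subject"] == person)
    def register(self, domain, person, cert):
        if not self._proof_ok(domain, cert, person):
            raise PermissionError("level-0 proof required")
        self.accounts[domain] = {"owner": person, "cred": secrets.token_hex(8)}
        return self.accounts[domain]["cred"]
    def recover(self, domain, cert):
        acct = self.accounts[domain]
        if not self._proof_ok(domain, cert, acct["owner"]):
            return None
        acct["cred"] = secrets.token_hex(8)      # whoever held the old credential is out
        return acct["cred"]
    def set_txt(self, domain, cred, value):       # DNS TXT record stand-in
        if self.accounts[domain]["cred"] != cred:
            raise PermissionError("bad registrar credential")
        self.txt[domain] = value


class EmailHost:
    """Level 2: mailbox recovery needs a challenge published in the domain's DNS."""
    def __init__(self, registrar):
        self.registrar, self.boxes, self.pending, self.inbox = registrar, {}, {}, {}
    def register(self, address):
        self.boxes[address] = secrets.token_hex(8)
        return self.boxes[address]
    def begin_recover(self, address):             # value the owner must publish in TXT
        self.pending[address] = secrets.token_hex(8)
        return self.pending[address]
    def finish_recover(self, address):
        domain = address.split("@", 1)[1]
        if self.registrar.txt.get(domain) != self.pending.pop(address, None):
            return None
        self.boxes[address] = secrets.token_hex(8)
        return self.boxes[address]
    def read(self, address, cred):
        if self.boxes[address] != cred:
            raise PermissionError("bad mailbox credential")
        return self.inbox.get(address, [])


class EndSite:
    """Level 3: recovery is an emailed code, nothing more."""
    def __init__(self, host):
        self.host, self.accounts, self.pending = host, {}, {}
    def begin_recover(self, address):
        self.pending[address] = secrets.token_hex(8)
        self.host.inbox.setdefault(address, []).append(self.pending[address])
    def finish_recover(self, address, code):
        if self.pending.pop(address, None) != code:
            return None
        self.accounts[address] = secrets.token_hex(8)   # fresh site password
        return self.accounts[address]


def recover_after_domain_compromise():
    """Registrar and mailbox credentials both stolen; the owner climbs the chain."""
    bank, me, domain, addr = Level0Bank("bank"), "person-X", "example.org", "me@example.org"
    bank.verified.add(me)                         # showed ID at the branch
    reg = Registrar("registrar", bank)
    host, site = EmailHost(reg), EndSite(None)
    site.host = host
    stolen = [reg.register(domain, me, bank.attest(me, "account", f"registrar/{domain}")),
              host.register(addr)]
    # level 0 -> 1: a fresh in-person certificate rotates the registrar credential
    new_reg = reg.recover(domain, bank.attest(me, "account", f"registrar/{domain}"))
    # level 1 -> 2: publish the host's challenge in DNS using the new registrar credential
    reg.set_txt(domain, new_reg, host.begin_recover(addr))
    new_box = host.finish_recover(addr)
    # level 2 -> 3: read the emailed code from the recovered mailbox
    site.begin_recover(addr)
    new_site = site.finish_recover(addr, host.read(addr, new_box)[-1])
    try:                                          # stolen registrar credential is now useless
        reg.set_txt(domain, stolen[0], "attacker-txt")
        return False
    except PermissionError:
        return None not in (new_reg, new_box) and new_site is not None
```

The certificate is deliberately bound to one purpose (`attr="account"`, `value="registrar/example.org"`) and expires quickly, so a copy handed to one relying party cannot be replayed at another; that is the property a level 0 provider would need if its certificates are also to be given to end sites such as Facebook, as the comment proposes.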
And again, it would be opt in, just like verifying with Facebook / Twitter etc is opt in. And for people who are concerned about government surveillance, they can already do that if you verify your social media account via your credit card, that's kind of the point there, that the credit card ties a social media account to a real world person.