[nerdsniper]

The issue is less about having an ID on file, and more about verifying ID. In a world of excellent real-time deepfakes, how would GitHub verify ID at scale?

A fake ID is pretty easy to create, along with a fake face for a video chat where you can hold up your fake ID.

[alwa]

I think that part is made easier by the fact that I uploaded the ID in the first place under fully trusted conditions.

If I have the same physical piece of ID—as I imagine OP might have, upon release from prison—then they can directly compare it to the copy that I supplied previously. Scuff marks and specific document numbers included. I think that probably even scales.

If I lose access to my main identity document, one advantage of government ID is that I’ll urgently have it reissued. In most of the places I’ve lived, that’s the kind of thing you can validate against either the underlying authority or a sleazy-but-reasonably-accurate data broker. But in either case it’s out-of-band from my relationship with the tech company, in a way they can validate by semi- or fully-automated means, and with reference to an independent authority.

If somebody wants to physically mug me to steal my ID for access to my GitHub, I figure I’m pretty much out of luck—to paraphrase James Mickens [0], Mossad’s gonna Mossad.

[0] https://www.usenix.org/system/files/1401_08-12_mickens.pdf

[true_religion]

You don't have to do things "at scale". Github could require a substantial financial transaction to cover all the costs associated with ID verification and account re-instatement, as well as keep backups before that point so if it's proven after the fact that it was fraud, they could restore to the original state.

Like my data center (not US based) has a process where if you lose all of the documentation proving that a server is yours, you can go on site physically with ID, and the police and/or national identity service will verify on the spot that your finger prints match what is on file for the ID. It costs something like $300 and you risk being arrested if you're a criminal.

[filearts]

An idea might be to require a financially meaningful deposit to pursue an account recovery like this. The deposit would be forfeit if the identity verification failed.

Though now that I write this, it creates a perverse incentive for a company to collect deposits and deny account recovery.