by dlss 4616 days ago
I'll take a stab at this.

Before I get into it, we need to correct a misconception on your part: using a government ID doesn't work in every case. It turns out hackers know how to forge government ID images, and some of FB's users don't have government IDs (for instance, before I turned 16 all I had was a private school ID).

With that out of the way, I think they should do what you suggested: sms verification. Email verification also works. As does postal mail. As does credit card charge. As does ACH charge. As does paypal charge. As does "send in a photo of you with a shoe on your head". As does having a user's friends vouch for them (they call their friends and ask). As do a lot of things.

Facebook should look closely at whatever attacker they are trying to lock out, and make several methods of ownership verification available. Maybe require two?

Requiring IDs just isn't a particularly good way to do it, and has bad PR effects these days.

4 comments
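The post's suggestion, offering several ownership-verification channels and requiring two, is easy to get subtly wrong: two channels that fail together (three different payment charges, or SMS plus a voice call to the same phone) are not two independent proofs. The following is an added example, not code from the thread or from Facebook, of a recovery policy that counts distinct channel groups rather than raw channels. The grouping of channels, the `CHANNEL_GROUP` table, the 90-day friendship age and the three-friend minimum for the "friends vouch" option are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# Assumption for this example: channels in the same group share a failure mode
# (a stolen phone, a compromised wallet), so passing two of them proves no more
# than passing one. A forged ID image is one group like any other, so an ID
# alone can never satisfy a two-group requirement.
CHANNEL_GROUP = {
    "sms": "phone",
    "email": "email",
    "postal_mail": "address",
    "card_charge": "payment",
    "ach_charge": "payment",
    "paypal_charge": "payment",
    "photo_with_shoe": "liveness",
    "friend_vouch": "social",
    "government_id": "document",
}


@dataclass(frozen=True)
class Vouch:
    friend_id: str
    friends_since: datetime  # when the friendship was established


@dataclass
class RecoveryAttempt:
    completed: Set[str]  # channels the claimant passed
    vouches: List[Vouch] = field(default_factory=list)


def valid_vouches(vouches: List[Vouch], now: datetime,
                  min_friend_age: timedelta = timedelta(days=90)) -> int:
    """Count distinct friends whose friendship predates the attempt by
    min_friend_age, so a vouch cannot be manufactured from freshly added
    accounts or from one friend vouching repeatedly (thresholds are assumed)."""
    seen = set()
    for v in vouches:
        if v.friend_id not in seen and now - v.friends_since >= min_friend_age:
            seen.add(v.friend_id)
    return len(seen)


def recovery_allowed(attempt: RecoveryAttempt, now: datetime,
                     required_groups: int = 2,
                     min_vouches: int = 3) -> Tuple[bool, str]:
    """Allow recovery only when the passed channels span required_groups
    independent groups. Returns (allowed, human-readable reason)."""
    groups = set()
    for channel in attempt.completed:
        if channel not in CHANNEL_GROUP:
            return False, f"unknown channel {channel!r}"
        if channel == "friend_vouch" and \
                valid_vouches(attempt.vouches, now) < min_vouches:
            continue  # too few independent friends: this channel does not count
        groups.add(CHANNEL_GROUP[channel])
    if len(groups) >= required_groups:
        return True, "ok: " + ", ".join(sorted(groups))
    return False, f"need {required_groups} independent groups, have {len(groups)}"


# Constructed sample data for a stand-alone run.
NOW = datetime(2014, 1, 1)
OLD = datetime(2012, 1, 1)   # long-standing friendship
NEW = datetime(2013, 12, 31)  # friend added the day before the attempt


def demo() -> dict:
    cases = {
        "id_only": RecoveryAttempt({"government_id"}),
        "sms_and_email": RecoveryAttempt({"sms", "email"}),
        "two_payment_channels": RecoveryAttempt({"card_charge", "paypal_charge"}),
        "sms_and_old_friends": RecoveryAttempt(
            {"sms", "friend_vouch"},
            [Vouch("a", OLD), Vouch("b", OLD), Vouch("c", OLD)]),
        "sms_and_new_friends": RecoveryAttempt(
            {"sms", "friend_vouch"},
            [Vouch("a", OLD), Vouch("b", NEW), Vouch("c", NEW)]),
        "sms_and_one_friend_thrice": RecoveryAttempt(
            {"sms", "friend_vouch"}, [Vouch("a", OLD)] * 3),
    }
    return {name: recovery_allowed(a, NOW)[0] for name, a in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
```

The policy is deliberately indifferent to which two groups are used, which is what lets a user without a government ID or a phone still recover; the check that matters is that no single compromised asset satisfies both.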

I do not think that every mechanism you proposed is viable, but generally I think you nailed it with this:

> Facebook should look closely at whatever attacker they are trying to lock out, and make several methods of ownership verification available. Maybe require two?

We might already see that, at least I have been prompted to validate once via email and once via text message before.

And then there are those questions Facebook asked me about some of my friends (do you know this person, is he/she real) which are obviously related to account verification in some way.

I also agree that it isn't smart to ask for IDs after all those NSA revelations.

> As does having a user's friends vouch for them (they call their friends and ask).

This is probably the most "Facebook" of the options. They already do something similar for some account lockout situations ("identify 5 photos of your friends to gain access").

This will be made difficult by people in your friends list using photos of cartoon characters, possessions, family members, significant others etc. as their profile photos.

If they go further and use photos that people are tagged in, then it also has problems of people being tagged in photos they are not present in to get their attention.

For example, in my friends list only around 70% of people have photos of themselves as their profile picture. Boy/Girlfriends and babies are the next most common picture.

Even if you recognise the specific picture, it might not be helpful. For example, two of my friends are dating, and use the same picture with both of them in it for their Facebook profile pictures.

> "identify 5 photos of your friends to gain access"

Really? I don't use FB so I can't verify, but that sounds like an epic security hole for pranksters, stalkers, exes, and abusive spouses.

I can confirm that this happened to a friend when accessing Facebook from another country.

Also, I remember reading an article (from HN) where some guy hacked a Facebook account (if I recall correctly) and that was one of the steps (he and the hacked one were friends and coworkers, so they had lots of friends in common).

Hmm, well hopefully just one of many steps and not "that's all it takes".

I'm no FB fan, but if they are using friends' pictures as a CAPTCHA to verify the authenticator is a human and not an automated computer, I grudgingly tip my hat in respect toward them. That would be much more elegant than the usual lame CAPTCHA.

This strikes me as it may become more of a problem as kids abandon FB and older people use it. The kid I sat next to in middle school lunchroom back when Reagan was president, and I clicked "yes" on his friend request out of guilt, well, I have no idea what the heck he looks like now. Ex-girlfriends? Well, I remember really well how she looked when she was 19, but that was a long time ago, and...

That shoe-on-head verification could've been an awesome PR win too. (Assuming it was presented as one option among many. Best would be to offer the choice of several of the options you suggested, as well as the government ID option.)
It's not a bank account, or the controls of an ICBM... What's the worst that will happen if you lose your FB account? You might blink a few times, snap out of the feedback loop, and move on.

Of course FB wouldn't want that, but what they're doing doesn't seem to help user retention either.