[techsupporter]

A possible reason was called out in the article:

"Gandi’s paper 'email reset' form makes a lot of sense in the world where most of their customers are individuals or small businesses with one or two domains, and using addresses that they may lose access to. With no other factors, if they lose access to the email address and forget their password, there needs to be a process to regain access."

If a customer loses access to the one e-mail registered with GANDI (a small business signs up with their Earthlink.net address, moves, and now only has a Comcast.com address), there needs to be a way that allows an e-mail change without requiring positive confirmation from the old address. Having GANDI change process to disallow this when an account is 2FA-enabled is, to me, a reasonable compromise.

[facepalm]

Shouldn't they send out a paper letter to the owner of the domain then? That might be a better way to verify identity. Or use an actual "real world" identity check?

In Germany you can do that with the German mail system - the postman will then check your id and confirm you are who you claim to be. Certainly not foolproof, but just accepting incoming letters at face value seems crazy.

[Jhsto]

In Finland all changes to your .fi domain (renews, nameserver changes, etc.) are snail mailed to you. It was a confusing experience for me when I registered a .fi domain on Gandi, but still got all the mails sent to me. Also, I can't control my domain on Gandi, as the credentials were snail mailed to me by my country's authorities. The only place I can make changes to my domain is on Finnish authority's website - with the credentials which were snail mailed to me.

In here postmen only check your ID when receiving or retrieving packages, but I've understood that you can buy the same service for letters as well. Most online identity checks are made by logging in trough banks, which can verify your SSN and alike.

[facepalm]

It's probably too expensive to use as a standard method, but I would be willing to deposit some money with Gandi just in case they need to ID check me.

[Spooky23]

The US has this as well -- registered mail, which provides a full chain of custody for the letter. It's also a serious crime to provide fraudulent identification.

[ghshephard]

A better compromise is a 30 day lock down by default, with weekly, for three weeks, and then daily messages notifying of the change.

The alternative would be to go to a fastmail selected notary, and present appropriate identification material to them, and then pay a small fee to have an expedited (3 day) recovery process.

[7952]

Why not send a reset code to the registered address or phone number? Or they could pay some money into the registered bank account with a special code that would only be visible on a bank statement (like Paypal).

[danielweber]

People move physically and change their phone numbers, too.

You don't have a bad idea, you just need to consider all the effects.

[7952]

It is not like you have a perfectly verified identity in the first place. There are no photos or biometrics that could uniquely identify the person in the absence of the things like address or phone. Most websites do not verify identity but the provenance of the user (is it the same person?). Establishing actual identity is just more difficult and mostly unnecessary.

[danielweber]

For my personal domain, yes, that's overkill.

For the places where it's really necessary, like fastmail, they should have physical photos of all the principals on hand.

It's expensive, but it's also an extremely precious resource they need to guard at all times.