
What happens to the x% of users who lose/break/eat the device containing their private keys? How do they recover their accounts?



In Germany every service that you can sign up for online but requires proof of who you are uses something called "PostIdent" -- it's a service offered by the post office where you take the form in with your passport (or ID card) and they punch all the details into the computer and 'verify' it's you. In a (more) secure future, I see this being the real password recovery mechanism. The other technique used by online banks etc. is to send your password reset to you by mail. This assumes that physical mail to your registered address is more secure than online quizzes.

I think both of these options will become the standard for anything where security matters.


This is a good idea, and I too can see it happening in the future.

A few problems though: 1) PostIdent isn't free. You might not be paying for it, but someone is. Also, that random forum you signed up for in Singapore? Doubt they're going to support password recovery via PostIdent.

2) What happens if you need to reset your login while you're travelling? I have had it happen before that a password is forgotten or not available and I really need to log in (e.g. to retrieve the ticket), and a password reset to my email address is the most expedient method.


Using U2F doesn't mean you can't have a fallback to email.

There will likely be an "I lost my U2F token" reset on websites which allows you to register a new U2F token/password.

Personally I'm not holding my breath though, people hate extra steps and don't even use password managers when companies pay for them.

In the corporate space I feel like they compete with 2FA and it's not obvious this will come out on top in most environments.


For about half a year now, video ident has been gaining traction; it is basically the same thing but done via video chat. Still not free, but probably cheaper, less effort on your side, and usable while travelling (as long as you don't lose your passport).

I think Revolut and some other services even use the NFC chip in passports (yes, it can be read by regular smartphones) to identify you almost automatically.


The major services that support U2F authentication now (Google, GitHub, Dropbox) allow you to associate multiple U2F keys. So, let people associate their primary key and a backup key. The keys themselves are so cheap, that they could probably be shipped with cereal boxes in a few years ;).

(If you lose the key anyway, most services currently allow you to do authentication over SMS, or use a set of backup codes.)


Such backup codes are probably the safest way to go about this. A sheet of codes that you print or write out on a piece of paper and store with your valuables.
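One way a site could implement the printed sheet of backup codes discussed above. This is an added example, not code from the thread or from any of the services named in it; the alphabet, code length and PBKDF2 iteration count are my own choices. The point it shows is that the server keeps only salted hashes (so a database leak does not hand out working codes), compares in constant time, and burns each code after a single use.

```python
import hashlib
import hmac
import secrets

# Added example (not from the thread): single-use backup codes, stored hashed.
# No 0/o/1/l in the alphabet so that codes survive being copied from paper.
CODE_ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"


def _hash_code(code: str, salt: bytes) -> bytes:
    # Codes are short (50 bits here), so use a slow KDF with a per-account
    # salt; a leaked table then cannot be attacked with one precomputed dictionary.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def normalize(code: str) -> str:
    # Accept what people actually type from the sheet: spaces, dashes, any case.
    return code.replace("-", "").replace(" ", "").lower()


def generate_backup_codes(n: int = 10, length: int = 10):
    """Return (codes to show the user once, record to keep in the database).

    The plaintext codes are never stored; only their hashes are.
    """
    salt = secrets.token_bytes(16)
    codes = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
             for _ in range(n)]
    record = {"salt": salt, "hashes": {_hash_code(c, salt) for c in codes}}
    pretty = [f"{c[:5]}-{c[5:]}" for c in codes]   # grouping for the printout
    return pretty, record


def redeem_backup_code(record: dict, submitted: str) -> bool:
    """Consume one code; returns False for unknown or already-used codes."""
    candidate = _hash_code(normalize(submitted), record["salt"])
    for stored in list(record["hashes"]):
        if hmac.compare_digest(candidate, stored):
            record["hashes"].discard(stored)   # single use: burn it
            return True
    return False


if __name__ == "__main__":
    shown_once, db_record = generate_backup_codes()
    print("Print and store these:", *shown_once, sep="\n  ")
    print("first use:", redeem_backup_code(db_record, shown_once[0]))   # True
    print("reuse:", redeem_backup_code(db_record, shown_once[0]))       # False
```

The usual operational rule applies: a successful redemption should still count against the account's login rate limit, and the user should be told how many codes remain so they regenerate the sheet before the last one is gone.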


Email recovery, as per usual?


And if their email key is also lost?


You cannot be secure while offering easy 'backdoors' into your own account at the same time. People will just have to be more careful (e.g. by associating a backup U2F key with their account), or go through a real-world ID process otherwise (like banks typically do).

Also, for the coming years, U2F will probably just be an optional second factor like TOTP. One can only hope that more sites will follow the lead of GitHub, Dropbox, and Google, because TOTP is worthless against 'real-time' phishing attacks.
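Why a relayed TOTP code works for a real-time phisher and a relayed U2F assertion does not, as an added example that is not part of the thread. TOTP is implemented as in RFC 6238. The U2F side is a model, not a library: the token "signs" with HMAC over the same fields a real token signs (SHA-256 of the app ID, the counter, SHA-256 of the client data) where a real token uses ECDSA with a per-registration key pair; the names `U2FToken`, `RelyingParty`, `browser_sign` and the origins are mine. The thing to notice is that the browser, not the user, writes the origin it is actually connected to into the client data, so the bank cannot be fooled by an assertion produced on bank-example.com.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time

# Added example: real-time phishing against TOTP versus U2F origin binding.
# The U2F signature is modelled with HMAC; a real token uses ECDSA.


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter with dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _u2f_payload(app_id: str, counter: int, client_data: bytes) -> bytes:
    # What the token signs: H(appId) || counter || H(clientData).
    return (hashlib.sha256(app_id.encode()).digest()
            + struct.pack(">I", counter)
            + hashlib.sha256(client_data).digest())


class U2FToken:
    """Device side: signs whatever client data the browser hands it."""
    def __init__(self):
        self.key = secrets.token_bytes(32)   # stand-in for the ECDSA private key
        self.counter = 0

    def sign(self, app_id: str, client_data: bytes) -> dict:
        self.counter += 1
        sig = hmac.new(self.key, _u2f_payload(app_id, self.counter, client_data),
                       hashlib.sha256).digest()
        return {"client_data": client_data, "counter": self.counter, "sig": sig}


def browser_sign(token: U2FToken, app_id: str, challenge: str, origin: str) -> dict:
    # The browser fills in the origin of the page it is really talking to; a
    # real browser also refuses an app ID that does not belong to that origin.
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": origin}).encode()
    return token.sign(app_id, client_data)


class RelyingParty:
    def __init__(self, origin: str, token_key: bytes):
        self.origin = self.app_id = origin
        self.token_key = token_key            # stand-in for the registered public key
        self.last_counter = 0
        self.totp_secret = secrets.token_bytes(20)

    def verify_totp(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, now))

    def verify_u2f(self, challenge: str, assertion: dict) -> bool:
        cd = json.loads(assertion["client_data"])
        if cd["origin"] != self.origin or cd["challenge"] != challenge:
            return False                      # signed for another site: reject
        expected = hmac.new(self.token_key,
                            _u2f_payload(self.app_id, assertion["counter"],
                                         assertion["client_data"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False
        if assertion["counter"] <= self.last_counter:
            return False                      # replay or cloned token
        self.last_counter = assertion["counter"]
        return True


def real_time_phish():
    """Returns (totp relay succeeded, u2f relay succeeded, genuine u2f login ok)."""
    token = U2FToken()
    bank = RelyingParty("https://bank.example", token.key)
    challenge = secrets.token_hex(16)         # attacker fetches it, relays to victim
    # TOTP: the victim types the code into the phishing page, attacker forwards it.
    now = int(time.time())
    stolen = totp(bank.totp_secret, now)
    totp_ok = bank.verify_totp(stolen, now)
    # U2F: the victim's browser signs for the origin it sees, the phishing site.
    phished = browser_sign(token, bank.app_id, challenge, "https://bank-example.com")
    u2f_ok = bank.verify_u2f(challenge, phished)
    # Same token, same challenge, genuine origin: accepted.
    genuine = browser_sign(token, bank.app_id, challenge, bank.origin)
    return totp_ok, u2f_ok, bank.verify_u2f(challenge, genuine)


if __name__ == "__main__":
    print(real_time_phish())   # (True, False, True)
```

The challenge is reused for the genuine login only to keep the demo short; a real relying party issues a fresh challenge per attempt, which is the other half of what the counter and challenge checks buy you.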


> You cannot be secure while offering easy 'backdoors' into your own account at the same time. People will just have to be more careful (e.g. by associating a backup U2F key with their account), or go through a real-world ID process otherwise (like banks typically do).

Sure, but by that logic the most secure system is offline. It's the same issue with corporate networks requiring "complex" passwords and changing them once a month. Sure, it's technically more secure, but the end result is the office genpop writes a post-it with their current password, which defeats the whole purpose.

The most secure real-world system is the one you can keep using with its designed security solutions, regardless of its (low) theoretical security level.


You don't have a device for each website?! ;)



