
About a decade ago, a broken iPhone caused me to experience how bad Google's MFA reset process was — there were multiple _years_ where the “hard landing” form triggered a flow which sent an email to an internal mailbox which didn't exist! — and while I was able to use printed backup codes after I returned home the experience left me concerned enough that I went to one of their identity group's public meetings here in DC.

One of the things which I was struck by was how unseriously they appeared to view their role in modern life. People were generally very casual about the need and were especially uninterested in anything which required them to work with outside parties.

My suggestion was that they consider a protocol where trusted civic authorities could be allowed to confirm someone's identity, which sounds like it would be useful for this case: let the person initiate a mediated reset flow where someone like a librarian, police officer, etc. could authenticate in their official capacity and check a box saying that they've confirmed the photo ID for the person standing in front of them. Most of the benefits from MFA are preventing things like phishing attacks which are also stymied by limiting it to people in your geographic area, although you might want to disable this for high-risk people enrolled in Google's Advanced Protection Program.




> trusted civic authorities

They'll need to be resistant to threats and bribes, so it will be difficult to have these on-site at the library.

I think we've overlooked an option. Note that the article's objection to FIDO keys was financial, not UX. This sort of confirms the hunch I got when first playing with them: "hey, the key metaphor is so strong and intuitive that these might be even better than passwords for people with low tech literacy." I held off on saying anything until their compatibility actually lived up to the hype, which IIRC only happened in 2020 (all major browsers, all major platforms, by default), but it did happen.

As for the financial barrier, yeah, it's wild that these are still $30/ea on Amazon. Can they be bought cheap in bulk? Or does the market need some aggressive new entrants? In any case, they are "near practical" and the shove needed to make them "very practical" is probably 100x smaller than, say, creating a Central Bureau of A12N.


It is not uncommon for unhoused people to lose all their possessions, so even if purchasing multiple hardware security keys wasn't a huge financial hurdle, the recovery model I use (Yubikey on my keychain, two in my safe, mail one to my parents) falls apart for those on the margins of society. If email is an essential service in modern society, recovering access to it from some first principle of identity is essential. I don't have an easy answer for how to do that, but I also don't have a trillion dollar market cap.


That's true, we still need a good last-ditch fallback. FIDO could still save a lot of people from the hard login screen, the phone number gotcha, and the need to become literate in information-keys. Last-ditch fallback becomes a lot more viable at any given expenditure level if it doesn't have to serve as the primary authentication mechanism for half of the library's elders.


The CEO of Fastmail, a company which deals directly with the ID problem as an email provider with customer service, has made some insightful comments on this:

https://news.ycombinator.com/item?id=15864579

I am a happy Fastmail customer, in a large part due to trust inspired by Bron’s comments.


> > trusted civic authorities

> They'll need to be resistant to threats and bribes, so it will be difficult to have these on-site at the library.

That's why I mentioned things like APP: some people do have a threat model where that's realistic but it's a much smaller number than the people who are inconvenienced by being locked out so it seems like it'd be a net-win for most people to be able to get unlocked easily. There are also ways to mitigate some of that risk like having notifications for all actions with an easy way to report unapproved requests, geographic restrictions, enforced MFA for the civil servant (“tap your FIDO token to approve this request”), rate-limiting, etc. which are all bread-and-butter tasks for one of the major tech companies.

The other thing I think is relevant here is the degree to which things fall back on civic authorities anyway — e.g. Facebook's process where they require scans of your government ID or the various ways you can report a deceased relative. It seems to me like it'd be better to embrace that and work better together rather than pretending there isn't already a fairly large trust relationship.


How about: the library gets a few Yubikeys and offers to let people register their accounts with them as backup? So, if they get into trouble they can ask the library to unlock their account for them?

This essentially grants the librarian what they think they should be able to do.

But the next step would be to figure out how to reduce the risk that this system can be abused.


The libraries will just do this with their huge slush funds. They can put the YubiKey desk next to the ball pit back by the employee lounge.


I think something like this could work iff the accounts were required to be set up by said civic authorities with confirmable paperwork. Otherwise, librarians are stuck awkwardly trying to decide if 'John Doe' really owns the email account 'ILoveButts64@gmail.com'.

I also doubt this will ever happen since it would require more $$$ for things that are not profit generating and supports a population that is useless from the tech companies' POV.


Or now that I think about it… for 2FA in particular, what about enrolling a software FIDO token with an extension on every library computer that can be triggered by a librarian from their desk? Doesn’t require hardware for each patron, only applies to accounts that have been enrolled at the library. Feels like it could work.


Then it opens up a backdoor for malicious (or socially engineered) library staff to access email accounts.


I think it would be fine for the library to have/be the 2ND FACTOR and the user would still need their password. Being at a physical location seems like a reasonable 2FA (more reasonable than a phone in these cases).

Could the library buy a few FIDO tokens, hot glue them into the backs of the computers, users add them as 2fa to their accounts and now the computer being wiped between users is no longer an obstacle?


The downside of this is:

- Users would only be able to use the exact same computer each time. If it’s out of order, too bad

- Users wouldn’t have unique tokens between each other, so there’s a risk of other library patrons shoulder surfing and then logging in with the same token after you


And given that a lot of the staff working those desks aren't librarians + are working part time, it's also great incentive for bad actors to get jobs in libraries specifically to start stealing that data.


That seems like a movie plot threat: who’s going to go to library school, pass a background check (government job, access to children), and actually do a job which isn’t easy and doesn’t pay anywhere near enough just in the hopes that someone will walk in the door with enough money to be worth scamming in a manner which is both obvious and easily traced to them?


Not sure data theft from homeless or poor people is a major threat. What could an attacker gain from that?


I can see some value in it for scammers, hackers, and businesses that prey on the poor. (For example the 'buy now, pay later' Aaron's Rent-A-Center type businesses).

Or for identity theft.


If this were discovered the library as their employer would necessarily have sufficient personal information to prosecute them. That’s a lot more risk than your typical online scammer has.


Agreed — I was thinking something along the lines of allowing you to register a government ID on your account so the process would be something like the librarian starting an assisted reset process, confirming that the ID you present matches what's on file, etc. and people with strong privacy concerns could choose to take the risk of not doing that.


It’s an absolutely catastrophic experience, that they clearly don’t take seriously.

Regulation solves this. I hate to say that, as so much of tech regulation is a ham-fisted disaster that misunderstands the problem and creates even bigger ones, but this is really a very serious problem that can ruin lives, and regulators really should step in here.

I’ve known a couple of people who have been through this experience, and one in particular who not only couldn’t get back in to their account - but had no way of knowing if someone else was able to get in to the account later. They’ll never know. It will never be possible to know. The kicker is that they could never have their data deleted due to the same problem. And no amount of help or time spent with chat support ever changed anything.


Can you describe how regulation solves this problem, how exactly are you proposing for this regulation to work?


I’m not GP, but I expect that regulation could help by requiring customer service. Similar to banking.

And there could be an agency similar to CFPB where citizens could appeal who would then make formal investigations.

So regulation would force the workflow described in the article to not have a grim outcome for elderly users of gmail.


We already have that structure. It's called "court". And if you think it's not working well, I would agree with you. But neither will the other bureaucracy you are proposing, because neither really cares about low income people who can't even pay for phone service.

But let's put aside the efficacy of said institution, and presume it's working very well. They get a call from some Joe. He claims that a certain email address belongs to him, but can't prove it. Forgot password, no access to phone. What is this customer service of yours going to do? Let's imagine they can order Google to give the guy access to the account. Is that the right thing to do? What if that email belongs to a journalist or a whistleblower and you just gave access to it to Russian intelligence? Remember, benefits are one thing, but it's not the only thing for which email is used.

And if it really comes down to this, why is Google under obligation to provide email for government use? Government can provide email access to everyone who needs it. If they require email in order to access benefits, well, go ahead and set up the necessary infrastructure. Why does Google have to do it? Google provides the service on an as-is basis. If that service level is unacceptable for government use, well, newsflash: it's not the only provider.


It's not the only provider, except when it is.

If you have an Android phone, your e-mail is on Gmail. It doesn't need to be, but it is, because you didn't know that when you were funnelled into the e-mail when you set up the account and oops now that you're locked out ten years later it's too late to make a choice.


Since opening all these offices costs money, this means that the accounts can't be free anymore.

I suppose they could be subsidized by the state for low income people.


That's why I proposed linking to existing services: Google doesn't want to open an office in Podunk, but they could very plausibly setup a way to allow agencies like DMVs, libraries, maybe the VA or post office, notaries, etc. to use some kind of “I attest that person X showed me photo ID matching the information on account Y” web app. This could be really useful paired with things like senior centers whose residents are far more likely to need help.
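The mitigations listed a few comments up (notifications for every action, geographic restriction, enforced MFA for the civil servant, rate limiting, an opt-out for Advanced Protection users) and the "I attest that person X showed me photo ID matching account Y" web app described here can be sketched as one server-side policy check. The following is an added example written for this thread, not code from Google or from any commenter. Everything in it is an assumption: the attester registry, the policy constants, the HMAC that stands in for the clerk's FIDO assertion, and the practice of keeping only a salted hash of the government-ID number on the account.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Policy knobs (hypothetical values chosen for the example, not Google's)
ATTESTER_RATE_LIMIT = 3   # attempts (failed ones included) per attester per window
RATE_WINDOW_S = 3600
TOKEN_TTL_S = 900


@dataclass
class Attester:
    """A registered civic attester (librarian, DMV clerk, ...) acting in official capacity."""
    attester_id: str
    region: str
    key: bytes                # stand-in for the clerk's FIDO credential (assumption)
    revoked: bool = False
    history: list = field(default_factory=list)   # timestamps of attempts


@dataclass
class Account:
    account_id: str
    id_salt: bytes
    id_hash: bytes            # sha256(salt || normalised government-ID number), set at enrolment
    home_region: str
    advanced_protection: bool = False
    notifications: list = field(default_factory=list)   # what the account owner is told


def hash_id(salt: bytes, id_number: str) -> bytes:
    """Store only a salted hash of the ID number, never the number itself."""
    return hashlib.sha256(salt + id_number.replace(" ", "").upper().encode()).digest()


def _message(account_id: str, attester_id: str, ts: int, id_hash: bytes) -> bytes:
    return b"|".join([account_id.encode(), attester_id.encode(), str(ts).encode(), id_hash])


def sign_attestation(attester: Attester, account_id: str, ts: int, id_hash: bytes) -> bytes:
    """The 'tap your token to approve this request' step. HMAC stands in for a FIDO assertion."""
    return hmac.new(attester.key, _message(account_id, attester.attester_id, ts, id_hash), "sha256").digest()


def assisted_reset(account: Account, attester: Attester, presented_id: str, ts: int, sig: bytes):
    """Returns (ok, reason, reset_token). Every outcome is appended to account.notifications
    so the real owner can notice and report a request they did not make."""
    def deny(reason: str):
        account.notifications.append((ts, "DENIED", attester.attester_id, reason))
        return False, reason, None

    if account.advanced_protection:
        return deny("advanced protection enrolled; assisted reset disabled")
    if attester.revoked:
        return deny("attester revoked")
    if attester.region != account.home_region:
        return deny("attester outside the account's home region")
    recent = [t for t in attester.history if ts - t < RATE_WINDOW_S]
    if len(recent) >= ATTESTER_RATE_LIMIT:
        return deny("attester rate limit exceeded")
    attester.history.append(ts)   # failed attempts count against the clerk too

    presented_hash = hash_id(account.id_salt, presented_id)
    expected = hmac.new(attester.key,
                        _message(account.account_id, attester.attester_id, ts, presented_hash),
                        "sha256").digest()
    if not hmac.compare_digest(sig, expected):
        return deny("attestation signature invalid")
    if not hmac.compare_digest(presented_hash, account.id_hash):
        return deny("presented ID does not match the ID registered on the account")

    token = secrets.token_urlsafe(32)
    account.notifications.append((ts, "RESET_TOKEN_ISSUED", attester.attester_id, ts + TOKEN_TTL_S))
    return True, "ok", token
```

The order of the checks is the point: the Advanced Protection opt-out, attester revocation, the geographic fence and the rate limit all run before the clerk's signature or the ID comparison is examined, so a compromised or coerced clerk gets a small, logged, geographically bounded number of attempts, and the account owner is notified of each one whether it succeeded or not.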


Not necessarily. The margin is really high on Google services even though they are free.

I don’t know Google well enough to know what they would need to do to offer non-shitty service. Maybe they show more ads.

I also think they could automate good service if they wanted to, but it’s not a priority and they aren’t required. I used financial services before and after CFPB and I don’t remember price increases on my bank accounts. So perhaps something similar would apply here.


Could it not be similar to FOSS companies where the software (service) is free but customers pay for support?


I write software at a fintech, and the CFPB regulations are super important for protecting the customer. They also give important guidance on how the customer needs to be taken care of, which is important for a company that wants to do the right thing but doesn't have expertise in customer service.


I really don’t understand how regulation makes it better? you can simply write down codes if you want a way of recovering a gmail account. Most users don’t do this because they’re not educated and they don’t understand opsec. If a government agency had the power to recover any account, it would be abused by corrupt government officials.

Remember scale when thinking of potential solutions here! It’s not just the US that would be affected by this as well. The reality is that Google does a better job at identity than any US government institution (SSN, driver's license). How many people have their identity stolen versus having their 2FA protected Gmail account stolen?

As far as support, how would it be better if support gave you access to an email account if you complained enough? please consider the abuse side before you suggest a solution.


You’ve misunderstood the problem.

Backup codes wouldn’t help here, and the person I was referring to had their 2FA to hand.

Forgetting a password is unrecoverable on gmail - they even had recovery options on the account (secondary email and phone), but the recovery form never asked for that information so it could never be used (it insisted on the previous password). As no member of staff has access to prompt the system to offer a different one of the specified recovery options, the account is permanently frozen to this user (but not potentially to an attacker in the future, assuming that other information could be obtained somehow).

Helping the elderly is hard, but Google’s system is horrifically dangerous to people in ways even Google aren’t aware of.

This was an elderly gentleman, not well versed in computers, but all the savviness in the world couldn’t have helped him. He was forced to just walk away and hope for the best. Holiday snaps, photos of grandkids, personal files - all permanently retained by Google but locked out of his reach forever.


Library op-sec is pretty weak IME. Mine accepted seeing an email of a utility bill on my phone. Which is probably fine for just checking out books.

I still love libraries and the services they provide. But wouldn't want them to be an arbiter of identity any more than a faceless, human hostile corporation.


I wonder if that's deliberate. My bank also accepted an email utility bill but they said they only ask for the utility bill to prove that you didn't make a careless mistake when entering your address.


> Mine accepted seeing an email of a utility bill on my phone.

To be fair, tons of places use those as proof of residence. It’s not as if it makes a real difference if you print them first.


> Mine accepted seeing an email of a utility bill on my phone. Which is probably fine for just checking out books.

I mean, I just got my `REAL ID` from California, and they accepted printed utility bills as proof of address for me. I could have easily modified the name and/or address on them before printing.

The other proof of identity I used was my birth certificate... which I was able to just order online, with the only information required from me being my social security number and answering a few questions that would not be that hard to find out about someone.

Proving identity in a way that works for everyone while not allowing anyone to fake it is practically impossible.


It's supposed to be easy to get a library card! The threat of an out-of-towner getting a local library card is nothing like a stranger getting access to your inbox.


So we have come full circle: starting from a call for help from a librarian seeing lots of people unable to access their accounts because of 2FA, we have proposed various methods of avoiding that, and then concluded that it's better if 100 people are locked out of their own accounts rather than letting one unauthorized person access an account that isn't theirs? I guess that's Google's position as well, because if they let someone unauthorized log in they might be liable, whereas if they lock 100 people out they can say it's their fault...


No, I'm saying those situations aren't comparable. We should not conclude librarians will be poor stewards of MFA reset powers just because they are lax in giving out library cards.


Ah, ok, then sorry for misunderstanding...


In the EU (Italy) there is eIDAS (SPID) that could allow this. It is essentially a national SSO.

Today it almost always requires an Android/iOS phone AFAIK, but it could easily be massaged to solve this problem.

The system is set up so that your account is owned by the state, and you can register with documents to providers; then after certification they run the actual SSO process.

A library provider could set up a computer that automatically passes the SSO login for your national account after certifying your identity.

Honestly this feels a bit too open to social engineering attacks, but probably there is a good middle ground.

Edit: Maybe in the US this is already almost possible by extending something like https://en.m.wikipedia.org/wiki/FIPS_201


I agree with your suggestion. I think Post Offices, DMVs, and large reputable retailers (Walmart, Target, Cellular Phone companies, etc.) could verify our identities for a small fee and help us reset our social accounts when needed. I arrived at the same conclusion and wrote a blog post about it a few years ago:

https://www.go350.com/posts/now-they-have-2fa-problems/


Aren't half of those things you listed (Walmart, Target, Cellular Phone companies, etc.) also exactly how people get unauthorized access?

You convince the employee to port "your" number and they do so and then you reset that accounts password?

https://www.wptv.com/money/consumer/phone-porting-leads-to-s...


Make it a choice. It sure sounds like the patrons of this library would opt in.


Well, good old Yahoo Mail does that. Time and time again it tries to convince me to set up 2FA (for an account I use rarely), and time and time again I say "No" - and that's it! The library patrons would probably be very happy with that...


I distinctly remember the lynching from the HN security crowd when SIM cards were being unlocked and moved to new people by "trusted companies" like Verizon and AT&T.

HN demanded for such security holes to be disabled and prevented - what changed since then?


What changed is that there are different needs from different segments of the world, and we have reached a problem (authentication in general) that is truly impossible to solve with our current toolset.

For me, the larger threat is that someone impersonates me and takes everything I have. If I lost my email, it would be a nightmare but I could work around significant portions of the system. For my cousin, the larger threat is losing her email, as she has no significant assets to steal but could run into every problem in the email.

There are likely people in the middle as well, and other threat vectors. (For example: caregivers committing fraud, dementia, state actors, and 20 others we could brainstorm pretty quickly.) Perhaps the right answer is that we need 20 different services that can segment. Perhaps the problem is that some sectors aren't profitable: maybe we need a grant for email for poor people with a circle of trust.

I don't have answers. Maybe we need a collection of people to think deeply about this problem.


What changed is that we're starting to learn about the breadth of needs by people with different lives and opportunity sets, and feel at least a desire to talk through potential solutions for a subset of people who opt into it.

If the worst thing that people could commit in this discussion is hypocrisy, I'm sure they're willing to step over that line.


This is widely implemented and used in Germany: https://www.deutschepost.de/en/p/postident.html

It's a lot easier to implement reliably due to the requirement for everyone to have ID cards though (and the ID cards carry your residence address).


Walmart may be a reputable retailer, but it is utterly disreputable as a reliable arbiter of identity. It doesn't train its employees well, its employees are often not the brightest bolts in the box, and those that are often don't give a shit.

As for post offices, they aren't eligible because half the government is actively trying to kill them.


Why would Google want to do this? Current 2FA suits its role perfectly: it prevents a large scale leak, one that would result in bad PR. There is no incentive for Google to care for individual users.


The government is slowly figuring out digital ID and will show up to regulate it.

Identity is too critical a business for services companies like Google to walk away from. It’s stupid, because once the camel gets its nose in the tent, it will cost them more.


a protocol where trusted civic authorities could be allowed to confirm someone's identity

This is already a solved problem, and without getting the government involved.

There are plenty of identification confirmation companies out there. If you've ever requested your credit report, or applied for a new apartment online, you've probably interacted with one.

Oh, but that's an expense. It might cost pennies per user! Google doesn't do expenses. It would rather spend money on rooms full of toys and gourmet catering than on helping people use its own products.


A credit report on John Doe doesn't prove that I'm John Doe, it only tells you whether or not John Doe is likely to pay his bills on time.

This thread, in general, is a great example of engineer hubris. It looks at a complicated problem, and all the top discussion sub-threads are highly up-voted non-solutions to it.


That doesn't show that you're that person, however, only that you've learned some trivia about them — often details which are visible on Facebook, pilferable from their mail, or known to no longer trustworthy family members & friends. My hope would be that we could find a way to reliably fall back on a government ID check since, for example, an abusive ex who knows all of those details doesn't look like their target.


In this situation, maybe one thing that could help is if the library holds on to the backup codes for patrons. So they can sort of act as a quasi trusted authority. In fact if these people can't even log in without backup codes, they can just keep their password in their wallet.

Of course, yubikeys also work very well in this situation. So the library could sell a yubikey and keep backup codes on file for in case the yubikey is lost.

Or since you can store so many identities on an individual yubikey, just give the librarians one.


I was thinking among options:

- Library is a Group Administrator for patrons' Google accounts.

- Library offers its own email services to patrons.

- Library holds recovery codes (preferably under some sort of escrow).

All of these put burden on the library, of course. Though there's already a substantial burden.

There's also the issue of itinerant / mobile patrons who may only be using a library on a temporary basis or operate between several locations. How much this is a use pattern I've no idea.

The USPS offering email services might be yet another option. Points of presence in every ZIP code, often several.

Given other ongoing challenges (housing is now a full-blown crisis), the problem of mobile / indigent / precarious individuals will only grow.

The pattern is also likely to be repeated in other global regions.
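The "library holds recovery codes (preferably under some sort of escrow)" option above, and the earlier suggestion that the library simply keep backup codes on file, can be made concrete with threshold secret sharing: each recovery code is split 2-of-3 between the patron, the library and a second institution, so no single holder can use the code and a patron who has lost everything can still recover with the two institutional shares. This is an added example written for this thread, not code from any library, commenter or provider; the three holder names, the 2-of-3 policy, the 8-digit sample codes and the prime field are all assumptions. It is a plain Shamir scheme over a large prime field in the standard library only, so it runs offline.

```python
import secrets
from typing import List, Tuple

PRIME = 2**521 - 1   # Mersenne prime (assumption); secrets up to 64 bytes fit below it
HOLDERS = ("patron", "library", "benefits_office")   # hypothetical 2-of-3 share holders


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of a polynomial with coefficients in GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Tuple[int, int]]:
    """Shamir split: the secret is the constant term of a random degree-(threshold-1) polynomial."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares: List[Tuple[int, int]], length: int) -> bytes:
    """Lagrange interpolation at x = 0 over GF(PRIME); needs at least `threshold` shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(length, "big")


def escrow_codes(codes: List[str]) -> dict:
    """Split every recovery code 2-of-3. Each holder gets a bundle of (index, length, x, y)."""
    bundles = {h: [] for h in HOLDERS}
    for idx, code in enumerate(codes):
        raw = code.encode()
        for holder, (x, y) in zip(HOLDERS, split_secret(raw, 2, 3)):
            bundles[holder].append((idx, len(raw), x, y))
    return bundles


def recover_codes(bundle_a: list, bundle_b: list) -> List[str]:
    """Any two holders' bundles reconstruct every code; one bundle alone reveals nothing."""
    codes = []
    for (idx_a, n, xa, ya), (idx_b, _, xb, yb) in zip(bundle_a, bundle_b):
        if idx_a != idx_b or xa == xb:
            raise ValueError("bundles do not pair up")
        codes.append(recover_secret([(xa, ya), (xb, yb)], n).decode())
    return codes


if __name__ == "__main__":
    # Constructed sample codes, not real ones
    sample = ["48219930", "11029384", "77661204"]
    bundles = escrow_codes(sample)
    print(recover_codes(bundles["library"], bundles["benefits_office"]))
```

The shares are information-theoretically useless on their own, so a bribed or socially engineered clerk at either institution holds nothing worth stealing by themselves; the abuse case that remains is collusion between the two institutions, which is the risk the commenter above is pointing at when asking how to reduce abuse of such a system.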


That sounds like a good idea! Perhaps expand what notaries do?


It sounds nice, if everyone plays nice. Slip some underpaid gov worker a 50 and suddenly you are someone else. There would need to be abuse provisions put in place. Then a whole org around that too. Not saying it cannot be done, but what it looks like to me is that Google has a poor customer service issue, even if not true. Roping our govs into doing Google's customer service seems odd.


> Slip some underpaid gov worker a 50 and suddenly you are someone else.

by that logic, slip some policeman a $50 and they might plant drugs on your enemy or shoot him because he had a wallet that looked like a gun.

Have employees of private companies never been involved in fraud?


It's a real concern, but how is this different from the current ink & paper scenario? I know people who use county notaries to keep important documents and we, as a society, have apparently deemed that an acceptable risk. Is the distinction the potential scope and scale of digital theft?


Lots of services are available to opt-in to validate identity. In fact, Google sells solutions on the cloud side.



