They physically hand you an identity token on a physical $2 2fa device if you give some evidence you live nearby. You can put down the deposit or hand over the device for an old id which is cleared and reused.
It's traceable to the post office but no further, nothing is recorded other than that the token is deployed and roughly when.
Local communities can be responsible for cleaning up local messes. No need for the scammers two cities over to effect your reputation. No need for a corrupt employee handing out tokens to effect the reputation of the token you got ten years ago.
So every country in the world should simultaneously roll out this $2 2FA token?
And the governments of the world are going to do this is an anonymous way?
Who is going to manufacture these 8 billion (Or at least 3 billion if we only count Facebook's MAU) tokens?
And there still needs to be a global database of valid identifiers, else anyone could just create a software token that they can reprogram ever second.
And we expect all people to carry these 2FA tokens perfectly?
And what happens when someone looses this token? The post office has way to prove you owned that token in your proposal.
Same thing for revoking a token. There is no identity out of the token, so how do you revoke it after it is lost? People are not willing to store a piece of paper in a security deposit box.
You're projecting use cases that weren't proposed.
The only purpose is to provide evidence of not being a bot. Not to log in or verify identity. You don't need a server or proof that a particular token is owned by a particular person, just a cert chain and a list of postcodes with current public keys. The post office has a private key. They sign a message saying 'the holder of this token walked into the store'. Let servers make whatever judgements they wish about the chain's credibility. If a particular key signs lots of bots then you know where to look for the source of the bot farm and the people that live there know where to look to fix their reputation.
It doesn't need to roll out simultaneously. Just be an alternative to captcha that isn't as abusive as device attestation.
The manufacturers will be the same ones that manufacture the hundreds of billions of usb drives and phones and smart light bulbs.
The only problems are it's not as useful for abusing users or spying on citizens as revoking access to general purpose computing, and idiots who project problems onto it that come from use cases that are not proposed or say 'big number make thing impossible'.
Go down to your local post office.
They physically hand you an identity token on a physical $2 2fa device if you give some evidence you live nearby. You can put down the deposit or hand over the device for an old id which is cleared and reused.
It's traceable to the post office but no further, nothing is recorded other than that the token is deployed and roughly when.
Local communities can be responsible for cleaning up local messes. No need for the scammers two cities over to effect your reputation. No need for a corrupt employee handing out tokens to effect the reputation of the token you got ten years ago.