> You open your safe and you use one of the recovery codes that you wrote down when you set up 2FA.
HN rarely does humor, but when it does, it really cuts deep.
Can you really expect a typical person - including the tech-savvy ones - to keep a hastily written piece of paper for a decade or more, without losing it? My code card is clocking on a decade, I needed it only once (so far), and it's only pure luck that, in all those years, I haven't accidentally destroyed it or thrown it away.
Also: it only recently became apparent just how bad it is to lose access to your Google account. Most tech-savvy people I know don't even realize how many things in their lives are gated by that little login form. Non-tech-savvy folks? Maybe they'll figure it out in a decade, after enough people became thrust into poverty for the lack of Google 2FA recovery codes - enough that it's as boring a news story as car accidents.
Where do you keep your passport, if you have one? Your birth certificate? Any other important papers you have?
No, it's not reasonable to expect everyone to be well organized. Life can be chaotic. People lose stuff. We know this. Some people are so unfortunate as to lose all their stuff. Repeatedly. The level of organization people have varies extremely.
But I do expect there are hundreds of millions of typical people with houses and sufficient organization to hang on to their important papers, and it's a good idea to add your backup codes to your other important papers. It's good advice, though not always applicable.
Absolutely. Primarily because a passport comes out of a process mediated by multiple humans for whom that is their only responsibility. It's a matter of a few hundred dollars and a couple weeks to replace it.
I don’t know about replacement but there are lots of delays currently for US passports:
> The processing time for routine applications is taking from 10 to 13 weeks up from six to nine weeks for those who applied before Feb. 6, the State Department said.
> Expedited processing, which costs $60 more, is taking seven to nine weeks, an increase from three to five weeks.
That's pretty absurd and definitely not how long it takes in all countries - but still probably quicker than recovering a Google account which you might not be able to do at all.
All those important papers have recovery processes. It might involve a judge or signing documents in front of stern officials or having friends and family vouch for you, but governments and financial institutions and telcos can do it because they have to. Because life happens, and we can't always control it. But for online services, with no responsibility of care, it is easier to just lose customers than provide robust processes and accept the responsibility of letting you prove who you are. You can be homeless and ID-less and still bootstrap all the important stuff, except your email and all the things that require email for recovery.
This is pure speculation and not practical advice, but if you were trying to get into your accounts from a 'starting from nothing' situation, I wonder if you could get a passport etc. and then make a GDPR request for your data from Google?
Obviously you wouldn't be able to get into your account to use Google's built-in tools because you wouldn't have access, but if you sent a letter to their legal team with proof of your identity then they would be obliged to process the request by law (as I understand it).
This might (should) get you your data but that data won't include your passwords which (presuming basic competence) Google doesn't store. This means that you are still locked out of many things. The data might also not be in a format useful to laymen and will probably be incomplete in some way, e.g. excluding data you had access to with that account but that isn't your data in Google's opinion, like shared documents.
Google would need to know that remus@gmail.com belonged to the person making the GDPR request, or it would be an attack vector. From the provider's point of view, you are asking for a copy of your data and data about you, and they are not going to give out data that might be yours. Maybe if you had linked a phone number, but even that is arguable.
> Where do you keep your passport, if you have one?
Nearby, 'cause I travel semi-frequently. Otherwise, in one of a few designated drawers. I only kind of care, because replacing it isn't hard, just annoying - and I don't need my passport to get a replacement one.
> Your birth certificate?
Wherever. I don't care. If I need it, I can file a form, pay a small amount, and get an arbitrary number of copies from the local government branch.
> Any other important papers you have?
The only important paper I store safely is the booklet the military gave me when I turned 18, related to then obligatory military service (which I didn't go to because of minor health issues). I only worry about tracking it because I don't know the process to replace it, and the military is Serious Business - but then, I'm sure the process exists. Also, I don't worry much, because chances I'll actually need it for something are nil (if shit hits the fan so much that I'll get called into service, nobody will care about that booklet - they'll hear me speak fluent Polish, they'll give me a gun and send me to the meat grinder).
Also, relevant: most of the important documents - like my national ID (replaced twice over the past few years), passport, contracts, etc. - have an expiry date on the order of 10 years or less. My Google 2FA codes already existed for more, and I expect them to be valid for the next 10 years too.
I do quite a lot of tech support for older people and would add that forgetting passwords isn't the only issue, an even larger issue is people not understanding passwords at a conceptual level.
Try as I might, my mother doesn't understand the difference between an iPad device PIN, an Apple ID (rarely needed), her email password on this same device (Google-based in this case) and add a few dozen more.
All she knows is the device in her hand. The abstract model we have where we separate device, service, app, web page, different companies...simply does not exist for her, it does not compute. So even if she'd have the discipline to write down things, it would still not work. She doesn't even grasp what part is asking for what.
There's a reason big consumer services like Google and Facebook have not enforced 2FA: a vast population will severely struggle understanding what the hell it is and what to do.
Even when you do enable 2FA on Google yourself, it runs in "soft mode". It doesn't ask for 2FA for previously trusted devices/locations. Surely for good reasons.
> All she knows is the device in her hand. The abstract model we have where we separate device, service, app, web page, different companies...simply does not exist for her, it does not compute. So even if she'd have the discipline to write down things, it would still not work. She doesn't even grasp what part is asking for what.
So passkeys would be very practical for her if I'm understanding you correctly.
This is why I don’t like when people outright dismiss SMS as a suitable second factor. Yes, it has problems, but it also has a recovery mechanism that is accessible for “ordinary people”.
The best solution (for me) would be to connect the Google Account to my government issued identity and utilize the strong authentication provided by government for account recovery.
I've been joking about a need for "notary factor" for a long time. There's an existing, deep and distributed network of notaries public that could be reused for stronger authentication in the modern world. In classic banking if you had a recovery problem you could send certain types of notarized letters to get stuff done. It was slow: however long it took to prepare the letter, find a notary public to get it notarized, and then presumably snail mail it to its destination. But sometimes slow is better: if someone is trying to steal my account, if they need to get the right forms notarized and mailed to the right PO Box, there are many steps along the way where I can intercede or a notary public can interject ("I won't notarize this because my ethics do not allow it.") or presumably a human recipient at a PO Box can reject the mail for any number of violations or failures of documentation.
I think it would be great if the recovery mechanism for "ordinary people" took about the same amount of time as a notarized letter. In that worst case where you are locked out of your account for a week or two it won't feel great, but it also helps you feel better that some jerk trying to steal your stuff can't do it any faster either.
There are all kinds of fun technical things that could be used to actually build interesting "notary factor" tools. I think tech companies mostly reject how cool it could be to build because they see "slow" as a "bug" rather than a "feature".
> "I won't notarize this because my ethics do not allow it."
I heard those words uttered at my bank one day, and I became furious. I'd been using, in good faith, a licensed notary at a shipping store, and it turns out he'd been notarizing any damn thing I wanted without regard for proper form.
I had been extremely naive about notary publics, and when I ran into one with ethics, it cast the sketchy dude into sharp contrast.
Thankfully I've had no legal repercussions due to the invalidity of illegally notarized documents in the past, and I haven't needed to notarize something in a while since then.
In France there's L'identité Numerique by the Post Office where they provide you a digital identity, verified in person by a post office employee which you can then use to authenticate to various services.
EU ID cards also come with biometrics and NFC included, so they can be used to prove your identity digitally (there was a concept in France for an app that reads the NFC, makes you take a video selfie to confirm it's the same person, and then uses that to securely verify your identity)
I agree with this so much. As someone who has had a fair share of notarial interactions, it's low hanging fruit that notaries are not being used to authenticate users.
It could even be a means of fighting spam/bots while maintaining anonymity.
It could be suitable, within certain boundaries, but no, given that sim swapping just means bribing (or simply social engineering with a crude fake ID) a minimum wage worker at a mall store, anyone whose identity is worth more than $50 to steal should never even consider it.
For example, if it could only be initiated from a browser where you have successfully signed in on at least two different days, or from a residential IP where you were seen recently.
I would much rather see a mailed postcard, as the last-resort fallback to a TOTP. Better to be locked out of your account for 4 days waiting for the mail, than to be locked out of it indefinitely while the criminal has full access.
> my government issued identity and utilize the strong authentication provided by government for account recovery.
Yes, that seems so obvious and yet to my American ears it sounds almost like science fiction. People here unironically argue that a national ID card is the Mark of the Beast from the Bible.
> I would much rather see a mailed postcard, as the last-resort fallback to a TOTP. Better to be locked out of your account for 4 days waiting for the mail, than to be locked out of it indefinitely while the criminal has full access.
The homeless can receive mail. General Delivery, mail addressed to them care-of some charity organization or shelter, any family or friend.
Mail forwarding is a thing for those who move, although TBH it would be prudent to use the "Do not forward" option on this, as mail forwarding itself is prone to fraudulent usage.
I guess if you've moved, you would need to mail them proof that you lived at the old address and that you live at the new address. I had to do that to claim unclaimed property with the state -- I had to send them some old bills or legal documents showing the old and new addresses.
SMS as a second factor is not bad - it has problems, but those shouldn't make the security worse than no second factor and strictly higher in most situations. The problem is that giving a company your number risks them letting an impostor use it as the only factor or in combination with useless "secrets" like publicly available personal data. This has happened often enough that you have to assume adding a phone number to your account makes it less secure.
> Can you really expect a typical person - including the tech-savvy ones - to keep a hastily written piece of paper for a decade or more, without losing it?
Personally, I keep these in my password manager. My password manager is offline-only, and the database is regularly backed up, so this makes sense for me.
What you're describing already happened. When Google turned on 2FA for everyone, every librarian in the country was inundated by homeless people and old people who had just been summarily evicted from the Internet.
You have that thumb drive backed up? Because thumb drives can, occasionally, spontaneously fail, for no apparent reason whatsoever, and the fire-proof box isn't going to help (hell, it may make matters worse if futzing with it generates ESDs).
Also: where do you keep the encryption key for that thumb drive?