Comment by alwa a day ago

8 replies

I for one would appreciate the option to put an ID on file ahead of time, at least for important stuff like this. I like digital-only accounts for play, but for work stuff with real-world consequence, I’d like to link it to a real-world identity system…

Not unlike the signature cards banks used long ago, I guess.

Sure, maybe somebody motivated could defraud the government into issuing them a replacement ID in my name. But that’s big boy crime, not a casual “bribe a retail employee to SIM swap” kind of undertaking.

Sure, there are issues of access to government ID systems, and I know anything touching government names / “show me your papers” raises hackers’ hackles—I’m not saying require it, just that I’d choose it if it were an MFA option of last resort.

eterm a day ago

That's how you turn 2FA into single-factor authentication (the ID).

GitHub is such a large attack vector for the whole planet, that I understand their stance.

GitHub supports a "recovery code" more secure than government ID. Print it out, store on USB, store on QR, etc., and stick it in at least one secure safe.

nerdsniper a day ago

The issue is less about having an ID on file, and more about verifying ID. In a world of excellent real-time deepfakes, how would GitHub verify ID at scale?

A fake ID is pretty easy to create, along with a fake face for a video chat where you can hold up your fake ID.

  • alwa 12 hours ago

    I think that part is made easier by the fact that I uploaded the ID in the first place under fully trusted conditions.

    If I have the same physical piece of ID—as I imagine OP might have, upon release from prison—then they can directly compare it to the copy that I supplied previously. Scuff marks and specific document numbers included. I think that probably even scales.

    If I lose access to my main identity document, one advantage of government ID is that I’ll urgently have it reissued. In most of the places I’ve lived, that’s the kind of thing you can validate against either the underlying authority or a sleazy-but-reasonably-accurate data broker. But in either case it’s out-of-band from my relationship with the tech company, in a way they can validate by semi- or fully-automated means, and with reference to an independent authority.

    If somebody wants to physically mug me to steal my ID for access to my GitHub, I figure I’m pretty much out of luck—to paraphrase James Mickens [0], Mossad’s gonna Mossad.

    [0] https://www.usenix.org/system/files/1401_08-12_mickens.pdf

  • filearts a day ago

    An idea might be to require a financially meaningful deposit to pursue an account recovery like this. The deposit would be forfeit if the identity verification failed.

    Though now that I write this, it creates a perverse incentive for a company to collect deposits and deny account recovery.

joshmn a day ago

> I for one would appreciate the option to put an ID on file ahead of time, at least for important stuff like this.

I'm at that point of agreement. I don't want to say "national SSO ID" because that can get really Orwellian obviously. Being able to put an ID on file is a reasonable ask.

  • em-bee a day ago

    a passport is orwellian? i don't really get this fear of government issued IDs. if your government is so bad that it will abuse IDs for surveillance, then your government is the problem, and not having a national ID is not going to protect you.

    • xp84 a day ago

      Someone explained this to me the other day in a way that helped me understand the concern better.

      Not already having a ton of easy and effective choke points on the whole citizenry (which such a card would eventually grow into due to its usefulness) is a safeguard against wannabe tyrants being confident they can crush dissent easily and thus to them seizing power in the first place. Just like I wouldn’t steal a car with a manual transmission because I know I wouldn’t be able to drive it successfully, and certainly not well enough to outrun the consequences.

      If I were a fascist I’d be a lot more brazen if I knew that I could switch off every dissenter’s ability to travel, work, or even buy food, in an instant.

      • shermantanktop 21 hours ago

        What if you were a fascist who exercised influence over Experian and TransUnion, the airlines, and of course the TSA? The horse has left the barn already.