Imagine an alternate universe where big tech companies worked with various trustworthy third-parties where something like this would generate a challenge you could take to your local notary, post office, library, police station, etc. where someone would check ID before approving it. How many phishing attacks would be prevented annually by a physical presence check?
Isn't this essentially what just recently happened to the Pope? Then there were people here doing the rest of your comment for him saying how egregious it was for them to ask for an in person authorization. It sounded like all he was trying to do was update his address, but changing your address from one in Chicago to one in a European country absolutely sounds like something a phisher would be trying to do.
I expect his Holiness might agree.
https://www.theverge.com/2013/5/2/4292744/facebook-trusted-c...
The cost of hiring a person is part of it but not really the core reason. People were sold on the Internet with "you can do things online conveniently" and reintroducing the need to physically go somewhere negates that angle entirely.
I do think friction causes a reflexive resistance to the idea but I think that might be an overreaction. This is a rare thing people should be doing no more than a few times in their life.
But how often does one need to do recovery procedures like this?
How much less convenient is it for everyone else to be at risk of their account being taken over?
The least terrible seems to be digital ID.
How many bank tellers or USPS employees do that, though? It’s possible but quite rare because people know they’ll be running a big risk of being caught and no individual transaction is worth that much.
If you ever need to interact with the service again, you initiate account recovery using a combination of your contact info and some codes printed on your monthly bill.
I don’t recall why I had to go through this song and dance. Very plausibly the account was still associated with an old school address that I could no longer access. So yeah, account recovery is hard. How do you prove someone owns an account when they’ve lost the things they are supposed to use to prove ownership?
https://pages.nist.gov/800-63-4/
I think Meta just does not care if they're enabling AI attack surface and vulnerabilities into these customer journeys. It's...certainly a choice, versus deterministic journeys with hard guardrails. They could make different choices.
That only works because you presumably do KYC when you open accounts, so you have an identity to match to. Most internet accounts don't do real KYC, so a government credential doesn't really work for recovery --- they didn't know who you were, so proving who you are doesn't help anything.
That doesn't mean that letting anyone sweet talk support or an AI into taking over an account is acceptable, of course.
My point is that while this is not easy, there are obvious very bad ways to implement this that should not be done (a chatbot or other generative AI interface vulnerable to the usual suspects of AI-inherent attack surface). Don't build the bad way; the right way is known and straightforward.
It's an impressive level of incompetence.
Broadly speaking, work for the sake of work is not valuable work. Show me outcomes for resources and time invested, and compare accordingly. Value is, again broadly speaking (there is always nuance), what you deliver. If you bring me an AI solution for a high-risk, high-value customer journey, data flow, or code path, that is an anti-pattern. If you, as a colleague or a stakeholder, put forth that we must use AI in situations that require a high degree of determinism (due to potential high-cost failure modes), you will need to prove this extraordinary claim with evidence.
Choose Boring Technology - https://news.ycombinator.com/item?id=9291215 - March 2015 (212 comments) ["Am I using this project as an excuse to learn some new technology, or am I trying to solve a problem?"]
I get paid to manage risk efficiently, including being measured on time and budget spent against the success criteria, ymmv; my comp and budget are not dependent on how much AI I shove into security systems. "What am I optimizing for?"
Amazon scraps AI leaderboard to stop workers chasing usage scores - https://news.ycombinator.com/item?id=48315583 - May 2026 (19 comments)
I am very curious about the actual number of users of login.gov.
I am a US citizen and my experience was … negative to the point of actively avoiding it.
"Login.gov has surpassed 100 million registered user accounts. The platform facilitates over 300 million sign-ins annually and sees more than 10 million monthly active users, acting as a secure single sign-on solution across nearly 50 federal, state, and local agencies."
https://www.login.gov/partners/faq/
(It is the primary identity provider for Social Security Administration, IRS will eventually adopt it [1])
[1] IRS to adopt Login.gov as user authentication tool - https://news.ycombinator.com/item?id=30430851 - February 2022 (182 comments)
I recently tried to access my google account on a new browser install. Google did not believe my login/password was sufficient, and insisted on me surrendering my phone number:
> To help keep your account safe, Google wants to make sure it’s really you trying to sign in [...]
> Enter a phone number to get a text message with a verification code.
I have never given my phone number to Google for that account (I have a separate account on my Android phone).
So how on earth this will "make sure it's really you", I have no idea.
I am unable to access Google from my new browser install so am stuck with using my old one for anything which requires a Google login.
I guess at some point I'll try and resolve it by adding a recovery email or something, but... my inclination is to throw Google and the account in the trash right now.