upvote

points

by SoftTalker1 days ago |
comments
upvoteby StilesCrisis23 hours ago|
next
[-]
It's worse than "forgetting." Having seen older folks just set up new accounts for a move, they make zero attempt to even try to keep them! Oh, the phone company needs a login/pass? Just type in anything, don't write it down. If something goes wrong, they're going to call in anyway, not use the website.
reply
upvoteby throwaway1737385 hours ago|
parent|
next
[-]
A lot of utility companies including Comcast used to not have a flow for “moving” and so you’d get a brand new account with a comcast email every time you moved to a new address. In a lot of cases the techs would just set it up for you as part of the install and give you the password. It’s only in the last 10 years they added anything like that. I have 3 or 4 different obsolete accounts with them where my actual email is the contact email from that time and some of their online systems will reset the wrong password and stuff like that.
reply
upvoteby kijin14 hours ago|
parent|
prev|
[-]
One-time logins actually sound useful for things like setting up utilities for a house. Sign up, log in, do whatever you need to do, log out and the account is immediately locked. Nobody expects you to log back in anytime soon, anyway.

If you ever need to interact with the service again, you initiate account recovery using a combination of your contact info and some codes printed on your monthly bill.

reply
upvoteby dpark1 days ago|
prev|
next
[-]
I had to go through the account recovery on my Facebook account once and the proof they demanded was that I match a bunch of pictures of friends to their names. I think it took 3 tries over multiple days to actually get it unlocked because it turns out I such really remember a lot of the people I met 20 years ago and friended on Facebook.

I don’t recall why I had to go through this song and dance. Very plausibly the account was still associated with an old school address that I could no longer access. So yeah, account recovery is hard. How do you prove someone owns an account when they’ve lost the things they are supposed to use to prove ownership?

reply
upvoteby toomuchtodo1 days ago|
prev|
[-]
I manage customer identity and access management ("CIAM") for a financial services firm. Passkeys are primary, recovery can be performed by providing a government credential remotely (which costs us ~$2-3 per recovery). I do not think it is hard, based on what we have built and spent to enable these capabilities. NIST Special Publication NIST SP 800-63 Digital Identity Guidelines is a helpful resource on this topic.

https://pages.nist.gov/800-63-4/

I think Meta just does not care if they're enabling AI attack surface and vulnerabilities into these customer journeys. It's...certainly a choice, versus deterministic journeys with hard guardrails. They could make different choices.

reply
upvoteby toast01 days ago|
parent|
next
[-]
> recovery can be performed by providing a government credential remotely

That only works because you presumably do KYC when you open accounts, so you have an identity to match to. Most internet accounts don't do real KYC, so a government credential doesn't really work for recovery --- they didn't know who you were, so proving who you are doesn't help anything.

That doesn't mean that letting anyone sweet talk support or an AI into taking over an account is acceptable, of course.

reply
upvoteby toomuchtodo1 days ago|
parent|
[-]
It's a fair point, and can be solved for as part of the "Verified" offerings Meta offers. This binds IRL identity to the digital identity at verification for future identity assurance step up (including if and when recovery is required). Failing that, TOTP, SMS, and even mailing an OTP to a mailing address remain low friction auth factors (with, of course, various levels of security).

My point is that while this is not easy, there are obvious very bad ways to implement this that should not be done (chatbot or other generative AI interface vulnerable to the usual suspects of AI inherent attack surface). Don't build the bad way, the right away is known and straightforward.

reply
upvoteby macintux1 days ago|
parent|
prev|
[-]
I’d wager your range of tech literacy/capabilities for your firm is much narrower than big tech.
reply
upvoteby econ23 hours ago|
parent|
next
[-]
Someone gained access to a Instagram account (belonging to a business by the same name) connected to a fb account (by the same name) that they still had access to. The only thing fb could do was terminate the Instagram for impersonation.

It's an impressive level of incompetence.

reply
upvoteby toomuchtodo1 days ago|
parent|
prev|
[-]
Range != value, depending on use case. Doing more poorly does not make something better. Our customer identity capabilities are very close to login.gov (we don't have to support hundreds of agency customers and common access cards), and if its good enough for ~342M Americans, its good enough for our customer base.

Broadly speaking, work for the sake of work is not valuable work. Show me outcomes for resources and time invested, and compare accordingly. Value is, again broadly speaking (there is always nuance), what you deliver. If you bring me an AI solution for a high risk high value customer journey, data flow, or code path, that is an anti pattern. If you, as a colleague or a stakeholder, put forth that we must use AI in situations that require a high degree of determinism (due to potential high cost failure modes), you will need to prove this extraordinary claim with evidence.

Choose Boring Technology - https://news.ycombinator.com/item?id=9291215 - March 2015 (212 comments) ["Am I using this project as an excuse to learn some new technology, or am I trying to solve a problem?"]

I get paid to manage risk efficiently, including being measured on time and budget spent against the success criteria, ymmv; my comp and budget is not dependent on how much AI I shove into security systems. "What am I optimizing for?"

Amazon scraps AI leaderboard to stop workers chasing usage scores - https://news.ycombinator.com/item?id=48315583 - May 2026 (19 comments)

reply
upvoteby fn-mote22 hours ago|
parent|
[-]
> [login.gov] if its good enough for ~342M Americans

I am very curious about the actual number of users of login.gov.

I am a US citizen and my experience was … negative to the point of actively avoiding it.

reply
upvoteby toomuchtodo22 hours ago|
parent|
[-]
> I am very curious about the actual number of users of login.gov.

"Login.gov has surpassed 100 million registered user accounts. The platform facilitates over 300 million sign-ins annually and sees more than 10 million monthly active users, acting as a secure single sign-on solution across nearly 50 federal, state, and local agencies."

https://www.login.gov/partners/faq/

(It is the primary identity provider for Social Security Administration, IRS will eventually adopt it [1])

[1] IRS to adopt Login.gov as user authentication tool - https://news.ycombinator.com/item?id=30430851 - February 2022 (182 comments)

reply
upvoteby plasma_beam18 hours ago|
parent|
[-]
I have multiple login.gov accounts. They don’t let you change your primary email, so if you’re using corporate account and switch jobs the normal thing is to create new accounts. I’m sure this is padding their numbers.
reply
upvoteby toomuchtodo1 hours ago|
parent|
[-]
If you must use login.gov for Social Security, and you will eventually be required to use it for the IRS (and everyone who has a US tax liability), I think the numbers are somewhat irrelevant. Almost everyone over the age of 18 will be a customer of it (for federal tax and benefits logistics). It is the idp you must use, and again, it is good enough (based on all available evidence).
reply