It's a tough problem, because people forget passwords, change phones, lose access to 2FA devices, but still need to use their accounts.

▲

StilesCrisis 4 hours ago | parent | next [-]

It's worse than "forgetting." Having seen older folks just set up new accounts for a move, they make zero attempt to even try to keep them! Oh, the phone company needs a login/pass? Just type in anything, don't write it down. If something goes wrong, they're going to call in anyway, not use the website.

▲

dpark 5 hours ago | parent | prev | next [-]

I had to go through the account recovery on my Facebook account once and the proof they demanded was that I match a bunch of pictures of friends to their names. I think it took 3 tries over multiple days to actually get it unlocked because it turns out I such really remember a lot of the people I met 20 years ago and friended on Facebook.

I don’t recall why I had to go through this song and dance. Very plausibly the account was still associated with an old school address that I could no longer access. So yeah, account recovery is hard. How do you prove someone owns an account when they’ve lost the things they are supposed to use to prove ownership?

▲

toomuchtodo 5 hours ago | parent | prev [-]

I manage customer identity and access management ("CIAM") for a financial services firm. Passkeys are primary, recovery can be performed by providing a government credential remotely (which costs us ~$2-3 per recovery). I do not think it is hard, based on what we have built and spent to enable these capabilities. NIST Special Publication NIST SP 800-63 Digital Identity Guidelines is a helpful resource on this topic.

https://pages.nist.gov/800-63-4/

I think Meta just does not care if they're enabling AI attack surface and vulnerabilities into these customer journeys. It's...certainly a choice, versus deterministic journeys with hard guardrails. They could make different choices.

▲

toast0 5 hours ago | parent | next [-]

> recovery can be performed by providing a government credential remotely

That only works because you presumably do KYC when you open accounts, so you have an identity to match to. Most internet accounts don't do real KYC, so a government credential doesn't really work for recovery --- they didn't know who you were, so proving who you are doesn't help anything.

That doesn't mean that letting anyone sweet talk support or an AI into taking over an account is acceptable, of course.

	▲	toomuchtodo 5 hours ago \| parent [-]
		It's a fair point, and can be solved for as part of the "Verified" offerings Meta offers. This binds IRL identity to the digital identity at verification for future identity assurance step up (including if and when recovery is required). Failing that, TOTP, SMS, and even mailing an OTP to a mailing address remain low friction auth factors (with, of course, various levels of security). My point is that while this is not easy, there are obvious very bad ways to implement this that should not be done (chatbot or other generative AI interface vulnerable to the usual suspects of AI inherent attack surface). Don't build the bad way, the right away is known and straightforward.

▲

macintux 5 hours ago | parent | prev [-]

I’d wager your range of tech literacy/capabilities for your firm is much narrower than big tech.

▲

econ 4 hours ago | parent | next [-]

Someone gained access to a Instagram account (belonging to a business by the same name) connected to a fb account (by the same name) that they still had access to. The only thing fb could do was terminate the Instagram for impersonation.

It's an impressive level of incompetence.

▲

toomuchtodo 5 hours ago | parent | prev [-]

Range != value, depending on use case. Doing more poorly does not make something better. Our customer identity capabilities are very close to login.gov (we don't have to support hundreds of agency customers and common access cards), and if its good enough for ~342M Americans, its good enough for our customer base.

Broadly speaking, work for the sake of work is not valuable work. Show me outcomes for resources and time invested, and compare accordingly. Value is, again broadly speaking (there is always nuance), what you deliver. If you bring me an AI solution for a high risk high value customer journey, data flow, or code path, that is an anti pattern. If you, as a colleague or a stakeholder, put forth that we must use AI in situations that require a high degree of determinism (due to potential high cost failure modes), you will need to prove this extraordinary claim with evidence.

Choose Boring Technology - https://news.ycombinator.com/item?id=9291215 - March 2015 (212 comments) ["Am I using this project as an excuse to learn some new technology, or am I trying to solve a problem?"]

I get paid to manage risk efficiently, including being measured on time and budget spent against the success criteria, ymmv; my comp and budget is not dependent on how much AI I shove into security systems. "What am I optimizing for?"

Amazon scraps AI leaderboard to stop workers chasing usage scores - https://news.ycombinator.com/item?id=48315583 - May 2026 (19 comments)

▲

fn-mote 3 hours ago | parent [-]

> [login.gov] if its good enough for ~342M Americans

I am very curious about the actual number of users of login.gov.

I am a US citizen and my experience was … negative to the point of actively avoiding it.

	▲	toomuchtodo 3 hours ago \| parent [-]
		> I am very curious about the actual number of users of login.gov. "Login.gov has surpassed 100 million registered user accounts. The platform facilitates over 300 million sign-ins annually and sees more than 10 million monthly active users, acting as a secure single sign-on solution across nearly 50 federal, state, and local agencies." https://www.login.gov/partners/faq/ (It is the primary identity provider for Social Security Administration, IRS will eventually adopt it [1]) [1] IRS to adopt Login.gov as user authentication tool - https://news.ycombinator.com/item?id=30430851 - February 2022 (182 comments)