HACKER Q&A
📣 trh0awayman

Would you use an email service that can only be reset in person?


With retail on the way out, and lots of open space, I was wondering if anyone else would be interested in an email service that can only be password reset in person (using a variety of checklists to prove you're the rightful owner).


  👤 hprotagonist Accepted Answer ✓
This was standard MO at my uni. Show up in person with ID during normal business hours and (re)set your password.

It was high friction by design. It only worked well because 98% of the entire user base lived within two miles of the IT office—and the amount of rage generated when a professor on sabbatical had to come back to campus just to reset their password was a sight to see.


👤 Apreche
I've thought about this before, and there's a fundamental problem.

If there are just a few physical locations where the reset can occur, nobody who lives far from those locations can reasonably use the service. The risk is too great.

If there are lots of physical locations, then the whole purpose of the service is defeated. There's no way to control the people working at all those locations, and surely some of them will become compromised.

I think the only solution is to somehow integrate with something like a bank or post office that seem to have already solved the problem of operating many secure retail locations.


👤 Brian_K_White
This makes an interesting low-drama example or case study of a polarizing idea.

Everyone here either loves or hates the core idea (the core idea, not the details), but it's a safe difference, not religion or guns etc. People on opposite sides merely think the others are crazy or stupid, not evil or inhuman.

One thing I've observed: of the people who like the idea, they often have alterations or improvements to suggest to address various facets of it. They say "the idea is good but there is a problem and maybe that can be addressed this way ...". Of the people who don't like it, few/none are criticizing any specific facets or suggesting ways to address them to still get the core idea's safety benefit, nor explaining how the core stated benefit is not needed because you get it some other better way. They only say "god no, why? no way".


👤 NickRandom
No. I like having my email service provider in a different jurisdiction than where I am geographically located, so at the very least an international warrant is required for any evidentiary information. I'm not up to anything nefarious in any way, shape or form btw ... I just enjoy 'fuggin wid da man' and making their life slightly more difficult should the need ever arise :) so an 'In Person' password reset would be out for me, since international air travel with the risk of in-flight diversion, an unscheduled stop-over diversion or flying over the 'wrong' country's airspace would be unacceptable risks. But everyone has differing threat models and differing aims and objectives when it comes to security.

[Edit to Update]: It also strikes me as an excellent water-hole attack vector.... Attacker triggers a password reset and then just waits for you to show up at the reset location and bam! you got your man, or you can tail him back to his home and get them there. Useful against both bad guys and people with large cold wallets. Ouch (in more ways than one) but see my point above about differing threat models.


👤 dsr_
Sell it as a franchise model. Every neighborhood gets its own email server and backup, a webmail frontend, a user portal with billing and a service contract. Your franchise owners get Yubikeys or similar to authenticate themselves, and the right to fiddle with authentication for their users alone. They can set their own local prices, and provide as much or as little tech support as they want. Charge a small fee to migrate a user from one neighborhood to another. Offer neighborhood mailing lists. For a small fee, let people moderate their own lists, which don't have to be neighborhood-specific, but do have to be confirmed-opt-in; no bulk upload of subscriber addresses.

👤 CodeSgt
I'm definitely not the target audience for this sort of thing so take my opinion with a grain of salt, but absolutely not.

I already have an unreasonable dislike for online services that have lengthy/complex password reset processes. Being forced to show up somewhere IRL to reset my password sounds like a fever dream to me.


👤 guenthert
No. Even if the places would be as widely distributed as the postal office, I would pass. Chances are, you need to reset your password when travelling abroad.

This is how I lost my yahoo e-mail account (nearly 20 years ago): I needed to change the password after checking my e-mail in an Internet cafe (remember those?) in Italy while on vacation. This was before smart phones and there was no WiFi in the hotel (or much anywhere). The reset went through fine, but when Yahoo! asked for my age to get the temporary password, I had no idea what I told them (what, you told an Internet site your actual date of birth?) and that was that. Just what you need when travelling w/o phone service. I got a gmail account shortly thereafter (and I have a record of what lies I told them).

I have a strong sensation of déjà vu right now.


👤 weberer
Why not just ask for a notarized letter? It's about the same difficulty to forge, but won't require users to drive across the country.

👤 arkitaip
I would actively avoid such a service. The recovery process sounds outlandishly punishing without addressing a real issue. Any email service competing with, say, Fastmail would first have to offer feature parity and even then a marginally better password recovery would be a secondary feature.

My country offers several national digital identification services and if you can use one of those for password recovery, well that's a feature I would find interesting with my existing mail provider.


👤 mindslight
Even with a customer coming in physically, you still need to create processes that make sure they are who they say they are, etc. There are already longstanding methods the legal industry uses to "verify identities", including notarization and medallion stamps. I would use other businesses' physical presence to do that heavy lifting, and focus on combining with other methods to create a secure process. For example, there could be a week-long waiting period to reset a password, such that if there was a forged request, there would be plenty of time for the real account owner to put the brakes on.

I'd be torn between pushing customers to use their own domain name (pulling back the curtain and making registrar relationships the weakest link), and using a singular domain name that would be easier to make sure didn't get transferred etc. It might be best to decommodify and encourage customers to only use it for account addresses and not long term personal contacts. Or perhaps a mix of both, with a unified mailbox?
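The waiting-period reset sketched in the comment above, as an added example that is not part of the original post: a reset approved at the counter does not replace the credential immediately; it becomes effective after a hold, and a cancel token delivered to the channels the owner already controls lets the real owner stop a forged request. The seven-day hold, the 16-byte token and the plain-string credential are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Added example (not from the original comment). It models the waiting
// period mindslight proposes: an in-person reset request does not replace
// the credential on the spot; it becomes effective after a hold, and the
// current account holder can cancel it with a token sent to the channels
// they already control. The seven-day hold, the 16-byte token and the
// plain-string credential are assumptions made for the illustration.
const holdPeriod = 7 * 24 * time.Hour

var (
	ErrNoPending  = errors.New("no pending reset")
	ErrHoldActive = errors.New("hold period has not elapsed")
	ErrBadToken   = errors.New("cancel token mismatch")
)

type pendingReset struct {
	effectiveAt   time.Time
	cancelHash    [32]byte // sha256 of the cancel token; the token itself is not stored
	newCredential string
}

// Account keeps the live credential and at most one pending reset.
// A real service would store a password hash, not the secret itself.
type Account struct {
	Credential string
	pending    *pendingReset
	now        func() time.Time // injectable clock so the hold can be tested
}

func NewAccount(cred string, clock func() time.Time) *Account {
	return &Account{Credential: cred, now: clock}
}

// RequestReset is called by the front desk once the in-person checks pass.
// It returns the cancel token, which is then delivered to the account's
// existing contact channels so the real owner can stop a forged request.
func (a *Account) RequestReset(newCred string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	a.pending = &pendingReset{
		effectiveAt:   a.now().Add(holdPeriod),
		cancelHash:    sha256.Sum256([]byte(token)),
		newCredential: newCred,
	}
	return token, nil
}

// Cancel aborts the pending reset for anyone presenting the cancel token.
// The comparison is constant-time so the token cannot be guessed byte by byte.
func (a *Account) Cancel(token string) error {
	if a.pending == nil {
		return ErrNoPending
	}
	h := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(h[:], a.pending.cancelHash[:]) != 1 {
		return ErrBadToken
	}
	a.pending = nil
	return nil
}

// Complete applies the new credential only once the hold has elapsed and
// the request was not cancelled in the meantime.
func (a *Account) Complete() error {
	p := a.pending
	if p == nil {
		return ErrNoPending
	}
	if a.now().Before(p.effectiveAt) {
		return ErrHoldActive
	}
	a.Credential = p.newCredential
	a.pending = nil
	return nil
}

func main() {
	clock := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	acct := NewAccount("old-secret", func() time.Time { return clock })
	token, _ := acct.RequestReset("new-secret")
	fmt.Println("immediately:", acct.Complete()) // hold period has not elapsed
	fmt.Println("owner cancels:", acct.Cancel(token), "credential still", acct.Credential)
}
```

The point of the design is that the attacker's visit buys them nothing until the hold expires, while the owner needs only an existing session or recovery channel, not a trip of their own, to kill the request.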


👤 ivoras
Not the audience for this (who's the audience anyway? can't think of any), so definitely not, but that mechanism has at least 1 major flaw:

If a password is compromised / brute forced, the attacker will have access to the victim's e-mail (or other data) until the victim makes the time to get around to resetting the password in person, which might take a while.


👤 motohagiography
This was called an LRA (local registration authority) in the PKI world, where you would delegate authority to verify the identity of users in person to enroll them. Doctors in Canada have had to do this for their network logins. Security clearance processes at different levels of govt work in a similar way, where you have to be physically present to be enrolled into a clearance, and to get a PIV card for login access to many federal systems in the US.

There is a general problem of "strong identity proofing for user enrollment" that comes up in security a lot. Since the invention of Zoom, other common video conference software and services (Truly, or whatever you use) are used widely for this purpose today. However, this is also what "notary public" people do as well.

Is it possible that a retail franchise model of notary services that provides LRA services to tech platforms and other companies may be the support model they are looking for? Maybe. Even though I think I would probably switch away from that email service if I had to show up somewhere to reset it, I would also go to an Apple Store to reset an Apple ID password, which the product manager surely sees as a way to bring people into the stores to buy things as well. Retail stores may even compete to offer other platforms' reset services (msft, amzn, samsung, etc.) to get people into their shops, and the platforms could convert their account reset problem into a services product with a private platform interface, for which they sell the licenses.

A SaaS for public notaries who provide notary services for things like account reactivations, identity assurance for user enrollment, front-line service for the credit reporting agencies, and what are essentially appointments for compliance checks of any kind, creates a layer of corruptible low-level regional administrators intermediating normal life, and that seems pretty dystopian. That said, everything seems dystopian until you run it, then it's a platform.


👤 LinuxBender
> only be password reset in person

I like that idea. I could see something like this being partnered with brick-and-mortar banks or grocery chains. Many banks already deal with validating IDs and in some cases have free or discounted notary services for their customers. Or at least some national / international chain store. Some grocery stores already partner with banks and have a bank in a percentage of their grocery stores. I'm in the middle of nowhere but my nearby town has a bank and a grocery store.

The more I think about it, this would be more useful and scalable if it were not strictly an email service but rather an identity provider. Think SAML/OAuth provider that is highly extensible to email providers, app providers, SaaS / misc cloud providers, etc... A distributed LDAP managed by banks or grocery stores with simple and secure web front-end APIs. By distributed I mean highly fault tolerant active-active in many regions and with many hourly backups in every region. LDAP can store email addresses, aliases, phone numbers and more. The management API would have to contain a distributed and highly detailed journal of who changed what, using some type of cryptographic proof.

If a person changes their email provider, app provider, cell phone provider, or anything else for that matter... then their identity follows them. They would already have in place that which they wish to share publicly and that which companies can use privately to ID them.

> With retail on the way out, and lots of open space

I'm not so sure about the idea of picking up unused buildings. That would be a monumental cost for a single service and probably quite challenging to get funding for. Real estate is a good investment but comes with a high burn rate: insurance, maintenance, security, code compliance, etc... I think this aspect would require a remarkable business plan for investors to not be highly skeptical.
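One concrete shape for the "journal of who changed what, using some type of cryptographic proof" asked for in the comment above, as an added example that is not part of the original post: a hash-chained, append-only log of administrative changes to identity records. Each entry commits to its predecessor, so editing or dropping an earlier entry breaks every hash after it. The field names and the change descriptions are constructed for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Added example (not from the original comment). It gives one concrete
// shape to the "cryptographic proof of who changed what" LinuxBender asks
// for: a hash-chained, append-only journal of administrative changes. Each
// entry commits to its predecessor, so editing or dropping an earlier entry
// breaks every hash after it. This makes the log tamper-evident, not
// tamper-proof: the latest hash still has to be replicated or published
// somewhere the operators cannot rewrite. Field names are assumptions.

type Entry struct {
	Seq      int
	Actor    string // operator or branch that made the change
	Subject  string // identity record that was changed
	Change   string // human-readable description of the change
	PrevHash [32]byte
	Hash     [32]byte
}

type Journal struct {
	Entries []Entry
}

// hashEntry length-prefixes every field so that ("ab","c") and ("a","bc")
// cannot collide, then chains in the previous hash.
func hashEntry(seq int, actor, subject, change string, prev [32]byte) [32]byte {
	h := sha256.New()
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(seq))
	h.Write(n[:])
	for _, field := range []string{actor, subject, change} {
		binary.BigEndian.PutUint64(n[:], uint64(len(field)))
		h.Write(n[:])
		h.Write([]byte(field))
	}
	h.Write(prev[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Append records a change and links it to the current head of the chain.
func (j *Journal) Append(actor, subject, change string) Entry {
	var prev [32]byte
	if n := len(j.Entries); n > 0 {
		prev = j.Entries[n-1].Hash
	}
	e := Entry{Seq: len(j.Entries), Actor: actor, Subject: subject, Change: change, PrevHash: prev}
	e.Hash = hashEntry(e.Seq, e.Actor, e.Subject, e.Change, e.PrevHash)
	j.Entries = append(j.Entries, e)
	return e
}

// Verify walks the chain from the first entry. It returns the index of the
// first entry that fails (sequence gap, broken link or altered content) and
// false, or the number of entries and true if the whole chain is intact.
func (j *Journal) Verify() (int, bool) {
	var prev [32]byte
	for i, e := range j.Entries {
		if e.Seq != i || e.PrevHash != prev ||
			hashEntry(e.Seq, e.Actor, e.Subject, e.Change, e.PrevHash) != e.Hash {
			return i, false
		}
		prev = e.Hash
	}
	return len(j.Entries), true
}

func main() {
	j := &Journal{}
	j.Append("branch-17", "alice", "recovery phone updated")
	j.Append("branch-17", "alice", "primary address changed")
	j.Append("branch-03", "bob", "recovery key rotated")
	fmt.Println(j.Verify()) // 3 true
	j.Entries[1].Actor = "branch-99" // an operator rewrites history
	fmt.Println(j.Verify()) // 1 false
}
```

A single operator who can rewrite the whole file can of course recompute every hash after the edit; the chain only pays off when the head hash is mirrored across the regions the comment describes, or signed by a party the branch operators do not control, so that a rewritten history no longer matches the copies elsewhere.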


👤 crazygringo
> that can only be password reset in person (using a variety of checklists to prove you're the rightful owner).

But why in person?

There's literally nothing more secure about in-person with the sole exception of biometric checks like fingerprints or iris scans -- but neither of those require the "person" part of "in-person", they're just hardware.

The only thing an "in-person" encounter will do is check your face matches an ID photo, and maybe rough height/gender/eye color. All of which could be done over a webcam anyways.

The whole question seems to rest on the premise that somehow an in-person reset is more secure (or would provide a better security-for-ease-of-use tradeoff)... and I would reject that premise entirely.


👤 2143
I'm a little paranoid about getting locked out of my account because what if the automated service provider thinks I'm not who I claim to be? Hence I see the advantage of being able to reset passwords in person.

What I prefer is being able to reset it online, but also having the ability to physically go somewhere and reset it in person as a last resort.

Also, wouldn't this (in-person reset only) be hard to scale beyond a certain point?

If there's a million users, and 0.1% (¯\_(ツ)_/¯) needs to reset their password everyday, that's 1000 resets everyday.

On an 8 hour workday, there's 480 minutes; you'll have to verify and reset a little more than two people every minute. Or you could hire more people, which raises costs.

This is hard to scale.


👤 jimkleiber
Maybe if it were more focused on using email as an identity provider for other sites.

For example, Facebook started where people needed a university-validated email address to join. This allowed there to be a one-to-one matching of account and human. While there are some ways to do KYC online, I imagine an in-person solution might help a LOT. It could still be tied to an email address, if you wanted, as it can be easy for sites to restrict login to specific email domains. I just think for me, what I want the most as a user and especially as a site designer, is a way to more confidently prove someone's identity or at least their humanness.


👤 rrwo
Having to show up in person would be a non-starter, especially if I had to travel far or had to show up during business hours.

I'm sceptical that it would provide much more security. Do you have the skills or technology to validate physical identification (drivers' licences, passports)?

What happens if somebody has lost their laptop and identification (fire, flood, theft etc)? They don't remember their password, and they are having a difficult time proving who they are?

How are you planning on dealing with people who are angry, aggressive or even violent?

What if somebody shows up armed and threatens your staff?


👤 lbriner
Personally, I would say that not being able to get into my email (or other online services) when I needed to was a MUCH bigger problem than worrying that someone else could somehow reset it in order to take ownership.

You know that thing, you try and get into your tax return and you can't find the username that you only use once per year so you have to wait for them to send you a letter including your username (assuming your address is up to date).


👤 revolvingocelot
Of course it's an interesting idea, but the idea hasn't been fully had yet. "A variety of checklists to prove you're the rightful owner" doesn't actually mean anything without some examples of what the checklists are going to be.

Put another way, what does "security through obscurity" refer to? Why do we only use cryptographic methods that are totally explained, rather than those that keep their procedure secret?


👤 mvdwoord
I actually like the idea of improving security, especially for my main email on which many other identities depend, also for their password resets. Not sure how it would be implemented, perhaps tying it into the national id system or something (where available)? It does seem that any account important enough to warrant this level of security should also have excellent customer service/availability/emergency procedures.

Online IAM is hard.


👤 woodrowbarlow
this doesn't quite solve the problem, though. this prevents a user from getting locked out of their own email by an attacker, but doesn't do anything to prevent an attacker from gaining access in the first place -- the root of trust, the password, is just as fragile as it was before (potentially more fragile, because the added friction discourages changing the password on a fixed schedule).

i would, however, be interested if such a service (somehow) used a public/private identity key model, rather than a username/password model. a fully password-less service, with key registration done in-person. implemented correctly, this would be a dramatic improvement on the status quo in terms of email account security.

the fundamental flaws with email as a secure communication channel still remain; these would still make me hesitate. ultimately, i'd reluctantly pay for it because using the web forces me to maintain a secure email account and this would be the easiest reliable way to do so.

(side question: imagine you discover your password was compromised late friday night. do you need to wait until monday to re-secure your account?)
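The passwordless, key-based model described in the comment above, as an added example that is not part of the original post: the only credential is a signing key whose public half was registered at the in-person visit, and login is a challenge-response, so there is no password to brute-force or to reset remotely; losing the key means re-enrolling in person. The `mail-login:` message layout and the 32-byte nonce are assumptions for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example (not from the original comment). It sketches the
// passwordless model woodrowbarlow describes: the only credential is a
// signing key whose public half was registered at the in-person visit, and
// login is a challenge-response, so there is no password to brute-force or
// to reset remotely. Losing the key means re-enrolling in person. The
// message layout and 32-byte nonce are assumptions for the illustration.

var (
	ErrUnknownUser    = errors.New("unknown account")
	ErrBadSignature   = errors.New("signature did not verify")
	ErrStaleChallenge = errors.New("challenge unknown or already used")
)

// Server holds the enrolled public keys and one outstanding challenge per account.
type Server struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{
		keys:       make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Enroll is the front-desk operation performed after identity has been
// verified in person. Replacing a lost key is the same operation; there
// is no separate "reset" path that a remote attacker could trigger.
func (s *Server) Enroll(account string, pub ed25519.PublicKey) {
	s.keys[account] = pub
}

// Challenge issues a fresh single-use nonce for the account.
func (s *Server) Challenge(account string) ([]byte, error) {
	if _, ok := s.keys[account]; !ok {
		return nil, ErrUnknownUser
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[account] = nonce
	return nonce, nil
}

// signedMessage binds the nonce to the account and a purpose label so a
// signature made for one context cannot be replayed in another.
func signedMessage(account string, nonce []byte) []byte {
	return append([]byte("mail-login:"+account+":"), nonce...)
}

// Login consumes the outstanding challenge (even on failure, so it cannot
// be retried) and verifies the client's signature over it.
func (s *Server) Login(account string, nonce, sig []byte) error {
	pub, ok := s.keys[account]
	if !ok {
		return ErrUnknownUser
	}
	want, ok := s.challenges[account]
	delete(s.challenges, account)
	if !ok || !bytes.Equal(want, nonce) {
		return ErrStaleChallenge
	}
	if !ed25519.Verify(pub, signedMessage(account, nonce), sig) {
		return ErrBadSignature
	}
	return nil
}

// Sign is the client side; the private key never leaves the user's device.
func Sign(priv ed25519.PrivateKey, account string, nonce []byte) []byte {
	return ed25519.Sign(priv, signedMessage(account, nonce))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := NewServer()
	s.Enroll("alice", pub) // done at the counter, not over the network
	nonce, _ := s.Challenge("alice")
	fmt.Println("login:", s.Login("alice", nonce, Sign(priv, "alice", nonce)))
	fmt.Println("replay:", s.Login("alice", nonce, Sign(priv, "alice", nonce)))
}
```

Because the server stores only public keys, a database leak yields nothing to crack, and the Friday-night scenario in the comment changes shape: the thing to revoke is a key the attacker would have had to steal from the device, not a secret that can be guessed or phished over the wire.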


👤 fizzynut
I would not like to have to interact with an "IT" department for my personal email.

I would not like my email service to store the required personal information to prove who I am.

I would not like to give away personal information to some poorly trained stranger / I would not want to pay whatever the ridiculous cost it is to have 1000s of people employed for this completely automatable job - I don't want to live in Japan.


👤 pmontra
Probably not, unless you can explain the advantages. I mean, it could protect my account from most of (all?) the automated and remote attacks, but frankly I won't be happy to have to get out of my home to reset a password. It's too similar to having to walk into a bank to sign some paper instead of doing it from home.

Any big good reason I didn't think about?


👤 gwbas1c
Yes, I'd actually prefer this.

BUT: The devil is in the details. How far will I need to travel to reset my email password? How diligent will the people be in verifying that I'm who I claim I am? How easy will it be to impersonate me and take over my account?

Personally, I think something like this needs to gravitate towards a government service.


👤 mirzap
Not really. People that need this feature already have it (in a way) in a given scope (government agencies, universities, some corporations & private companies etc). 99.999% of people simply don't need that level of security. How things currently work is a fine balance between UX and security, minimal friction.

👤 donatj
I misread that as “in prison” and was briefly very confused about what kind of shady business model you were planning.

👤 beisner
Alongside simple banking, this is a service that should be offered, for free, by the US Post Office.

👤 rr888
I could be interested in this, but would have to be from a reputable company, not a small startup. The weak link in my security is SMS which most online accounts rely on, so until that problem is fixed the email is a secondary issue.

👤 melony
Just use one of AWS's medallion contracts and stake a large amount of money on it. At a big enough scale, the bank can do way better KYC and identity verification than you. Plus there are more bank offices around.

👤 paxys
If this service magically has convenient locations in every urban area in the world then maybe.

And what would this checklist entail? How would a random store employee be able to verify my identity?


👤 moralestapia
That would be pretty neat (not only email but other online stuff) if multiple locations were considered.

I don't think someone would travel to a different city/country for this.


👤 topherPedersen
I might use something like that. My email and password manager are both really important to my identity online. Maybe you could do email and password management?

👤 jabroni_salad
I recently ditched a bank for having this issue after I had to drive 700 miles to reset my password.

Maybe if that email service was run by usps or something I would consider it.


👤 kodyo
I can't imagine what sort of hell a person would have to be going through to see this as something they would be willing to pay for.

👤 miked85
I would be somewhat surprised if anyone at all would.

👤 onion2k
I'd rather not use email at all if I can help it.

👤 throwaway22032
I'd rather have an email service that has no password reset functionality. If I lose my private key, lock me out forever.