
2FA using a postcard - edent
https://shkspr.mobi/blog/2017/06/2fa-using-a-postcard/
======
SingAlong
Google uses a postal-card OTP for the Google MyBusiness service, to verify the address
for business listings. That is how you create Google Maps and Google Plus
pages ([https://business.google.com](https://business.google.com)). They also
require re-verification if the business address changes.

I think it is a very smart & less cumbersome way to verify physical address.

------
djhworld
I agree with the comment that the email hint is totally unnecessary, and the
ambiguous 3 day expiry window is too confusing in a world where post might
take 1 - 2 days to arrive. Additionally, the postcard aspect means people at
every point along the delivery chain can read the back and front, so why not just
send a letter?

As a side note, I really like the way the author of this blog has constructed
his "Contact Me" bit at the bottom, it's very intuitive, clever, and uses URI
schemes where appropriate, nice job!

~~~
firloop
I think it's likely that it probably doesn't expire, or has an expiry longer
than 3 days; saying that the code expires gives a sense of urgency. I'm sure
it helps with conversion, as this is yet another step of the onboarding
process.

~~~
TeMPOraL
> _saying that the code expires gives a sense of urgency_

It also is, quite literally, lying to people. I personally hate when
businesses do that.

------
tedmiston
> This is a nifty way to lightly verify someone's address! A service could ask
> for scans of utility bills, or driving licences, but this is a lot simpler.

It's also an invalid way to verify where someone lives. It's possible to
"verify" any address at which you can have mail sent to your name and receive it,
for example, a previous address, an office, a co-working space, an abandoned
building or vacant apartment, etc.

This is why it's such a big deal that Nextdoor makes each user's address
public inside their neighborhood group by default — there are trivial ways to
get into a neighborhood group.

------
Symbiote
The Danish national identity system uses a code card as the second factor.

Picture of a card:
[http://2.bp.blogspot.com/-bhasaP2UfVA/T-itxSP6-uI/AAAAAAAAAF...](http://2.bp.blogspot.com/-bhasaP2UfVA/T-itxSP6-uI/AAAAAAAAAFk/KOR44E5angY/s1600/NemID-Card1.png)

Site: [http://NemID.nu](http://NemID.nu)

~~~
fulafel
Also known as one time passwords. These are great and way underused.

------
kalleboo
I had a Japanese site verify my address by sending me a postcard by registered
mail. If the postcard got delivered they presumed the address was valid, if
the post office failed to deliver they knew it was fake. No need for any
action on the user's end.

When the Swedish post office started their online portal back in the mid-to-late
90s they would mail your initial password home when you signed up. I
guess because postal mail is all they knew?

~~~
syndev
For the Japanese service, did anything prevent users from putting an address
that received mail, but wasn't theirs?

------
patcon
If anyone is looking for a fun side-project, this sort of postal verification
could be part of bootstrapping a citizen-controlled national digital identity
system. The system would also leverage the official gov election form that
checks if you're registered to vote, resurfaced with an API.

This approach has the interesting property that, in order to cheat this
unofficial system, you'd have to commit either mail fraud (interception) or
vote fraud (fake entry in the election registry).

Canadian proof-of-concept here:
[https://github.com/patcon/id.c4nada.ca](https://github.com/patcon/id.c4nada.ca)

Ping me on Twitter if you're interested in working on this in Canada or any
other jurisdiction. Would be rad to create an auth system for citizen projects
to validate identity/ward/district/state with high assurance. That way, user
desires can be passed to reps with reasonable certainty that numbers reflect
real voters.

And could start doing fun stuff with encryption keys or keybase integration or
things like that ;)

~~~
zubairq
We already do this in Denmark and the company is looking to USA too

------
Sami_Lehtinen
How about verifying against the national identity database? No need to
second-guess identity / address, etc. Isn't that exactly why we've got strong
identity, that it's very easy to validate it? I wonder why some services use
all kinds of pseudo methods when there are strong and proven methods
available. Also, a postcard is bad because it's not registered mail, where the
recipient's identity is verified. Some businesses do use that. But it's still
worse than using online ID, because it's still more likely that the identity
verification when receiving mail isn't done properly.

~~~
djhworld
The UK doesn't have a national identity database.

~~~
nly
The de facto databases for residency are those held by the UK's 3 main credit
reference agencies, who all have access to the electoral roll and offer
address verification as a service.

e.g. [http://www.experian.co.uk/business-express/identity-solution...](http://www.experian.co.uk/business-express/identity-solutions/identity-check/)

~~~
lucaspiller
Those services/databases don't really verify anything though. They tell you if
the details given match a person, but they don't verify that the person giving
them is who they say they are.

Last year I had a number of cases of identity fraud. In one case somebody went
into a phone shop, gave just my name and address, and walked out with an iPhone
7 and a £60/mo contract. As the director of a limited company my name, address
and date of birth are public record, so it seems really stupid that this is
how identity is usually 'verified' in the U.K.

As there is no way to remove yourself from these databases (short of
committing credit score suicide), I now pay £10/year to be on another
database:

[https://www.cifas.org.uk/pr_for_individuals](https://www.cifas.org.uk/pr_for_individuals)

------
bdd
The American Radio Relay League (ARRL) employs postcard-based recipient
verification for amateur radio operators by mailing to their registered
license address with the FCC, a public record. They use this to sign a user
certificate (X.509) which presently can be used to access Logbook of the World
(LoTW), a web-based logbook for radio operators to record contacts with other
operators.

------
janklimo
Couchsurfing uses the same address verification method (postcard sent to your
home with a code). That one is powered by Lob. Maybe this one is as well?

------
jwilk
How is this a 2FA?

~~~
yladiz
Because it's a second factor beyond your password.

~~~
dchest
This is just address verification using a mailed-in code. The term 2FA describes a
system that uses a second factor for _authentication_. This one uses a code
sent by mail for registration (where the first authentication is part of the
registration).

------
weinzierl
I've seen posters in the streets from one of the hyper-local social networks
that have a per neighborhood code on the poster. You use that code to sign up
for your neighborhood.

------
zubairq
Denmark already does postcard 2FA called NemID for all its citizens

~~~
abricot
But the price/speed of mailing in DK puts the method out of grasp for most
organizations.

~~~
zubairq
They get over this by mailing 100 at a time

------
ciucanu
ricardo.ch (similar to craigslist) is doing the same in Switzerland. I think
this gives the user the impression that he has to be responsible about his
actions on the website.

~~~
chinathrow
More that it weeds out all the scammers hiding behind fake addresses.

