Hacker News

> In one of the later posts, the OP writes that the homeless will lose any physical thing after N weeks. So what kind of 2FA would be homeless-proof? I don't see a solution.

This is not a technical problem and should not be automated away.

Rely on trustworthy third parties. Universal utilities like Google should have retail outlets which are adapted to local conditions and can exercise educated judgement. In some countries, the police might certify the identity of the individual, and then Google could trust that certification. In another place, it might be some combination of the Red Cross and a public hospital. Obviously some identifications will be easier and others harder - if a person in New York claims they are the owner of an account based in Spain, the employee should be suspicious and require a higher burden of proof (and the reactivation might be logistically more difficult).

> The other thing is, we want at the same time Gmail to be unhackable against best hackers and state sponsored adversaries for the billions of users, including high profile dissidents, journalists, and senators who will inevitably have accounts;

I'm not really convinced high profile dissidents, journalists and senators (why senators?) should be trusting Gmail to protect them from state sponsored adversaries. Google generally wants to do business in territories controlled by states which means they have to follow laws and will sometimes be subject to intimidation; but they have no intrinsic motivation to be unhackable.



> Universal utilities like Google should have retail outlets which are adapted to local conditions and can exercise educated judgement.

Sorry but this just isn't happening, and if there is regulation to make something like this happen, companies will just turn off their services. Plus this would essentially seal off competition: want to run an email hosting startup? Guess you have to manage real estate all over the world and work with every government.

This whole conversation seems backwards to me. Yes, it should be easier for people to recover their accounts, but should governments be totally reliant on private email providers for communicating with people who need services?

The story, as I understand it, goes something like this: a case worker emails a homeless person, the homeless person can't access their email, and then the case worker denies them access to programs because they never got a response. That is not solely an email problem---it's also a huge problem with these programs and services! Why don't they provide identity services and retail outlets to help people get the resources they need? Why are governments shoving this responsibility into the private sector?


> Guess you have to manage real estate all over the world and work with every government.

Or, you know, pass a deal with post offices or banks. Bank ID is pretty widespread in Nordic countries for instance.

But as with other topics (e.g. banking services) we're getting the usual HN answer where anything unheard of in SV but common elsewhere is considered luxury science fiction.


This still isn’t totally a tech fix, you still need government buy-in to build the infrastructure and make it usable.


Bank ID doesn't involve governments.


Google’s advanced protection program is probably the most secure way to have an email address if you believe you are likely to be targeted by a sophisticated attacker. It requires a security key to sign in every time, limits sign in with Google, and only lets you use Gmail, Apple Mail, or Thunderbird as your email client.

Why Senators? They’re high ranking US government officials, they’re a prime target for state sponsored attackers.

Other than Protonmail I wouldn’t trust anyone else with my email. Gmail is close to if not the #1 non-governmental target for state sponsored attackers. The NSA runs secure email for TS-SCI communications but they don’t want to have to teach John Podesta how to not get phished, and Google has the best defense against those attacks if you enable advanced protection.


I don’t think there’s any universe where a company runs an international chain of retail outlets in order to support a free email service. If that were the standard, free email providers just wouldn’t exist outside of bundles with other services.


We treat email almost as we used to treat postal mail: we expect it to be available to all ("digital transition" replacing human-fronted public services with digital ones).

If we treat it as a utility, it's fine to regulate it as such. If <big corp> wants to make money, directly or indirectly, by offering email service, they should have some standard of service. If they can't, we can just make it a public service, which wouldn't let <big corp> make money out of it, but would also guarantee it's available to all.

Either way, eating the cake and leaving it whole, like it is now, shouldn't be an option.



