Hi,
On Sat, Jul 07, 2012 at 10:25:56PM +0300, G. Miliotis wrote:
> I would consider the method you used insecure and prone to social
> engineering attacks. Anyone can forge any document sent over email or
> fax, including a utility bill. Proof of address is not enough to
> verify identity, in my book.
Okay, this won't be done again. I'm glad now that I brought this up
because it's important that we have the same expectations.
Anyone who has disabled the password resets by email should take a
moment now to consider whether they really want that, as there may
not be another way to contact them and they may have to endure
lengthy delays in getting their service working again in future.
In the meantime I will contact all those who have disabled it and
we will work out a procedure that suits as many as possible.
> Brainstorm:
> 1. Make a 1 GBP charge to the customer's bank account (if known) with
> a code, then request the code (a la paypal): requires you to know
> bank account, is SLOW to work
> 2. Demand mobile phone, send verification code via SMS that must be
> input to disable email auth, from then on, demand sms code -
> insecure, might need an extra verification method
> 3. Use voice recognition - customer calls you, you use voice
> recognition software - might need an extra verification method
> 4. Use the "memorable phrase" method (a la msn live)
> 5. Mail the customer a password - might need an extra verification
> method - impractical, easily intercepted
> 6. Use lawyers (a la CACert verification) - very slow, costly, impractical
> 7. Trust buddy - A customer designates another customer as a "trusted
> buddy", where they can access the VPS using their own credentials.
> This could be allowed only during emergency situations or more
> generally - not practical since I imagine most customers don't have
> buddies in bitfolk customer base
> 8. OAuth - Use external authentication (yahoo, etc). Customer links
> account, can then log on via those accounts in future ONLY to change
> password. Forgetting both credentials would be rather rare....
There are some good ideas here and I will bring them up again when I
talk to those of you who have disabled password resets.
Thanks for the input,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
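Options 1 and 2 in the brainstorm both rest on a short code delivered out of band (a bank charge reference or an SMS) that the customer must type back. The following is an added example, not BitFolk's code, of the server-side half of that step with the controls a defender would want around it: a short lifetime, single use, a bounded number of guesses, and a keyed hash at rest (a six-digit code is small enough to brute-force offline from a plain hash). The class and constant names are hypothetical.

```python
# Added example (not from the thread or from BitFolk): out-of-band
# verification code handling for an email-less password reset path.
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # code is useless after ten minutes
MAX_ATTEMPTS = 5         # then the code is burned and must be re-issued


class VerificationStore:
    """In-memory store of pending codes; keyed by account identifier."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # Server-side secret: keys the hash so a leaked table of
        # pending codes cannot be reversed by trying all 10**6 values.
        self._key = secrets.token_bytes(32)
        self._pending = {}  # account -> (code_hmac, issued_at, attempts_left)

    def issue(self, account: str) -> str:
        """Create a six-digit code and return it for delivery (SMS, bank
        statement). Only its keyed hash is retained."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = (self._mac(code), self._clock(), MAX_ATTEMPTS)
        return code

    def verify(self, account: str, candidate: str) -> bool:
        """Check a code the customer typed back. Any terminal outcome
        (success, expiry, guesses exhausted) removes the pending entry."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        code_mac, issued_at, attempts_left = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._pending[account]          # expired: must re-issue
            return False
        if hmac.compare_digest(code_mac, self._mac(candidate)):
            del self._pending[account]          # single use
            return True
        attempts_left -= 1                      # online guessing is bounded
        if attempts_left <= 0:
            del self._pending[account]
        else:
            self._pending[account] = (code_mac, issued_at, attempts_left)
        return False

    def _mac(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), "sha256").digest()
```

The attempt cap limits online guessing of a six-digit code; the secret-keyed MAC is what protects the stored copy if the pending table itself leaks.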