Security and convenience are usually in direct competition with each other. Customer service people have to listen to people yell at them when convenience is sacrificed and aren't held accountable for security problems. They therefore optimize for customer convenience. I don't completely fault them for it. If anyone has had the frustration of sitting on the phone with a customer service rep trying to remember a PIN code that was set up 5 years ago when signing up with an ISP and was never thought about since, you can probably understand it.

It is easy to blame a single person or a single company for poor practices, but I have yet to encounter any real solution to this problem that allows someone to prove they are who they say they are which is able to hit the sweet spot between too many false positives (hijacked accounts) and too many false negatives (valid customers locked out).

If I were a security-minded person looking for startup ideas, this is the problem I would be looking to solve.

We already have a solution: WebAuthn.

Almost every phone and laptop today supports it, and you can optionally have a backup in the form of a $10 keychain device or 24 words written on paper.

This does mean people will be best off keeping at least one backup safe with other things they can't afford to lose, like their SSN card and driver's license.

Once WebAuthn is set up, then day to day, as long as a person has not lost -all- their devices, remote identity verification can be fast-tracked.

If they have lost all their devices, it would be as if they lost all their citizenship paperwork, and it will be a longer, generally in-person, process involving reference verification and a waiting period.

> Almost every phone and laptop today supports it

Eh.

I'm super excited for WebAuthn, but unless my sources are out of date it's far from being supported everywhere (https://webauthn.me/browser-support).

A giant challenge with WebAuthn is the lack of platform authenticator integrations, particularly on Linux. You basically need to buy a separate key. And if you're on Android and you swapped out Chrome for Firefox (which you should do) then even the physical key stops working.

I desperately want to start using WebAuthn everywhere, and I desperately want to start encouraging devs to swap over to it for most new logins. But I don't think I can. I don't know that I own a single phone or desktop that, as configured, can use WebAuthn without a security key. If I'm doing something wrong, or if there's some config option that just hasn't gotten flipped by default on platforms like Firefox on Linux, then I'd love to know.

I made a FIDO token (a platform authenticator) implementation that uses the TPM to protect your private keys on Linux: https://github.com/psanford/tpm-fido