Comment by toomuchtodo
3 hours ago
I manage customer identity and access management ("CIAM") for a financial services firm. Passkeys are primary, recovery can be performed by providing a government credential remotely (which costs us ~$2-3 per recovery). I do not think it is hard, based on what we have built and spent to enable these capabilities. NIST Special Publication NIST SP 800-63 Digital Identity Guidelines is a helpful resource on this topic.
https://pages.nist.gov/800-63-4/
I think Meta just does not care if they're enabling AI attack surface and vulnerabilities into these customer journeys. It's...certainly a choice, versus deterministic journeys with hard guardrails. They could make different choices.
> recovery can be performed by providing a government credential remotely
That only works because you presumably do KYC when you open accounts, so you have an identity to match to. Most internet accounts don't do real KYC, so a government credential doesn't really work for recovery --- they didn't know who you were, so proving who you are doesn't help anything.
That doesn't mean that letting anyone sweet talk support or an AI into taking over an account is acceptable, of course.
It's a fair point, and can be solved for as part of the "Verified" offerings Meta offers. This binds IRL identity to the digital identity at verification for future identity assurance step up (including if and when recovery is required). Failing that, TOTP, SMS, and even mailing an OTP to a mailing address remain low friction auth factors (with, of course, various levels of security).
My point is that while this is not easy, there are obvious very bad ways to implement this that should not be done (chatbot or other generative AI interface vulnerable to the usual suspects of AI inherent attack surface). Don't build the bad way, the right away is known and straightforward.
I’d wager your range of tech literacy/capabilities for your firm is much narrower than big tech.
Someone gained access to a Instagram account (belonging to a business by the same name) connected to a fb account (by the same name) that they still had access to. The only thing fb could do was terminate the Instagram for impersonation.
It's an impressive level of incompetence.
Range != value, depending on use case. Doing more poorly does not make something better. Our customer identity capabilities are very close to login.gov (we don't have to support hundreds of agency customers and common access cards), and if its good enough for ~342M Americans, its good enough for our customer base.
Broadly speaking, work for the sake of work is not valuable work. Show me outcomes for resources and time invested, and compare accordingly. Value is, again broadly speaking (there is always nuance), what you deliver. If you bring me an AI solution for a high risk high value customer journey, data flow, or code path, that is an anti pattern. If you, as a colleague or a stakeholder, put forth that we must use AI in situations that require a high degree of determinism (due to potential high cost failure modes), you will need to prove this extraordinary claim with evidence.
Choose Boring Technology - https://news.ycombinator.com/item?id=48315583 - May 2026 (19 comments)
> [login.gov] if its good enough for ~342M Americans
I am very curious about the actual number of users of login.gov.
I am a US citizen and my experience was … negative to the point of actively avoiding it.
1 reply →