Proving Your Identity Online

The domain of this blog expired on Friday because I forgot to renew it. I had relied on my domain registrar's notifications to remind me of the upcoming expiry, but since I recently changed my personal email address, the registrar's reminders didn't reach me. To prevent the same thing from happening to my .si domains, which are handled by one of the Slovenian registrars, I wanted to check whether my email settings with this registrar were up to date. When I tried to log in with my Slovenian registrar, I found out that I hadn't stored the password for my account there (I have a policy of not reusing passwords). Normally that wouldn't be such a problem, since most services support password reset by sending a custom link to your email address. But since I no longer have access to the inbox of my old email address, I had to call the registrar's customer support by phone.

Domains are probably the most vulnerable and critical part of Internet infrastructure. If somebody gets access to your domain, all other access control mechanisms (email, OpenID, ...) become highly exposed. Consequently, I was very curious how the customer support of this Slovenian domain registrar would handle my request. They turned out to be tolerable, but by no means perfect. I called them by phone from my mobile number, which they have in their database. This already gave them two pieces of evidence of my identity - that I'm Slovene (or at least someone who's fluent in Slovene) and that the person calling is in possession of my phone number. The next verification step was customer support testing my knowledge of the domains I have registered with them and of my email address, but this information is publicly available (though I protect it now by turning on WhoisGuard protection), so it unfortunately doesn't offer much protection. Once I provided these pieces of information too, the customer support person changed my email address, and I was then able to reset my password and access my account.

Proving one's identity online is a far cry from being a solved problem. But slowly and surely we're learning what works and what doesn't, so in a couple more iterations Fido will no longer be able to hide being a dog.