Ask HN: Why is company letterhead a valid form of auth in 2022?
After filing a violation with Twitter support for an account impersonating an open-source project I work on (posting fake news, etc.), Twitter has asked that I verify myself as being part of the organisation being impersonated by providing a copy of my business card or a signed company letterhead.
This is not the first time I've been challenged to provide a company letterhead as a form of authentication by a large, reasonably sophisticated company. How is this still considered quality best practice?

You've gotta split it into 'technical auth' and 'legal auth'. Legal auth is simply making sure they can sue you, and/or get you sent to prison if you circumvent their system.

> Legal auth is simply making sure they can sue you, and/or get you sent to prison if you circumvent their system.

Also, there isn't a standard way to identify a company and to validate its actions. A slightly better one (at least where Latin notaries exist) is that the company secretariat make a declaration of whatever and include a certified copy of the company registration that certifies that the said person is the secretary of the company, but you end up with the ID problem except that it's for companies. Maybe a standard "passport" identifying companies? Did I re-invent parts of apostille? (https://en.wikipedia.org/wiki/Apostille_Convention)

This is the only sensible answer in this thread.

I have as well. Even a really long time ago, so it sounds like a long-lasting habit.

It reminds me of how lawyers are happy to accept signatures by fax. You could be a rather lousy forger, yet because of the huge and extremely black pixels, still make a passable forged signature over fax. You can even tape a real signature on the page, or make numerous corrections, because the resolution simply cannot show any of those details. There is not much one would consider reliable about a faxed document.

> It reminds me of how lawyers are happy to accept signatures by fax

The purpose of a lot of these sorts of requirements is not authentication. It's ensuring that if you do do it, you trigger the statutory requirement for some particular criminal offense.

For example, a jurisdiction might have a crime of forgery which is substantially easier to prosecute than fraud (perhaps fraud would need the prosecution to prove intent to make financial gain, whereas forgery might be satisfied as soon as you can prove a signature was forged -- hypothetical example, it will vary by jurisdiction and IANAL). These sorts of statutes might have been written before computers or even faxes, and there might be case law to the effect that forging someone's signature and sending it by fax does satisfy the requirements of the offence, but none yet for just writing your name at the bottom of an email; things like that.

If you fax a fake signature, and you have any real or potential gain at all - boom, in the US it's no longer a simple state court case, you are now guilty of (federal) wire fraud.

Twitter is one (of several) companies that have used your required phone number for marketing purposes. How is it you think they have any care about best practices?

Anyway, this is about shifting liability with minimal effort. As such, I'd consider it best practice. Of course, I'm using that term in a different way than you, but you just need to appreciate the goal here. It's not at all about "authenticating" you as a heretofore unknown, authorized member of the org -- that's extremely difficult, even at small scale.

It takes pretending to be someone you're not from 'a prank' to 'fraud', and as such is actually valuable.

I've been particularly amused by this, given that I work at a company which prints BCs and letterhead.

I mean... we still use physical signatures, too. Old habits die hard. But I suspect this has a lot more to do with proving that you are explicitly representing yourself to them as a member of the organization; not proving that you actually are part of the organization.

What do you propose they ask for instead? Plenty of "open source projects" are nothing more than some informal group working together. It's not like they are registered with the government.

A TXT record added to the domain seems like an obvious solution, especially for a tech company.

That's a reasonably "secure" identifier, but I suppose not everyone does it. So Twitter is a bit stuck trying to come up with "something", even if it's easily faked.

Same way a passport is, I guess? 99% of organisations that ask for a passport image have no way of knowing whether it is fake or not; a letterhead is slightly easier to mock up though.

I don't know how you all do it in the US, but ever since biometrics was introduced after 9/11 we have had open public access to verify passports on the Swedish Police website. https://polisen.se/en/services-and-permits/passport-and-nati... and we have a central organisation called PRADO with information on how to verify any EU country's passport. https://www.consilium.europa.eu/prado/en/prado-start-page.ht...

The PRADO website says it is not (yet) fit for purpose and you should go to your own country's agency to verify passports. The fact of the matter is that for most EU countries, you simply cannot verify them unless you are a government agency. I have had to figure out ways around this professionally, so I am reasonably certain this is accurate (at least up to a year or two ago).

Passports have verifiable codes on them. Letterheads can be copied like Word docs. Granted, that's not to say people will actually verify passports using the data, but it is there, compared to a letterhead being effectively just a random doc template.

I'm in the UK. If you give me a passport as ID I have no way of knowing if it is genuine. If you present a company letterhead I can, at least, check the company exists, verify your name is the same as a registered director and also see some basic financial history.

You can do all of that by just being told the company name, address etc. Why does it have to come in the form of stationery? It's just another hoop to jump through.

Keybase had a good system for authentication. You link your public key to multiple accounts, and use the private key to prove your identity. That seems more secure than physical signatures and letterheads, which can presumably be easily forged. But Keybase seems not to be developed anymore. Does anyone know what's the situation?

BGP speakers still discuss "letter of authority" despite RPKI being a thing for a decade.

Simple answer is: because there is literally no way to do it, and this used to be a reasonable approach before cheap hi-res printers became available.

Can you cite examples of this method of authentication being defeated?

Because it was the best idea someone had in 1950. And humans don't learn, you just wait for the old ones to die and new ones to enter the workforce with new ideas.

A better question might be why is a company considered a legal entity or even a technical entity? It has been said that they shouldn't be and that legality should rest with the individual companies' owner. This of course would end corporations and much of the crap they produce and force owners to be accountable to their word. Yes, a novel concept. But don't take my word for it. Read what Adam Smith had to say about it first in the Wealth of Nations.
https://www.ibiblio.org/ml/libri/s/SmithA_WealthNations_p.pd... Oh and this Noam Chomsky thought...
"When the corporatization of the state capitalist societies took place a century ago, in part in reaction to massive market failures, conservatives – a breed that now scarcely exists– objected to this attack on the fundamental principles of classical liberalism. And rightly so. One may recall Adam Smith's critique of the "joint stock companies" of his day, particularly if management is granted a degree of independence; and his attitude toward the inherent corruption of private power, probably a "conspiracy against the public" when businessmen meet for lunch, in his acid view, let alone when they form collectivist legal entities and alliances among them, with extraordinary rights granted, backed, and enhanced by state power."
— Noam Chomsky
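Two comments in the thread sketch a technical alternative to letterhead: a TXT record on the project's domain, and a Keybase-style proof where a key is linked to accounts and the private key proves control. The following is an added example (not Twitter's, Keybase's or any commenter's code) combining the two: the domain owner publishes a fingerprint of an Ed25519 public key in a `_keyproof.<domain>` TXT record, signs a statement binding the account handle to the domain, and a verifier checks both the DNS vouching and the signature. The record name, statement format and the in-memory `TXTResolver` are assumptions; a real verifier would resolve the record with `net.LookupTXT`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// TXTResolver is a constructed stand-in for DNS (record name -> TXT values); use net.LookupTXT for real.
type TXTResolver map[string][]string

// Fingerprint is the value the domain owner publishes in the _keyproof.<domain> TXT record.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "ed25519-fp=" + hex.EncodeToString(sum[:])
}

// Statement binds handle to domain, so a proof for one handle cannot be replayed for another.
func Statement(handle, domain string) []byte {
	return []byte("keyproof v1: " + handle + " is operated by the owner of " + domain)
}

// Verify accepts only if the domain vouches for this exact key AND the key signed the bound statement.
func Verify(r TXTResolver, handle, domain string, pub ed25519.PublicKey, sig []byte) (bool, string) {
	if len(pub) != ed25519.PublicKeySize { // ed25519.Verify panics on a wrong-size key, so check first
		return false, "bad public key size"
	}
	vouched := false
	for _, rec := range r["_keyproof."+domain] {
		if rec == Fingerprint(pub) {
			vouched = true
		}
	}
	if !vouched {
		return false, "domain does not publish this key's fingerprint"
	}
	if !ed25519.Verify(pub, Statement(handle, domain), sig) {
		return false, "signature does not match the handle/domain statement"
	}
	return true, "ok"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dns := TXTResolver{"_keyproof.example.org": {Fingerprint(pub)}} // constructed DNS record
	sig := ed25519.Sign(priv, Statement("@example_project", "example.org"))
	fmt.Println(Verify(dns, "@example_project", "example.org", pub, sig)) // true ok
}
```

An impostor who controls neither the domain's DNS nor the vouched-for private key fails at the fingerprint check or the signature check respectively, which is exactly what a letterhead cannot enforce.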