Bootstrapping identity without an existing identifier to base it on is a difficult problem.
On one hand, it is a barrier to entry. On the other hand, without some barrier, you can be subjected to spam.
One option to deal with it is Web of Trust, with users who have been vouched by the operator being able to vouch other users, and so on.
So, if I forgot my "password" (private key), I can log in with a new key, and say, "my name is Joe, please verify me", and confirm it via out-of-band with another human.
If you have access to at least one device with a valid key, you can vouch the new key with an existing one.
And if any improper vouching is detected, you can trim the vouch tree at the problem node with all downward nodes also becoming disallowed.
This is basically the (PGP-based) account system I've built in sHiTMyseLf.
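The vouch tree and trimming described in the comment above, as an added Python example (not the commenter's code or the system they mention). Key names are constructed placeholders, the class and method names are hypothetical, and verifying the PGP signature on each vouch is assumed to happen before `vouch` is called.

```python
class VouchTree:
    """Vouch tree rooted at the operator's key; every other key has one sponsor."""

    def __init__(self, operator_key):
        self.operator = operator_key
        self.sponsor = {}     # key -> key that vouched for it
        self.trimmed = set()  # nodes where improper vouching was detected

    def is_valid(self, key):
        # A key is valid only if an untrimmed sponsor chain reaches the operator.
        while key != self.operator:
            if key in self.trimmed or key not in self.sponsor:
                return False
            key = self.sponsor[key]
        return True

    def vouch(self, sponsor_key, new_key):
        # Assumption: the signature sponsor_key made over new_key is already verified.
        if not self.is_valid(sponsor_key):
            raise PermissionError(f"{sponsor_key} is not allowed to vouch")
        if new_key == self.operator or new_key in self.sponsor:
            # Known keys are never re-parented; a disallowed user returns with a new key.
            raise ValueError(f"{new_key} is already in the tree")
        self.sponsor[new_key] = sponsor_key

    def trim(self, key):
        # Cut the tree at `key` and return every key that lost access as a result.
        if key == self.operator:
            raise ValueError("cannot trim the operator root")
        before = {k for k in self.sponsor if self.is_valid(k)}
        self.trimmed.add(key)
        return {k for k in before if not self.is_valid(k)}


if __name__ == "__main__":
    tree = VouchTree("operator")              # constructed sample keys
    for sponsor, new in [("operator", "alice"), ("alice", "bob"),
                         ("bob", "carol"), ("bob", "erin"), ("alice", "dave")]:
        tree.vouch(sponsor, new)
    tree.vouch("dave", "dave-new")            # recovery: old device vouches the new key
    print("disallowed after trim:", sorted(tree.trim("bob")))
    print("alice still valid:", tree.is_valid("alice"))
```

Because validity is computed by walking the sponsor chain, trimming one node disallows its whole subtree without touching the records below it.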
Do you have any articles to learn more about this? I’ve been thinking about this exact problem with many companies requiring hoops like phone numbers for antispam purposes. But all they really care about is that it’s a human not a bot.
So some way to have an independent central website with a list of valid but anonymous keys could be used to sign up for any online service and prove you’re a human. Sort of like id.me. I’d almost be okay needing to get a letter in the mail for initial registration.
I'm thinking along similar lines (including physical mailing of smartcards or something similar). I like building AGPL software and take on commercial work from time to time. Maybe I should write an article ; )
Email is in my profile.
EDIT: check out the upspin.io project; it's written in Go and has a lot of thought put in.
I don't know how reliable a proof a received mailing is. I guess it's proof of something...
I think a much more reliable proof is a vouch from another member who signs up to be your "sponsor" -- responsible for all your actions.
If you're interested in seeing a working prototype, check my profile. Some of the things I described have to be done manually for now, however, until the UI is finished.