Won't work for people only using cryptocurrencies (no ID required) AND people don't always look like their ID picture all the time. It would not be too hard for me to look like a lot of generic white males if I just know the hair colour and some basic facial features for a blurry, badly lit picture.
Good points.
I guess some trade-offs for people who do not want to verify are unavoidable. If Bitfinex has no clue who is the rightful owner of an account then they can't possibly verify who the rightful owner is. I guess those who do not want to verify would have to decide if they want privacy or the ability to recover their account if something happens?
As for blurry, badly lit pictures, that is true but it could be solved by "The picture is too unclear, please take a better one". This would not help if the picture on the ID is unclear, though. I also see your point about generic $color males, but it does make it slightly harder for some. You will, for example, have a hard time looking Chinese if you are black?
Please share any better suggestions if you have any. Anxbtc verifies accounts by sending something to the physical post address you provide. That is just as secure as your mailbox is but it does prevent some hacker on the other side of the planet from typing some things into his keyboard and gaining access to your account (you can hack e-mail accounts remotely but you need to actually go to the physical mailbox to pick a letter out of it).
There are trade-offs as to what the second factor here should be. My concern is that there should be one; taking control over the e-mail account (one factor) should not be enough to a) change the password and b) remove/change Google OTP because (I know I am repeating myself but this is an important point) that is NOT 2FA, it's 1FA. Any actual second factor would add to the security model.