After filing a violation with Twitter support for an account impersonating an open-source project I work on (posting fake news, etc.), Twitter has asked that I verify myself as being part of the organisation being impersonated by providing a copy of my business card or a signed company letterhead.

This is not the first time I've been challenged to provide a company letterhead as a form of authentication by a large, reasonably sophisticated company. How is this still considered quality best practice?
You've gotta split it into 'technical auth' and 'legal auth'.

Legal auth is simply making sure they can sue you, and/or get you sent to prison if you circumvent their system.
I have as well. Even a really long time ago, so it sounds like a long-lasting habit.

It reminds me of how lawyers are happy to accept signatures by fax. You could be a rather lousy forger, yet because of the huge and extremely black pixels, still make a passable forged signature over fax. You can even tape a real signature on the page, or make numerous corrections, because the resolution simply cannot show any of those details. There is not much one would consider reliable about a faxed document.
Twitter is one (of several) companies that have used your required phone number for marketing purposes. How is it you think they have any care about best practices?

Anyway, this is about shifting liability with minimal effort. As such, I'd consider it best practice. Of course, I'm using that term in a different way than you, but you just need to appreciate the goal here. It's not at all about "authenticating" you as a heretofore unknown, authorized member of the org -- that's <i>extremely</i> difficult, even at small scale.
I mean... we still use physical signatures, too. Old habits die hard.

But I suspect this has a lot more to do with proving that you are explicitly representing yourself to them as a member of the organization; not proving that you actually are part of the organization.
What do you propose they ask for instead?

Plenty of "open source projects" are nothing more than some informal group working together. It's not like they are registered with the government.
Same way a passport is, I guess? 99% of organisations that ask for a passport image have no way of knowing whether it is fake or not, a letterhead is slightly easier to mock up though.
Keybase had a good system for authentication. You link your public key to multiple accounts, and use your private key to prove your identity.

That seems more secure than physical signatures and letterheads, which can presumably be easily forged.

But Keybase seems not to be developed anymore. Does anyone know what's the situation?
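The mechanism this comment describes, in simplified form, as an added example (not the commenter's code and not Keybase's own implementation): a project publishes an Ed25519 public key on its account profile, and a relying party such as a support desk issues a fresh nonce that the claimant signs with the matching private key. The `Profile` type, the challenge message format, and the account name `example-project` are all constructed for the example. Unlike a letterhead, a forged proof (one made with a different private key) and a replayed proof (a genuine signature reused for a later nonce) both fail verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Profile is a constructed stand-in for an account's public page: the account
// name plus the hex-encoded Ed25519 public key the owner has published there.
type Profile struct {
	Account   string
	PublicKey string // hex-encoded ed25519 public key
}

// ChallengeMessage is the exact byte string the claimant signs. Binding both the
// account name and a verifier-chosen nonce into it means a signature captured
// once cannot be reused for another account or for a later challenge.
func ChallengeMessage(account, nonce string) []byte {
	return []byte("I control the account " + account + " :: nonce=" + nonce)
}

// Sign is the claimant's side: produce the proof with the private key.
func Sign(priv ed25519.PrivateKey, account, nonce string) []byte {
	return ed25519.Sign(priv, ChallengeMessage(account, nonce))
}

// Verify is the relying party's side: the proof must verify under the key
// published on the named profile, for this exact nonce. A malformed key is
// treated as a failed verification rather than a panic.
func Verify(p Profile, nonce string, sig []byte) bool {
	pub, err := hex.DecodeString(p.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), ChallengeMessage(p.Account, nonce), sig)
}

// NewNonce returns 16 random bytes, hex-encoded, for a fresh challenge.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	// The maintainer generates a keypair and publishes the public half (constructed).
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	profile := Profile{Account: "example-project", PublicKey: hex.EncodeToString(pub)}

	nonce, _ := NewNonce()
	proof := Sign(priv, "example-project", nonce)
	fmt.Println("genuine proof verifies: ", Verify(profile, nonce, proof))

	// An impersonator holds no private key matching the published one.
	_, forgerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Sign(forgerPriv, "example-project", nonce)
	fmt.Println("forged proof verifies:  ", Verify(profile, nonce, forged))

	// A genuine signature replayed against a new nonce also fails.
	nonce2, _ := NewNonce()
	fmt.Println("replayed proof verifies:", Verify(profile, nonce2, proof))
}
```

The verifier never needs to know who the claimant is as a person; it only checks that whoever answers the challenge controls the key the account published, which is the property a support desk actually wants when an impersonation report comes in.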
Simple answer is: Because there is literally no way to do it, and this <i>used</i> to be a reasonable approach before cheap hi-res printers became available.
Because it was the best idea someone had in 1950. And humans don't learn, you just wait for the old ones to die and new ones to enter the workforce with new ideas.
A better question might be why is a company considered a legal entity or even a technical entity? It has been said that they shouldn't be and that legality should rest with the individual companies' owner. This of course would end corporations and much of the crap they produce and force owners to be accountable to their word. Yes, a novel concept.

But don't take my word for it. Read what Adam Smith had to say about it first in the Wealth of Nations.
<a href="https://www.ibiblio.org/ml/libri/s/SmithA_WealthNations_p.pdf" rel="nofollow">https://www.ibiblio.org/ml/libri/s/SmithA_WealthNations_p.pd...</a>