2FA using a postcard!


Upon joining the hyper-local social network "Nextdoor", users are asked to verify their postal address.

One option they offer is to have them send you a card in the post. So, I signed up, entered my address, and waited. A few days later, this popped through my letterbox.

A postcard from Nextdoor - there is a 2FA code printed on it

A few random thoughts...

  • ✅ This is a nifty way to lightly verify someone's address! A service could ask for scans of utility bills, or driving licences, but this is a lot simpler.
  • ✅ Bulk mailing seems to cost around 25p per card - much more expensive than an SMS - but relatively cheap as part of their cost per acquisition.
  • ❌ It sort-of lets the postie know my email address. The user part is redacted and truncated - but do I want other people to know I still use AOL? Or that I work for a shadowy cabal? Or that I'm @something_very_rude dot info?
  • ❌ It says "Code expires in 3 days" - from when? It usually takes Royal Mail a day to deliver mail, but that is not guaranteed. Perhaps a specific date should be printed on there?
  • ❌ That 2FA code is short. I assume that there is rate limiting on the submission form, but would a longer code hinder usability?
  • ❌ The help URL - help.nextdoor.co.uk - doesn't work! It goes to a broken site. I suspect they meant to use the .com variant. Every URL on your marketing needs to be thoroughly and regularly tested.
  • ❌ For that matter nextdoor.co.uk/Postcard and nextdoor.co.uk/POSTCARD also don't work. In all my years of user testing, I've learned that users rarely respect case-sensitivity. Paths should not be case sensitive - and 404 pages should guide the user rather than producing an error message.
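One way to handle the server side of a posted code, as an added example that is not Nextdoor's code: the code comes from a CSPRNG, the expiry is anchored at the posting date plus a delivery allowance (so a concrete date can be printed on the card), and guesses are capped per card so that a short code remains hard to brute-force. The policy values below are assumptions, not Nextdoor's.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values (not Nextdoor's): a 6-digit code, 5 guesses per card,
# expiry counted from the posting date plus a delivery allowance.
CODE_DIGITS = 6
MAX_ATTEMPTS = 5
POST_DAYS = 4          # allowance for Royal Mail delivery
VALID_DAYS = 3         # the "3 days" printed on the card, counted from delivery


def generate_code() -> str:
    """Random, zero-padded numeric code from a CSPRNG (never random.randint)."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


@dataclass
class PostcardVerification:
    code: str
    posted_on: date
    attempts: int = 0
    verified: bool = False

    @property
    def expires_on(self) -> date:
        # A concrete date to print on the card removes the "3 days from when?" ambiguity.
        return self.posted_on + timedelta(days=POST_DAYS + VALID_DAYS)

    def submit(self, candidate: str, today: date) -> str:
        """Check one user submission; returns a status string for the web form."""
        if self.verified:
            return "already-verified"
        if today > self.expires_on:
            return "expired"
        if self.attempts >= MAX_ATTEMPTS:
            return "locked"
        self.attempts += 1
        # Constant-time compare; tolerate spaces the user typed between digit groups.
        if hmac.compare_digest(candidate.replace(" ", ""), self.code):
            self.verified = True
            return "ok"
        return "locked" if self.attempts >= MAX_ATTEMPTS else "wrong"


def guess_success_probability() -> float:
    """Chance that someone who never saw the card wins within the attempt cap."""
    return MAX_ATTEMPTS / 10 ** CODE_DIGITS
```

With the attempt cap in place the code length trades off against usability rather than against guessability: six digits and five tries gives a blind attacker a 5-in-a-million chance per card.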

Overall, not bad. I wouldn't want a postcard every time I had to sign up for a new social network - but the general concept works well. In this specific example, Nextdoor need to pay a bit more attention to how users will actually react to the card.

3 thoughts on “2FA using a postcard!”

  1. Microsoft do this for Bing "Verify my business" sign ups - a verification pin is sent (6 digits long) via US Postage ($1.15 to here in the UK) but apart from the mailing name, "Business to verify" details (name, address) and the generic http://www.bingplaces.com/verifymybusiness url ("Login with your existing Microsoft account"), there's nothing really personal about it.

  2. "Code expires in 3 days" is a fake appeal to urgency. I forgot mine in my truck for a few weeks and it still worked.

    1. (Or, "Code expires in 3 days" was implemented incorrectly, and there's a security bounty opportunity in reporting it!)
