2FA using a postcard!

Upon joining the hyper-local social network "Nextdoor" - users are asked to verify their postal address.

One option they offer is to have them send you a card in the post. So, I signed up, entered my address, and waited. A few days later, this popped through my letterbox.

A postcard from Nextdoor - there is a 2FA code printed on it

A few random thoughts...

  • ✅ This is a nifty way to lightly verify someone's address! A service could ask for scans of utility bills, or driving licences, but this is a lot simpler.
  • ✅ Bulk mailing seems to cost around 25p per card - much more expensive than an SMS - but relatively cheap as part of their cost per acquisition.
  • ❌ It sort-of lets the postie know my email address. The user part is redacted and truncated - but do I want other people know I still use AOL? Or that I work for a shadowy cabal? Or that I'm @something_very_rude dot info?
  • ❌ It says "Code expires in 3 days" - from when? It usually takes Royal Mail a day to deliver mail, but that is not guaranteed. Perhaps a specific date should be printed on there?
  • ❌ That 2FA code is short. I assume that there is rate limiting on the submission form, but would a longer code hinder usability?
  • ❌ The help URL - help.nextdoor.co.uk doesn't work! It goes to a broken site. I suspect they meant to use the .com variant. Every URL on your marketing needs to be thoroughly and regularly tested.
  • ❌ For that matter nextdoor.co.uk/Postcard and nextdoor.co.uk/POSTCARD also don't work. In all my years of user testing, I've learned that users rarely respect case-sensitivity. Paths should not be case sensitive - and 404 pages should guide the user rather than producing an error message.

Overall, not bad. I wouldn't want a postcard every time I had to sign up for a new social network - but the general concept works well. In this specific example, Nextdoor need to pay a bit more attention to how users will actually react to the card.

Share this post on…

3 thoughts on “2FA using a postcard!”

  1. Microsoft do this for Bing "Verify my business" sign ups - a verification pin is sent (6 digits long) via US Postage ($1.15 to here in the UK) but apart from the mailing name, "Business to verify" details (name, address) and the generic http://www.bingplaces.com/verifymybusiness url ("Login with your existing Microsoft account"), there's nothing really personal about it.

  2. Sky says:

    "Code expires in 3 days" is a fake appeal to urgency. I forgot mine in my truck for a few weeks and it still worked.

    1. R. S says:

      (Or, "Code expires in 3 days" was implemented incorrectly, and there's a security bounty opportunity in reporting it!)


What links here from around this blog?

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">