2FA using a postcard!
Upon joining the hyper-local social network "Nextdoor", users are asked to verify their postal address.
One option they offer is to have them send you a card in the post. So, I signed up, entered my address, and waited. A few days later, this popped through my letterbox.
A few random thoughts...
- ✅ This is a nifty way to lightly verify someone's address! A service could ask for scans of utility bills, or driving licences, but this is a lot simpler.
- ✅ Bulk mailing seems to cost around 25p per card - much more expensive than an SMS - but relatively cheap as part of their cost per acquisition.
- ❌ It sort-of lets the postie know my email address. The user part is redacted and truncated - but do I want other people to know I still use AOL? Or that I work for a shadowy cabal? Or that I'm @something_very_rude dot info?
- ❌ It says "Code expires in 3 days" - from when? It usually takes Royal Mail a day to deliver mail, but that is not guaranteed. Perhaps a specific expiry date should be printed on the card?
- ❌ That 2FA code is short. I assume that there is rate limiting on the submission form, but would a longer code hinder usability?
- ❌ The help URL - help.nextdoor.co.uk - doesn't work! It goes to a broken site. I suspect they meant to use the .com variant. Every URL on your marketing needs to be thoroughly and regularly tested.
- ❌ For that matter nextdoor.co.uk/Postcard and nextdoor.co.uk/POSTCARD also don't work. In all my years of user testing, I've learned that users rarely respect case-sensitivity. Paths should not be case sensitive - and 404 pages should guide the user rather than producing an error message.
Overall, not bad. I wouldn't want a postcard every time I had to sign up for a new social network - but the general concept works well. In this specific example, Nextdoor need to pay a bit more attention to how users will actually react to the card.
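To make the three code-related points above concrete (an absolute expiry date printed on the card, a guess budget on the submission form, and how code length trades against that budget), here is an added example of how the server side of such a postcard check could look. It is not Nextdoor's code; the 6-digit length, the 5-attempt budget and the posting date are assumptions, since the post only says the code is "short".

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

CODE_LENGTH = 6    # assumed: the post only says the code is "short"
MAX_ATTEMPTS = 5   # assumed guess budget per pending verification
VALID_DAYS = 3     # "Code expires in 3 days", counted from the posting date


@dataclass
class PendingVerification:
    code: str
    expires_on: date   # absolute date: this is what should be printed on the card
    attempts: int = 0
    verified: bool = False


def issue_code(posted_on: date) -> PendingVerification:
    """Generate a random numeric code and fix its expiry to a calendar date
    anchored at the day the card is posted, not the day it is delivered."""
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    return PendingVerification(code, posted_on + timedelta(days=VALID_DAYS))


def card_text(pv: PendingVerification) -> str:
    """Text for the card: the expiry is a date, so 'from when?' never arises."""
    return f"Your code is {pv.code}. Enter it by {pv.expires_on.isoformat()}."


def verify(pv: PendingVerification, submitted: str, today: date) -> str:
    """Check a submitted code: expiry and attempt budget are enforced before
    the comparison, and the comparison itself is constant-time."""
    if pv.verified:
        return "already-verified"
    if today > pv.expires_on:
        return "expired"
    if pv.attempts >= MAX_ATTEMPTS:
        return "locked"
    pv.attempts += 1
    if hmac.compare_digest(pv.code, submitted.strip()):
        pv.verified = True
        return "ok"
    return "wrong"


def guess_probability(code_length: int, max_attempts: int) -> float:
    """Chance that someone exhausting the attempt budget hits a random
    numeric code of this length: the number to watch when deciding whether
    a short code is acceptable given the rate limit on the form."""
    return max_attempts / 10 ** code_length
```

With a fixed attempt budget, adding one digit to the code cuts the guess probability tenfold, so the usability question in the post is really "how many attempts do we allow" as much as "how long is the code".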
Richard Bairwell says:
Microsoft do this for Bing "Verify my business" sign ups - a verification pin is sent (6 digits long) via US Postage ($1.15 to here in the UK) but apart from the mailing name, "Business to verify" details (name, address) and the generic http://www.bingplaces.com/verifymybusiness url ("Login with your existing Microsoft account"), there's nothing really personal about it.
Sky says:
"Code expires in 3 days" is a fake appeal to urgency. I forgot mine in my truck for a few weeks and it still worked.
R. S says:
(Or, "Code expires in 3 days" was implemented incorrectly, and there's a security bounty opportunity in reporting it!)