Humans executing security policy (inherently imperfectly) versus ML algorithms executing security policy (deliberately imperfectly) is not the main issue. The real problem is that the industry hasn't purposefully sat down and hammered out the full contours of user verification. Each company just starts off with simple passwords, bolts on a few other arbitrary mechanisms, and then forces that on their customers - residual probabilities and collateral damage be damned.
Strong passwords, hardware security keys, shared secrets meant for offline storage, SMS challenge, other accounts, snail mail address verification, notarization (governmental identity), voiceprints, time delays, etc. Each one represents its own tradeoff of convenience versus reliability versus forgeability versus privacy.
Users should be able to pick their own policies. For an email account where I've already provided my real world governmental identity, I'd most likely prefer snail mail address verification plus notarization (combined with notifications to the account and a waiting period). Whereas for another where I've deliberately avoided spilling my governmental identity, I should be able to express that a password plus hardware security key is the highest level of verification there will ever be.
Furthermore, companies need to make their own rules for falling between everyday access to account recovery explicit, and allow users to express preferences there too. There should be no cases of the wind blowing from the east so we require account recovery today, forcing users to be policed on what IP addresses they're coming from, etc.
Strong passwords, hardware security keys, shared secrets meant for offline storage, SMS challenge, other accounts, snail mail address verification, notarization (governmental identity), voiceprints, time delays, etc. Each one represents its own tradeoff of convenience versus reliability versus forgeability versus privacy.
Users should be able to pick their own policies. For an email account where I've already provided my real world governmental identity, I'd most likely prefer snail mail address verification plus notarization (combined with notifications to the account and a waiting period). Whereas for another where I've deliberately avoided spilling my governmental identity, I should be able to express that a password plus hardware security key is the highest level of verification there will ever be.
Furthermore, companies need to make their own rules for falling between everyday access to account recovery explicit, and allow users to express preferences there too. There should be no cases of the wind blowing from the east so we require account recovery today, forcing users to be policed on what IP addresses they're coming from, etc.