alt Hacker NewsThat all makes perfect sense but consider that if they simply punted to the bank as I described they would still get the same benefits only with even less complexity. The bank fundamentally has to do robust identity verification. Any party that needs to handle payments while also lacking a reason to be good at performing in house identify verification really ought to make use of the bank because you are highly unlikely to be better at it than they are.
The entire cumbersome process you describe can be viewed as Google doing a significantly worse job of verifying your identity than the bank would have.
As an aside, I suspect that leaving it to the bank would also provide additional legal protection. Specifically anyone attempting deception will most likely be forced to commit fraud against the bank which will probably be taken much more seriously than otherwise.
Replies
I agree, in Europe(EU, UK, Turkey and other countries) banks are considered perfect for proof of ID. In UK a bank statement is as good as an ID, in Turkey for example, you can sign in into the government portal through your online banking and it is considered higher level secure authentication and you can take high risk actions(like signing legally binding contracts) that you can't do by signing in just with password and 2FA.
The bank has to perform the authorization and identity checks, but the bank will not make them for you, they do them for themselves based on their own risk analysis. The scope of authorization could also be different based on who it's presented to.
The authorization is not transitive so to say.
>As an aside, I suspect that leaving it to the bank would also provide additional legal protection
If it would, they will have to pay the bank for it and the bank should also be willing to accept the liability (spoiler alert -- the will not be willing to accept the liability)