@nixCraft Doing security processes cheaply works until the attackers gain a capability that allows them to attack it cheaply.

For example, in Canada, I can log into the tax authority (CRA) using a trusted bank as an identity provider, most of which still do KYC the old-fashioned way, at the bank branch with Gov ID and so on (which is more expensive for an attacker, and harder to scale, not impossible though).

Cat and mouse, the game continues.