I'm not Alexis, but we just looked over your ticket together. I think the initial place where this became more complicated was the assumption made during the first reply to your ticket, which was that you had already exhausted the password reset attempts. You mentioned (here, not in the ticket) not receiving them; maybe we should have tried harder to figure out why the password reset option wasn't working for you.
At any rate, once that point is reached, we act with the security of the domain in mind. If the handle in question belongs to an individual and you have access to the email associated with the account, it's as easy as sending a copy of your ID. In this case it was a company handle, which requires some proof that you're authorized to act on behalf of the company.
This kind of situation is exactly why we offer reseller-type accounts (free of charge), which allow you to control your clients' domains and handles from one place, while leaving the domains in their name.
Given that there may have been an easier solution available, I'm sorry this went down the way it did. But at the same time, we don't think it's unreasonable to ask for proof of ID when you're trying to gain access to an account: We don't have access to any payment information that could reliably identify you, as it all goes directly through our payment processor. We understand when you explain the situation, but such explanations are all too often indistinguishable from social engineering, and so we take it a step further--for the sake of the security of people's domains.
We are humans, but we're paranoid humans, and a great deal of our customers appreciate that.
If you ever decide to give us another chance, you can reach me at aj (at) gandi.net. I can help you set up a reseller account (and do my best to restore your faith in us).
I understand wanting to verify my identity; if you had asked me to just send a copy of my personal identification and then checked that against the payment information that you could have on file in a totally secure way, I would have groused but probably done it without too much complaint. (I might have pointed out how easy it is to falsify a scan of a driver's license, and how that makes this all smell a bit like security theater rather than real security...)
I didn't consider a reseller account because in this particular case the plan was just to be the guy that set up the account for the client and then hand everything off to the client, since that's what they wanted. Maybe that would've worked better.
I dig that Gandi takes social engineering into consideration and it's great that you want to do your best to make sure your customers don't have their domains stolen by bad actors, but I think there might be some room for improvement in figuring out who is and isn't a bad actor. This experience with Gandi was unusual compared to a lot of other companies I have to deal with, most of whom have to have some level of data security policies in place.
> We don't have access to any payment information that could reliably identify you, as it all goes directly through our payment processor.
That seems odd. I wonder if this is a technical limitation of your payment processor, or just something that's not implemented on your end, or if there's some other consideration that's keeping you from making it work. I'm pretty sure authorize.net makes transaction information available in a secure way to vendors, as does Stripe and a small number of other forgettable payment gateways I've had to write code for over the years.
If you did have the ability to see the last four of the credit card used to create the account (and I understand you didn't/don't), you could have asked that in a challenge/response manner and I think that would be even better than asking me to send fakeable images of identification -- which violates my personal security, because I have no guarantees whatsoever for what a company does with a scan of my driver's license after they receive it.
Anyway, I do appreciate you reaching out and taking the time to look into this; that shows you do care about your reputation.