Tell HN: Please help spread the word: Stop relying on email so much

1 points by notepad0x90 11 hours ago

HN,

Every major cloud service over-relies on email. I can't log in without access to my email on so many services. I am now trying to do something important and time-sensitive, but the service isn't letting me log in because ProtonMail is down.

I have a username and password with these services, and MFA on top of that. If I lost those credentials and they relied on email for recovery, I can understand that. I am talking about the actual login experience requiring codes to be sent to my email despite all that.

Not only that, these codes are included in the subject line of the mail. The subject of an email should be treated as public information, similar to the information on a paper envelope containing secret mail. Essentially, my login credentials are being sent in clear-text for the world to see.

In my view, this is a (and dare I say!) lazy application design that is insecure and prone to failure like what I am experiencing now.

Users' random webmail providers are not SSO providers. Email does not replace federated SSO. If users are not SSO-federated, they should be using proper username, password, and a second factor of authentication.

I just wanted to get the word out there and raise awareness about this undesirable design pattern.