tzs 9 days ago

Services that use passwords for login need to do that too, because people lose passwords.

Even services that use login via emailed link need to do it because people do lose email access. Far too many people use the email provided by their ISP as their only email service, which can be very bad if they move to someplace that ISP does not serve or simply want to switch to another ISP in their current area.

hombre_fatal 9 days ago

The forgot-my-password email link has a customer support load very different from "I can't do 2fa because I lost my device".

And once you set up a customer service pipeline for it, you might accidentally create a backdoor that's far worse than forgot-my-password email verification: https://medium.com/@espringe/amazon-s-customer-service-backd...

Email account access is the closest thing we have to ubiquitous identity on the web. Users that truly lose access to their email account are in a catastrophic situation before they even think of whether they can access your service.