> But they don't have a problem - they just don't use the passwordless sites.
If nothing else, the idea of having a separate e-mail account/inbox per use case is an interesting one!
Much like those people that use aliases or something of the sort to be able to tell where who sent then a particular email, like if suddenly some shop+my.account@gmail.com started getting random marketing mails.
> If anybody, it's the sites having the problem of missing users.
I mean, isn't that just the consequence of websites optimizing for whatever seems to work for them and forgetting about the minority of users? It might be missed profit, sure, but that depends on just what portion of the users view this as a dealbreaker.
Maybe there could be an app like Google Authenticator that would offer login to multiple websites through one's phone? We already have that in Latvia somewhat, for banking - you enter your user details in the web form and get a prompt on your phone for your PIN to log in with in the web app: https://www.smart-id.com/
Thats a crazy level of risk assessment for an average user.
> how does your password manager help you if your email password gets leaked?
You still need my TOTP codes in my case at least, which conveniently are stored in my password manager. Is it perfectly secure? No, of course it's not, but frankly my risk profile isn't worrying about a targeted attack on me and my password manager, it's worrying about leaked shared credentials.
Side note, I also get a push notification on my phone whenever a new device logs on, so unless the attack is _extremely_ targeted, well timed and they know what they want, Its not a risk for me.
> Thats a crazy level of risk assessment for an average user.
It really isn't. Think about it for a second: how hard is it to spot phishing attempts when they are sent to an email address you know for a fact you're not using with a service?
And how vulnerable are you to phishing if your special-purpose email address that you only use for one specific purpose receives zero spam?
To claim that the most basic and easy internet security precautions are at a "crazy level", first you need to somehow believe that no one is targeted by these schemes. But somehow there's a whole international industry that thrives on stuff like Western Union transfers. Why is that?
Perhaps instead of telling everyone to think on things for a second, you should think on things for longer than a second?
>And how vulnerable are you to phishing if your special-purpose email address that you only use for one specific purpose receives zero spam?
This would depend on how you setup the email address, if it truly a separate email address i.e a separate account not just an alias then phishing is not the concern but management of the accounts becomes a huge problem
I use separate alias's for every service against my own custom domain that has a single email account. This is not to prevent phishing but to detect when a breach occurred or when my info is sold, you assume that when you sign up for a service only that service will ever have access to your info, many many many companies and service sell your email address to marketers.
Do you think youre going to get scammed and send a fraudulent Western Union transfer? What do you think the venn diagram overlap between "uses a specific email for each service" and "gets phished" is? The people that even have the capacity to do the first aren't going to fall into the second. If someone is sending fraudelent transfers to scammers, they're not going to be smart enough to create multiple emails.
> Do you think youre going to get scammed and send a fraudulent Western Union transfer?
I know for a fact that there are targeted phishing campaigns aimed at users of specific services such as LinkedIn and GitHub and Twitter and etc, primarily because I've been targeted by them.
> What do you think the venn diagram overlap between "uses a specific email for each service" and "gets phished" is?
I know for a fact that the Venn diagram of phishing attempts sent to email accounts that are not used by those services is practically zero.
Do you understand how trivial it is to identify and filter out these attacks when they are sent to addresses that are already known beforehand that are not used for that purpose?
> To claim that the most basic and easy internet security precautions are at a "crazy level",
Basic and easy internet precautions are not "register and run a domain and host your mail yourself". Basic and easy precautions are don't reuse passwords/use a password manager, use a reputable email provider, enable 2fa with totp, and dont click links from your emails
> first you need to somehow believe that no one is targeted by these schemes.
I don't see how you come to that conclusion at all. The assumption is that _everyone_ is targeted by those schemes.
> But somehow there's a whole international industry that thrives on stuff like Western Union transfers. Why is that?
Because they're low risk high reward, easy to set up, and you only need to make one mistake.
You are right of course in one sense, but look at the comments here! If the HN crowd is still sending verification links rather than codes to be copy and pasted, that implies regular folks are still clicking the links..
can you name even one service that uses login links and allows you to configure an address that is exclusively used for login links and not any other communication?
i'm not talking about unselecting all other types of communication, but rather having the service store 2 different emails for you. one for logging in and one for communication.
That is a fair point, indeed this would probably make the configuration page extremely complex.
I guess my suggestion would only work for cases where you don’t really care much about other kinds of notifications.
