As I see it, the problem is that the email address has been conflated with your identity, and that is extremely problematic. It should only ever have been a somewhat transient reachability identifier. As an identity it then gets linked to concepts like authorization and trust, eg "we'll send this code to your email, because we implicitly trust that only you can see your email, and that you'll always be able to get to it."
Every so often one sees a cri de coeur from someone who has learned this lesson the hard way when Google locks them out of their account, the key to their digital life evaporates, there's nothing they can do about it.
Alternative identifiers exist, eg handles on sites like HN, but they are second-order artifacts of the email as ID.
Given the stakes, then, you have to decide whether to try and control your identity by building your own infra for email (domain, mail server, dkim etc and a fair bit of hell), paying for someone to run the infra (eg getting a proton or fastmail address), and hoping they don't enshittify or fail, or letting Google or Microsoft control it and hoping you don't fall foul of them. All these options have drawbacks.
Side musing follows: I don't know what the solution to identity is on the Internet. A very long time ago, X.509 certs issued by quasi government authorities was mooted as part of an international directory system. I can see a future authoritarian state falling in love with this idea again, esp with the resulting lack of anonymity... but also the ability to "kill" people on the Internet simply by revoking their cert.
Not just email - today it's almost impossible to have a decent life without a (smart) phone and being tied-in through OTP verification.
All these things have become so essential that it's shocking that it's not regulated like a utility (or even as a right given their systemic imposition).
OTP verification can largely be worked around because so many sites still use SMS codes which a dumb phone can handle. Similarly, 2FA codes can be handled on a PC without requiring a smart phone. It adds hurdles but can be done.
Where it becomes challenging is situations where smart phones truly are required. When I attended college football games last fall, all tickets were e-tickets. You were required to present a QR code on your device or your ticket stored in Apple Wallet or Google Wallet. I ran into the same situation with my local theater's ticketing. You haven't lived until you've witnessed an audience with an average age of 70 try to figure out their tickets on their smartphones when they've never used them for that before nor had any notion that was even POSSIBLE.
I don't understand why client certificates aren't way more common as a second factor. They have existed forever, are available on all platforms, they are phishing resistant (unlike OTP, and don't get me started on SMS), browsers or OSs could generate them during setup, and you could enroll them seamlessly with one click. Instead we had to invent new things like passkeys which do essentially the same thing.
You can use client certificates even with IMAP and SMTP.
> I don't understand why client certificates aren't way more common as a second factor.
I think there are some significant limitations to client certificates as a general-purpose 2FA mechanism.
Reusing the same certificate would make you trivially trackable across the web. You could create a unique certificate for every origin, but you need a way to permanently store the certificate. That becomes a problem if you want to secure them with hardware tokens where storage is limited. Yubikey 5 series can only store a handful of certificates.
Passkeys (i.e. resident FIDO2 keys) aren't intended to be a second factor, they're intended to be the only factor but they also require storage. Yubikey 5 can only store 25 resident keys, for example.
Non-resident FIDO2 keys (previously U2F) are what's traditionally used for 2FA. The hardware token derives key material from its master key and credential ID provided by the browser and the server, so it doesn't require any storage.
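An added example (my own code, not from the thread or any token vendor's firmware) that models the stateless scheme described above: the token keeps only a master secret, the credential ID it hands the server is a nonce plus an HMAC tag bound to the relying-party ID, and the per-site key is recomputed from those inputs on every use. The real protocol derives an ECDSA P-256 key pair; here a 32-byte seed stands in for the private key, which is enough to show why no per-site storage is needed and why a credential ID from one origin is useless at another.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple

class StatelessAuthenticator:
    """Toy model of a non-resident FIDO2/U2F token: one master secret, no per-credential storage."""

    def __init__(self, master_secret: bytes):
        self.master = master_secret  # the only secret the token ever holds

    def _mac(self, *parts: bytes) -> bytes:
        # Length-prefixed HMAC-SHA256 over the parts, so fields cannot run into each other.
        h = hmac.new(self.master, digestmod=hashlib.sha256)
        for p in parts:
            h.update(len(p).to_bytes(2, "big") + p)
        return h.digest()

    def _derive_seed(self, credential_id: bytes, rp_id: str) -> bytes:
        # Stand-in for the private key: deterministic in (master, credential ID, rp_id).
        return self._mac(b"seed", credential_id, rp_id.encode())

    def register(self, rp_id: str) -> Tuple[bytes, bytes]:
        """Return (credential_id, key_seed). The server stores credential_id; the token stores nothing."""
        nonce = secrets.token_bytes(16)
        tag = self._mac(b"cred", nonce, rp_id.encode())  # binds the credential to this origin
        credential_id = nonce + tag
        return credential_id, self._derive_seed(credential_id, rp_id)

    def authenticate(self, rp_id: str, credential_id: bytes) -> Optional[bytes]:
        """Recompute the seed for this credential, or refuse if it was not issued for rp_id."""
        if len(credential_id) != 48:
            return None
        nonce, tag = credential_id[:16], credential_id[16:]
        expected = self._mac(b"cred", nonce, rp_id.encode())
        if not hmac.compare_digest(tag, expected):
            return None  # foreign token, tampered ID, or an ID replayed from another origin
        return self._derive_seed(credential_id, rp_id)

if __name__ == "__main__":
    # Constructed master secret for the demo; a real token generates its own at manufacture.
    token = StatelessAuthenticator(bytes.fromhex("00" * 32))
    cid, seed = token.register("example.com")
    assert token.authenticate("example.com", cid) == seed
    assert token.authenticate("other.example", cid) is None
    print("per-origin key recomputed, cross-origin use refused")
```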
What exactly is the issue with permanent storage? The idea with certificates is that the private key stays put.
When you want to use another browser or reinstall one, just re-enroll the new one. Ten one time recovery keys act as an alternative second factor, just like it's commonly done now.
I'm not saying there aren't any tradeoffs at all, but in my opinion they're minor when compared to OTPs, SMS or Yubikeys. Not nearly enough downsides to explain why no major services supports client certs.
Client certs are great, but the UI for them is bad and browser vendors are making it worse, for example they killed <keygen> so you have to tell people to run OpenSSL commands in a terminal during signup.
Because certificates are too complex for non-techies. Most of my sysadmin and dev colleagues have no clue how they work. Most of them have access to SECTIGO CERTIFICATE MANAGER, a web UI to sign and issue certificates. Yet, every time someone needs a certificate, I get a call and asked the same questions over and over again.
Now expect aunt Lottie to use certificates? Yeah, sure.
But can be easily stolen by malware (unless someone adds a client cert OS support? intriguing idea). But so can passkeys stored on the same device, so I don't know.
Long time ago browsers even had a widget to generate client certs natively! But it was removed, probably because of lack of use.
Okay, I know that and I agree, but I wasn't talking about PGP. Client certificates are much easier to use. They can be self-signed and the whole trust issue disappears.
I so hate this. I have repeatedly seen PDFs containing nothing but a QR code and text like "not valid if printed" - this is truly silly. QR codes were created to form a bridge between the physical and the digital world, exactly so people can print them out. If you want it to be digital-only for some reason, use NFC or Bluetooth or whatever.
I've used several similar services, but usually you can print out the QR code and present that instead (yes, I know: you have to have a way of receiving and printing that, but you don't need to have a smart phone). This is also handy if you might run out of battery or network on your phone.
You don't need to reinvent the wheel to have a "somewhat safe email". Just own a personal domain and host it on migadu, mailcheap, mxroute, Zoho or any other provider.
I've ranted about this before, but setting up or migrating semi-selfhosted personal services like that is a lot of hassle, even if you're used to cosplaying as a sysadmin.
Migrating DNS providers is a pain - recently done it twice. Transfer itself is reasonable with most providers. Importing/exporting a BIND-formatted zone file is sometimes unheard of, as is setting custom TTL; you'll have to go through a stupid form. One provider tries to hold your hand so tightly it won't let you set CAA with iodef, only issue/issuewild.
Migrating email is a pain. Yes! You can just point your MX elsewhere, and that is brilliant. You still want to copy over all your email, and given IMAP has won, if you don't have a recent backup (who does back up their email?), losing your old account sucks.
Fixing up your email clients is also troublesome. You can't just CNAME smtp.yourdomain.com to smtp.example.com, because that's nuts, so changing providers from example.com to beispiel.de requires a couple more dances; provider docs also suck, and email clients usually fail a dozen times before you can find the right incantation. You could set up your own autodiscover, but that requires an HTTPS server.
Yes there are providers that sell a full package and do all the initial setup for you, but that's not the point of owning your domain.
Yeah, I sometimes do sysadmin stuff for fun. None of this is fun.
None of these things are really that hard to do, and there are tons of tutorials on the Internet if you're not a sysadmin. I agree that these things are not "grandma can do it" easy, but they should be straightforward for anyone who has reasonably solid command line chops. Plus, they're all one-time tasks. Once you've moved over to your own domain and your own server/software, you're done--you don't have to do it over and over.
The official migration guide for Migadu invites you to use thunderbird and basically move all emails and folders from one account to another. No blame to them, but it's stunning that that's the best solution we have for migrating email.
IMO email should not be an archival service. Everyone should be ok with losing all of their saved emails at any point. If it's important, save that information elsewhere.
The lock-in does have the bonus that it's practically impossible for someone else to take over your email address. Forgetting to update your credit card for renewal, long term afk/coma, death etc. are all issues with having your own domain and I decided to move away from that model.
It's the other way around in my opinion. With your own domain you own your identity. By ceding it to someone else you risk losing it at a whim of some algorithm or bot or by forgetting password, or getting locked out for some other reason.
The problem is that you can't own a domain, you only lease it for a limited time. If you fail to pay the lease, you automatically lose it, and someone else can automatically get it, and there's nothing you can do about it. Domain names are worse than email providers from this point of view, since even if you lose your Gmail account, Google will typically not give it out to someone else, at least for some time.
Your point that phone numbers and mailing addresses work in much the same way is true - but I don't think these have ever been quite as directly tied to identity as email is on the web.
Traditionally, for anything that's even slightly important, either your physical presence ultimately acted as your identity, or significant legal liability protected the non-physical identity (that is, if a court sends an important letter to you at some address, someone else who moved in to that address faces significant legal penalties if they open that letter).
Isn't the same thing true of physical mailing addresses? If you don't pay your mortgage or estate taxes, you lose your physical mailing address. Yet people seem to have no problem considering themselves to be the owners of their houses and residences. Why should domains be any different?
Timescale, for one. If a lender wants to foreclose on your home, they'll usually have to go through a whole process, giving you a month or more of notification. During and even after this time, they'll often be happy to just take your money if you can come up with it, and they may be required to, depending on your jurisdiction's redemption laws. (E.g., my state gives owners an entire year following a tax sale to redeem their property. Some people make a whole business of chasing after redemption money.)
In contrast, many domain providers will resell your domain in a heartbeat once you miss a payment deadline. And then the buyer can do whatever they want with emails sent to that domain, since there's no such thing as identity theft when your domain is your identity. In the case of a mailing address, it's not an identity at all, which is why non-junk mail will also have a recipient line.
> Side musing follows: I dont know what the solution to identity is on the Internet.
I was fond of how Keybase brought to life [1] identity proofs (linking and validating your different online identities) in a very easy to use platform. Pity it went away; feels like a loss for the internet.
Right, but I want to validate my identity for cases where it is important to me. I also want to prevent others from assuming my identity in cases where it doesn't really matter (until it does). My identity here is not the same identity I use on Reddit. At the same time, being erroneously linked to someone else's posts on Reddit because they use this username could be a real problem. At the same time, I don't necessarily want my posts here to be linked to posts at Reddit or X or wherever. Rinse and repeat across thousands of web sites.
It's a problem with no easy solutions. In part, because no two users want exactly the same solution.
In Norway we have multiple national id providers. The banks have one called BankID which is what I mostly use, but there are other alternatives. These can be used somewhat interchangeably across different applications like my online bank, tax website, healthcare website, investment platforms, pretty much everything. I can also use it to sign contracts.
For example, I always use email login, never a phone number or Github or Facebag, and I barely have a presence on Google's panopticon, so never with my Google account. If a site demands it I just don't use it.
I also pay Fastmail to host my domain email, so that really helped get off Google. Yeah I gotta remember to renew every 10 years or whatever, plus $15/yr for fastmail; but what's the other option, I learn some SMTP package? No thanks.
If you don't want to link your email and your identity, you can use aliasing services like SimpleLogin. I have a separate email alias for every account, such as hackernews.ci72j@slmail.me, and only use my personal email for personal communications.
> paying for someone to run the infra (eg getting a proton or fastmail address), and hoping they dont enshittify or fail
I don’t experience them doing that. They’re email companies going strong. Maybe they get sold in some decades, and you move on. But I’ve had FastMail for one decade now, and it’s remained the same throughout. Including the minor UI bugs in their email client. But I’d much rather live with those than suddenly they’re also an AI company.