undefined | Better HN

0 pointsthaumaturgy7y ago0 comments

It is a lot inconvenient, given the various and myriad issues with guaranteeing email deliverability. Multiple hosting providers use greylisting or something like it which can delay email by minutes to hours, depending on the behavior of the sending mail server. Almost all hosting providers use one or more layers of spam filtration which can incorrectly trap or dispose of your message. Many users have additional mailbox rules set up which may accidentally match your message and route it to an unexpected folder. Relatively small mistakes with things like SPF can further complicate deliverability. You may also use some popular mail delivery service or another, which means that when that service has a bad customer that annoys enough other system administrators, the entire service gets blackballed, your messages along with it. (Hi, SendGrid.)

DigitalOcean's two-factor authentication used email, and email only, which several times caused us some headaches when there was an urgent issue and our person-in-charge couldn't access the account.

I've had a system administrator role for multiple companies over almost 15 years now. I've yet to see a perfectly reliable email system.

Doing password resets over email is one thing (though I think SMS is still better). At that point, the individual no longer has access to their account anyway, and you're dealing with a much smaller number of impacted users. It's much worse to throw up your hands and say, "I don't want to deal with passwords, let's use email", especially now that there are so many good password-handling libraries for so many different development environments and numerous articles on proper password handling.

0 comments

smeyer7y ago

Can you expand on your preference for SMS password resets to email password resets? As a user I prefer email, but I'm biased by the fact that I used email for a decade before I had SMS and I've had a malicious actor gain control of my phone number and receive SMS on it but never had the same with email.

thaumaturgyOP7y ago

Sure, it's basically just down to those problems with email deliverability. As you correctly point out, SMS isn't a perfectly secure solution either; however, I almost always receive an SMS for authentication within a few seconds to a minute, and only in a few cases have never received the message at all.

If text messages were abused to the degree that email is, and all kinds of different things were developed to try to "solve" that abuse (as has happened with email), then deliverability would suffer and it would be a coin toss for which approach to use.

davchana7y ago

Would you please elaborate how someone took over your phone & sms? This is my nightmare..

j / k navigate · click thread line to collapse