And then we decided that custom domains are the most professional. Which does make sense, there can only be one 'robert@gmail.com'. But, this is coupled with the idea that domains can expire, and that expiry does not appear to kill the identity that's potentially associated with the domain.
We should not be using email addresses as our primary source of identity verification in the first place. And we definitely _should_ have some way to globally declare that an identity has been compromised. Especially given our society's track record of keeping databases safe from breach.
I more or less assume it is inevitable that one of my major accounts will be compromised, and that this will be able to cascade into most of my major accounts being compromised. I do what I can to protect myself, but gmail as a single source of failure makes me nervous. Using any email provider besides gmail makes me even more nervous, because they don't have the full power and knowledge of Google protecting their databases.
If you use a third party service for your email ID, the third party can ban you or like you mention - disappear and basically take your identity away.
If you rely on national ID cards, you have another set of problems.
If you rely on phone numbers, these can be sim-jacked.
If you rely on bio-authentication methods, you risk your privacy especially when the master database gets compromised.
Relying on any single source seems to be a recipe for disaster. Perhaps the solution is to have multiple ways to authenticate yourself, with different levels of credibility, and to let as many of them survive as possible. Phone numbers and email IDs seem to have similar levels of credibility, but I haven't seen domain name service providers take to phone number authentication as much as I would have liked; things are looking up, though. Alternatives could be backup codes, which some registrars use if you have 2FA enabled.
This would also allow you to have multiple identities in cases where that is useful.
I've heard of various groups doing this under blockchain (of course) which is a way to solve the problem of publishing the details, but in many cases you don't really need that. It should be enough to make a key and get involved, like Bitcoin.
The issue of course is that if you lose the key(s) you have a major problem, whether they're just lost or stolen. This is probably solved with MFA but it's not a solution if that opens up other attacks.
The email market has worldwide competition, phone providers compete at a local level only. You can choose from thousands of different email providers, while phone provider choices for any given person are ~5.
The effective 'god' of domain names is IANA, which, while imperfect is more trustworthy than the 'gods' of phone numbers: local governments and telcos.
It's my understanding that these methods (TouchID, FaceID) don't actually store your thumbprints or images of your face; rather, they store hashes of the output. Similar to how passwords should never be stored in plain text.
Without emails as the keys to the kingdom, what would you use?
Without a global identifier for a human person (like social security in the US), how would we declare that an identity is compromised?
While I believe your ideals are well-intentioned, I think they're impractical in our current society.
I would propose that an email is the key to the kingdom, that people who run custom domains and use them for email must deposit $500 at registration to do so (to ensure the domain is registered for their lifetime), and that they should be protected by a password plus 2FA, with your phone being the other factor. And I propose that each person should be uniquely identifiable by an email address stored in a global publicly-accessible database.
Think Facebook login, except instead of an unrestricted entity that steals every piece of dignity it gets its hands on, it's a bank or legal custodian with strict responsibilities, penalties, and insurance in case of identity theft.
PKI. Service providers shouldn't give you access to an account just because you can prove you control an email address (during a narrow and predictable time window, no less). The simplest thing would be to encrypt the relevant part of the payload (the one containing the password reset link), so resets are only possible if you can receive the email and have the means of reading it in its "true" form.
Failing that (suppose you've not just lost your password but also the ability to decrypt the contents of the message), there should be an alternative, but the threshold for proving your identity should increase. It would ameliorate a lot if it meant that people had to show up in person somewhere. E.g., I show up at either the business's local branch (if there is one) or the USPS (or...) with my photo ID. From there, an attestation is generated that you really are who you say you are, and only with that attestation will your account be unlocked.
From Ursula K. Le Guin's indispensable "The Dispossessed":
“You're really much too polite for ...”
“For what?”
“For an anarchist,” she said, in her thin and affectedly drawling voice (it was the same intonation Pae used, and Oiie when he was at the University). “I'm disappointed. I thought you'd be dangerous and uncouth.”
“I am.”
She glanced up at him sidelong. She wore a scarlet shawl tied over her head; her eyes looked black and bright against the vivid color and the whiteness of snow all around.
“But here you are tamely walking me to the station, Dr. Shevek.”
“Shevek,” he said mildly. “No ‘doctor.’”
“Is that your whole name — first and last?”
He nodded, smiling. He felt well and vigorous, pleased by the bright air, the warmth of the well-made coat he wore, the prettiness of the woman beside him. No worries or heavy thoughts had hold on him today.
“Is it true that you get your names from a computer?”
“Yes.”
“How dreary, to be named by a machine!”
“Why dreary?”
“It's so mechanical, so impersonal.”
“But what is more personal than a name no other living person bears?”
“No one else? You're the only Shevek?”
“While I live. There were others, before me.”
“Relatives, you mean?”
“We don't count relatives much; we are all relatives, you see. I don't know who they were, except for one, in the early years of the Settlement. She designed a kind of bearing they use in heavy machines, they still call it a ‘shevek.’” He smiled again, more broadly. “There is a good immortality!”
Vea shook her head. “Good Lord!” she said. “How do you tell men from women?”
“Well, we have discovered methods...”
...
The five- and six-letter names issued by the central registry computer, being unique to each living individual, took the place of the numbers which a computer-using society must otherwise attach to its members. An Anarresti needed no identification but his name. The name, therefore, was felt to be an important part of the self, though one no more chose it than one's nose or height.
This is the only technique I think might work till someone social engineers people at Twitter.
This way we can verify/prove our identity without handing over those markers to multiple 3rd parties.
Edit: you can do all this on namecheap pretty easily.
details: http://www.tnhh.net/posts/gcandidate-who-is-interviewing-wit...
There is nothing more frustrating than when you're recovering your password and the site says "we have sent you an email" with no hint where, and even worse, sometimes they say "if that email was in our records then you should get the link" and you're wondering whether that worked, and the #1 worst is after making me solve 10 traffic lights and zebra crossings.
Because at that moment I feel it's just easier to start over and create a new account.
It's, as always, about a balance between faster user experience and more extensive security features.
I doubt it's a large portion. It costs money for each hijacked account, and custom domains I would assume are only used on a tiny fraction of accounts. The vast majority of stolen accounts I would attribute to credential stuffing.
Beyond that, it is not a company problem IMO. One of the most common uses for custom domains is custom email addresses. If a website prevented me from using it, as you propose, I would be flabbergasted.
Good practice for users in general is to use email services like gmail as their login/account email and add their custom domain emails in their bio.
No thank you, I don't want a mandatory backdoor for every government that might want to claim jurisdiction over one of those large worldwide providers.
No. I have a domain precisely because of avoiding a monopoly, duopoly, oligopoly on my email. Any service that required this would have me walk. The footsteps of a single zhte415 may not be loud, but I feel, especially in tech, I would not be alone.
Great, if we do this, we've done to e-mail addresses (and domains) what we've done to phone numbers. Some phone numbers, because of the carrier serving them, are "less than" others out of some (mistaken) idea that it's easier to get a bulk-load of phone numbers from some kinds of carriers and not others.
And then, what do you do when a new provider wants to join the scene? It already takes a year of process and documentation for a new certificate authority to get into most browsers and even then the adoption will be years in the making because most devices don't get root certificate updates. What's the process like for e-mail in your hypothetical? Does Hey.com not even bother because getting buy-off from even the top 50 account-based web sites takes forever?
> Good practice for users in general is to use email services like gmail as their login/account email and add their custom domain emails in their bio.
Absolutely not. The entire point for using my own domain is so my identity is not irrevocably tied to Google. When Google can, and does, nuke my account from orbit on a whim due to some perceived slight, I have no recourse. I can't even sue because of the mandatory arbitration clause they slapped in their several-thousand-word terms of service.
But when I click Forgot Password, it asks me for my username and also the email address before I can continue.
How do you get the email address hint like the article shows?
Why? I figure that's generally either for spamming or viewbotting (Re: likes, stars, etc) purposes especially on sites that don't require email verification to do things.
Ironically enough, I've been vulnerable to the described attack afterwards as I had my own domain, didn't use it much anymore, and gave it away (to a band with the same nickname). Back then, a domain was pricey, and I was poor, so...
You don’t need another discovery method after you take their Twitter account and email :)
Only for targets not on twitter.
My point is that Twitter is probably enough.
But if you really just want to compare domain names that are expiring to email addresses, you can just use one of those business bots that spammers, recruiters and sales people use, and just check emails in their database to domains expiring.
A 10-year limit on domain registrations seems ridiculous; we need lifetime-span registration capabilities, at least.