Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I think this just helps make it even more painfully obvious that email is the single point of failure for the vast majority of web site authentication security. This takes out a step, but it doesn't change what is already possible for an attacker to do.

Proposals for browser plugins and special protocols that use email for authentication have been around for a while too. It's just a matter of mainstreaming them. Which I hope never happens until we make sure email is as secure as a password manager.

I personally would like to disable the ability to reset my password via email on every one of my accounts (and disable resetting by "security questions" too.). I have all those passwords in my password manager, backed up on all my computers, an external disk, and the cloud. I won't need to reset my password. (Except when the service provider forces me too, like Dropbox recently did.)



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: