16 votes

I've always found the common approach that websites take to changing the email associated with an account iffy, but I am not sure if I am wrong.

I have changed my email more than once, just as part of customizing my online identity and all that.

and that obviously required me to log into any accounts I had and update the email associated with them.

the most common workflow I have found is
login -> navigate to settings page -> edit the email field to the new email -> go to the inbox for the new email -> click confirm on confirmation email

then you can go to that website, use the forgot-password option, provide your email, change the password and get complete control.

I have always found that workflow weird because it's the most prevalent one I have come across and seems so susceptible to tampering.

if someone leaves their laptop unattended for 3-4 minutes in public while visiting a bathroom (which happened often in the library of my university), there was nothing preventing me from going to their Facebook or whatever account they had open on their computer, changing the email to my own email and then clicking confirm on my inbox once I am back at my desk.

and most people don't have 2FA so that would effectively give me control of their account.
Hell, my university once had a potential data breach and they were 99.999% sure the data was not actually accessed by a malicious actor but still sent a mass email saying that they were advising everyone to change their passwords. A classmate of mine in the software systems program's attitude was basically "oh well, who cares?" and I just facepalmed internally.

There are maybe 3 websites I have come across that instead first send a confirmation email to your current inbox and after you confirm on that, then you get a confirmation email on the new email inbox. Which isn't perfect, but I feel like it's a bit more sensible and the best you can do without involving 2FA.

even then, that's also susceptible to the situation I described above if the user is always logged into their email.

I find it odd that websites don't prompt for a password as part of the email update process (or better yet 2FA with an app as even prompting for a password isn't a guarantee if the user has the password manager as an extension in their browser and they recently unlocked it before leaving their session unattended) to ensure that email changes are always done by the account owner.
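Worked example of the two-confirmation flow the post describes (current inbox first, then the new one), with the alert-and-undo link for the previous address that other replies in the thread mention layered on top. This is an added illustration written for this thread, not code from any of the sites named; the class and field names, the token lifetimes TOKEN_TTL and REVERT_TTL, and the sample addresses are assumptions made for the example, and the `outbox` list stands in for actually sending mail so it runs offline:

```python
"""Two-hop email change with a revert link: added example, not any site's real code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

TOKEN_TTL = 3600            # confirmation links die after an hour (assumed policy)
REVERT_TTL = 7 * 24 * 3600  # the old address can undo the change for a week (assumed)

def _digest(token: str) -> str:
    # Persist only a hash of each emailed token so a database leak yields no live links.
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class Account:
    email: str
    pending: Optional[dict] = None  # in-flight change: state, candidate, digest, expiry
    revert: Optional[dict] = None   # one-shot undo issued to the previous address
    outbox: list = field(default_factory=list)  # (recipient, purpose, token): stands in for SMTP

class EmailChange:
    """State machine: idle -> OLD_SENT -> NEW_SENT -> changed (plus a revert window)."""

    def __init__(self, acct: Account, now: Callable[[], float] = time.time):
        self.acct, self.now = acct, now

    def _issue(self, to: str, purpose: str, ttl: int):
        token = secrets.token_urlsafe(32)
        self.acct.outbox.append((to, purpose, token))
        return _digest(token), self.now() + ttl

    def _valid(self, token: str, rec: Optional[dict]) -> bool:
        return (rec is not None and self.now() <= rec["expires"]
                and hmac.compare_digest(_digest(token), rec["digest"]))

    def start(self, new_email: str) -> None:
        # Hop 1: nothing changes yet; the *current* inbox is asked first.
        digest, exp = self._issue(self.acct.email, "confirm-old", TOKEN_TTL)
        self.acct.pending = {"state": "OLD_SENT", "new": new_email,
                             "digest": digest, "expires": exp}

    def confirm_old(self, token: str) -> bool:
        p = self.acct.pending
        if not p or p["state"] != "OLD_SENT" or not self._valid(token, p):
            return False
        # Hop 2: only now does the candidate address get a link, to prove it is reachable.
        digest, exp = self._issue(p["new"], "confirm-new", TOKEN_TTL)
        p.update(state="NEW_SENT", digest=digest, expires=exp)
        return True

    def confirm_new(self, token: str) -> bool:
        p = self.acct.pending
        if not p or p["state"] != "NEW_SENT" or not self._valid(token, p):
            return False
        old, self.acct.email, self.acct.pending = self.acct.email, p["new"], None
        # Notify the previous owner and give them a one-click undo.
        digest, exp = self._issue(old, "revert", REVERT_TTL)
        self.acct.revert = {"old": old, "digest": digest, "expires": exp}
        return True

    def undo(self, token: str) -> bool:
        r = self.acct.revert
        if not self._valid(token, r):
            return False
        self.acct.email, self.acct.revert = r["old"], None
        # A real service would also revoke every session and password-reset token here.
        return True

def latest_token(acct: Account, to: str, purpose: str) -> str:
    # Simulates the recipient opening the most recent mail of that kind.
    for rcpt, why, tok in reversed(acct.outbox):
        if (rcpt, why) == (to, purpose):
            return tok
    raise LookupError(f"no {purpose} mail for {to}")

def demo() -> dict:
    """Walk the unattended-laptop scenario on a constructed sample account."""
    clock = [1_700_000_000.0]
    acct = Account(email="victim@example.org")  # constructed, not a real account
    flow = EmailChange(acct, now=lambda: clock[0])
    out = {}
    flow.start("attacker@example.net")  # done from the open browser tab
    # Without the victim's inbox the attacker cannot jump straight to the new-address hop.
    out["skipped_first_hop"] = flow.confirm_new(secrets.token_urlsafe(32))
    # If the victim's mail is also open, both hops go through...
    out["old_hop"] = flow.confirm_old(latest_token(acct, "victim@example.org", "confirm-old"))
    out["new_hop"] = flow.confirm_new(latest_token(acct, "attacker@example.net", "confirm-new"))
    out["after_change"] = acct.email
    # ...but the old address still holds a revert link the attacker never received.
    out["undone"] = flow.undo(latest_token(acct, "victim@example.org", "revert"))
    out["after_undo"] = acct.email
    out["undo_replayed"] = flow.undo(latest_token(acct, "victim@example.org", "revert"))
    # Stale links: a confirm-old token presented after TOKEN_TTL is refused.
    flow.start("later@example.net")
    clock[0] += TOKEN_TTL + 1
    out["expired_old_hop"] = flow.confirm_old(latest_token(acct, "victim@example.org", "confirm-old"))
    return out
```

Calling `demo()` shows where the two-hop flow helps and where it does not: from the open tab alone the attacker cannot skip to the new-address hop, and even when both hops go through (the case where the victim's mail is open too) the previous address keeps a revert link the attacker never saw. It does nothing for an attacker who also holds the old inbox for the whole revert window, which is exactly the limit the post points out; a re-authentication prompt on the change itself is the separate control for that.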

18 comments

  1. [8]
    Liru

    No, you're correct, and for the reasons you've outlined. Most websites these days don't seem to understand what an identifier (or even an identity) is, in one way or another; it's just "one thing our product's users need to provide so they can log in," and not much beyond that. Most companies don't think about what it means to update an email.

    Hell, one thing that I've noticed is that a lot of companies are beginning to not even require email confirmation for registration. I've got a lot of spam messages from people registering with an older email of mine, and the services actively allowing it and letting them use it despite no confirmation on my end. (Cloudflare, Duolingo, Match, and some cryptocurrency-related sites are the ones that immediately come to mind, but I can probably search for more.) I feel like it's part of the decline of modern software development, and how modern engineers don't really understand what they're doing.

    16 votes
    1. [4]
      DeaconBlue

      and how modern engineers don't really understand what they're doing.

      No, it's how modern engineers are told by marketing and sales, and therefore the business as a whole, that the hurdle to account creation is losing out on X units of money per year from potential customers and causes Y units of money per year in customer support issues. X is greater than Y, so add the feature or be replaced by someone who will.

      15 votes
      1. [3]
        Liru

        it's how modern engineers are told by marketing and sales, and therefore the business as a whole, [...] add the feature or be replaced by someone who will.

        Hot take: Engineers abdicating their engineering responsibilities and giving them to people who don't understand what they're doing falls under the "don't really understand what they're doing" umbrella.

        5 votes
        1. DeaconBlue

          Fair enough. I will fall under that umbrella as long as my family's healthcare is reliant on me pledging allegiance to the whims of the company.

          11 votes
        2. post_below

          At many companies, engineers can't give away their agency to make decisions like that because they don't have it to begin with. Their only choice besides doing the work is to quit.

          It's like blaming doctors for a broken healthcare system. They play a part, but if they refuse to do their job the system will just give their paycheck to someone more amenable.

          Perhaps if software engineers were more often unionized it would be different.

          7 votes
    2. [3]
      ButteredToast

      For a couple of years I was getting email updates on some person’s spending as a result of them registering a Rocket Money account with my email address, which apparently requires no confirmation. I emailed Rocket Money about this and asked them to prompt the user to fix their email address and they just shrugged and told me to block Rocket Money emails with my mail client.

      This left me somewhat flabbergasted. How can you be so nonchalant about emailing the wrong person private financial information?!

      The emails stopped eventually, I guess because this person stopped using the service, but it shouldn’t have been possible for that to happen in the first place.

      5 votes
      1. [2]
        first-must-burn

        My reply would be: If you won't resolve the issue on your end, I'll send the emails I've received so far to (some tech journalist) and set my mail client to automatically forward any new ones.

        2 votes
        1. ButteredToast

          I probably should’ve done something like that, but it didn’t cross my mind at the moment.

          3 votes
  2. [5]
    stu2b50

    If the attacker has physical access to your device and you don't have 2FA, you're kinda screwed anyway?

    Let's say you required a password to change the email. All the attacker needs to do is change your password with the "I forgot my password" option, and... yeah now they have the password to the account, so they can change the email anyway.

    11 votes
    1. [4]
      b3_k1nd_rw1nd

      are you agreeing with me?

      2 votes
      1. slade

        I think they're agreeing but stepping back and pointing out that the attack vector you're describing (someone already has control of your device, whether because of a backdoor or you left it open in the library) undermines a lot of common auth patterns. Not just changing your email.

        2FA is meant to solve that, but even that is vulnerable to the same problem (you left your laptop unlocked and your phone unlocked next to it). I guess there's always 3FA.

        5 votes
      2. stu2b50

        I'm disagreeing, I don't think there's any point in requiring a password for email changes. It doesn't add any additional security in this scenario, and just adds more friction for normal users.

        1 vote
      3. 0x29A

        It's more the fact, I think, that once someone has physical access (esp. to an unlocked/logged-in device) it's almost an "all bets are off" kind of situation: a lot of other security collapses.

        Physical access to a logged-in device is already such a "handed someone else my house keys then complained that they got into my house" situation, such a high-risk scenario and poor enough personal security, to an extent that I don't think we should expect the onus on protections in that situation to be on websites/companies/etc.

        Friction is good and could improve situations, but could also add speed bumps for users, and there is always a trade-off of security and convenience and everyone is striking that balance in some way. I personally think you can swing too far in either direction.

        If we tried to perfectly predict and protect from every possible security angle without any convenience tradeoffs, things would get so maddening to use that it would create more problems (and sometimes inadvertently create new security problems). Just like forced password rotations every X days in some environments can actually lead to worse security because people forget them so often and get so inconvenienced that they make poorer decisions to remember more easily, etc

  3. [3]
    Ganymede

    imo the danger of leaving your computer logged in while you walk away (don't do that!) is not nearly as bad as the danger of losing access to an account because you lose access to your email address. I think prompting for password on sensitive account updates is plenty.

    10 votes
    1. b3_k1nd_rw1nd

      I never said losing access to non-email address accounts is as bad as losing account to email address accounts.

      I just said the workflow for non-email address accounts is basically not secure at all imo.

      1 vote
    2. CannibalisticApple

      I have an email I can't access anymore and fear encountering a website that requires sending an email to the original one. I'm pretty sure I updated it for all the most critical accounts, but the worry is still there. I have a similar worry about any accounts my dad made. We don't know his password so we can only access it on his phone, and there's not really a way to find every site he made an account for. I fear his phone may one day log out of the email, and only then will we discover some vital account was tied to it.

      Asking to reenter a password still leaves security holes if the intruder got the website account's password instead of physically accessing the device, but there are ways to counter that. Like including a link to report "this wasn't me" in the email change notifications sent to the original address. That method creates some new holes, but honestly, I don't think there's any fool-proof approach that both guarantees account security, and also that the account holder will have zero risk of losing access due to external factors (e.g. if the device with 2FA is destroyed/lost).

      The websites can only handle so much of the account security. After a point it's left to the user's actions and decisions.

      1 vote
  4. creesch

    I do agree to a point but

    if someone leaves their laptop unattended for 3-4 minutes in public while visiting a bathroom (which happened often in the library of my university),

    You can do a lot more damage if people leave their device unlocked. Physical access effectively undoes most security as you could also install a keylogger in three minutes. It is the whole reason why 2fa is so important.

    Judging by your other posts recently, you are in the process of delving deeper into these areas. With it, you will come across a lot of these realizations. The thing is that security isn't an absolute and is basically a balancing act of tradeoffs against convenience. If we want to lock down things enough that they are 99% secure, we probably can. It also means making a lot of things difficult to use to the point that for many people it becomes too inconvenient to even consider using a lot of services. This is likely why 2FA isn't a hard requirement for many services, as there are commercial motives involved and companies don't want to chase away too many potential customers.

    That's not to say that there isn't room for improvement, but as someone who has been active on the internet since the late 90s today's internet is already much more secure.
    For example, while your flow does likely work for many websites, a lot of them these days also send an alert to the old email address with an option to undo the damage. But more fundamentally, just to give you an idea of where we came from:

    • Passwords used to be stored in plain text in databases. Then we got a bit smarter and started hashing passwords. Which then got defeated by rainbow tables before moving on to salting them and then to other algorithms used by things like bcrypt.
    • Related to the above, it wasn't uncommon to get your password sent in an email if you hit the "forgot password" link.
    • TLS adoption, until fairly recently all data was sent in plain text over the internet.
    • Session management: More websites now allow users to view and kill sessions across devices. This helps mitigate issues like the unattended laptop example.
    • Browsers used to be incredibly insecure in themselves. These days they are sandboxed from the OS and have all sorts of things incorporated like Content Security Policy (CSP), XSS protection headers, HSTS, etc.

    Again, not saying that things are perfect now. But, compared to where we are coming from things are already much more secure.

    5 votes
  5. first-must-burn

    I like what GitHub does, where it requires a refresh of the pass key or a fresh 2fa auth if you try to make important changes to anything.
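Added example of the step-up gate first-must-burn describes (GitHub calls it sudo mode), which is also the password-or-2FA prompt the original post asks for: sensitive handlers run only if the session re-proved a second factor within a short window, and a password re-entry on its own, which an unlocked password-manager extension would autofill, is accepted only for lower-risk edits. This is illustration code written for this thread, not GitHub's implementation; the five-minute window, the Session fields and the sample handlers are assumptions:

```python
"""Step-up ("sudo mode") gate for sensitive changes: added example, not GitHub's own code."""
import functools
import time
from dataclasses import dataclass
from typing import Callable, Optional

FRESH_WINDOW = 5 * 60  # seconds a re-authentication stays valid (assumed; GitHub's window may differ)

class StepUpRequired(Exception):
    """Raised instead of running the action; the web layer turns it into a re-auth prompt."""

@dataclass
class Session:
    user: str
    created_at: float
    last_strong_auth_at: Optional[float] = None    # last passkey / security key / TOTP proof
    last_password_auth_at: Optional[float] = None  # last time the password alone was re-entered

class StepUpPolicy:
    def __init__(self, window: int = FRESH_WINDOW, clock: Callable[[], float] = time.time):
        self.window, self.clock = window, clock

    def _fresh(self, stamp: Optional[float], now: float) -> bool:
        return stamp is not None and 0 <= now - stamp <= self.window

    def check(self, session: Session, need_second_factor: bool) -> None:
        now = self.clock()
        if self._fresh(session.last_strong_auth_at, now):
            return
        # A password prompt alone is what an unlocked password-manager extension defeats,
        # so it only satisfies actions explicitly marked as not needing a second factor.
        if not need_second_factor and self._fresh(session.last_password_auth_at, now):
            return
        raise StepUpRequired("second factor" if need_second_factor else "password")

    def guard(self, need_second_factor: bool = True):
        """Decorator for handlers whose first argument is the Session."""
        def deco(fn):
            @functools.wraps(fn)
            def wrapper(session: Session, *args, **kwargs):
                self.check(session, need_second_factor)
                return fn(session, *args, **kwargs)
            return wrapper
        return deco

def demo() -> dict:
    """Replays the thread's scenarios against a constructed session; returns what happened."""
    clock = [1_700_000_000.0]
    policy = StepUpPolicy(clock=lambda: clock[0])

    @policy.guard(need_second_factor=True)
    def change_email(session: Session, new_email: str) -> str:
        return f"{session.user} -> {new_email}"

    @policy.guard(need_second_factor=False)
    def change_display_name(session: Session, name: str) -> str:
        return name

    def attempt(fn, *args) -> bool:
        try:
            fn(*args)
            return True
        except StepUpRequired:
            return False

    # Logged in an hour ago, then left open on the library table: the login is still valid...
    hour_ago = clock[0] - 3600
    s = Session("alice", created_at=hour_ago, last_strong_auth_at=hour_ago,
                last_password_auth_at=hour_ago)  # constructed sample session
    out = {"stale_session_changed_email": attempt(change_email, s, "attacker@example.net")}
    # ...and an autofilled password prompt is accepted for low-risk edits only.
    s.last_password_auth_at = clock[0]
    out["password_only_changed_email"] = attempt(change_email, s, "attacker@example.net")
    out["password_only_changed_name"] = attempt(change_display_name, s, "Alice")
    # A fresh second factor opens the window; it closes again after FRESH_WINDOW seconds.
    s.last_strong_auth_at = clock[0]
    out["fresh_2fa_changed_email"] = change_email(s, "alice+new@example.org")
    clock[0] += FRESH_WINDOW + 1
    out["after_window"] = attempt(change_email, s, "alice+new@example.org")
    return out
```

The point of keeping two timestamps is that "recently logged in" and "recently proved a second factor" are different facts: a long-lived session is exactly what the unattended laptop hands over, so the gate ignores `created_at` and looks only at how recently the user re-proved possession of something the attacker at the desk does not have.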