
Jesus fucking christ. Stop making websites accept anything other than a username+password/token for authentication, and this kind of retarded shit would never happen. It's somehow still the status quo to make backdoors to recover your account in case you lock yourself out, which is why things like this happen all the time. You get what you deserve.


This is great in theory, but in practice your regular customers are going to lose/mix up their usernames and passwords all the time.

They need some kind of back door to recover their access (because honestly, even for the responsible and tech-savvy users, sometimes sh!t happens... e.g., my password manager generated a new password but my laptop crashed before I could save it), and they assume there will be a way to restore their account.

I'm sure you could tell your customers "you get what you deserve", but not if you want them to remain customers.


Gee, you're going to have a hard time with bitcoin, hidden tor services, etc.

A) Customers locking themselves out of accounts

B) Accounts being stolen by identity theft

Pick one.

> I'm sure you could tell your customers "you get what you deserve", but not if you want them to remain customers.

I kill people for a living. You can tell me I could stop killing people for a living but then I'd stop having customers. Thus it's impractical to stop killing people.


Once again proving my point that the biggest impediment to Bitcoin is the Bitcoin community.


Oh wait, I forgot this is HN, where conforming to retarded dogma is the only way to be cool.


Please impart more wisdom in your lovely obnoxious raging nerd idealist way. It's very unusual to find in tech circles!


Ironically, HN itself so happens to do it right - it permits you to have only a user/password. Reddit is the same, so are GitHub and Stack Overflow. I've never heard of pervasive problems on either of these sites. I don't submit my email to these sites, and they work fine.

Please continue to call common fucking sense idealism. Look how shit any other site besides the 4 (and others like them) I mentioned are with their fancy policies. How can anyone not rage when such stupidity is forced upon us?


Even if customers are scatterbrained and unwilling to accept responsibility for themselves, it's still better to keep them on board and making money than trying to teach them a lesson out of principle that probably won't even stick.

How well any policies are actually thought through is another matter.


Yes, because users would hate so much to be told explicitly that all they need to remember is a password. They'd much rather have 20 different pieces of information, some combinations of which, if they share them, let people take over their accounts on various services. </sarcasm>

The problem is not so much that the systems suck, the problem is there's no way for people like me to take on the responsibility and "risk" of just having a simple way to authenticate myself.

For example, in my bank I would opt into having all "suspicious transaction" types of protections turned off, but if I went to my local branch and asked for that, they'd just get confused and think I'm trying to commit fraud.

> it's still better to keep them on board and making money

Maybe better for you, assuming there would be a net loss from turning off the bullshit policy. Definitely not better for customers, as it enables theft, which has the same consequence as forgetting a password.


It doesn't have to be a mess of ill-thought-out questions. Just a traditional password reset email is a good facility, as opposed to "forgotten password? your account is forever locked, you cretin. don't even think about contacting us".

I have a good backup system so it's not that I use such stuff personally either.
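What a "traditional password reset email" needs to look like on the server side for it to be the safe recovery path this comment describes, as an added example that is not from the thread: the token is high-entropy, only its hash is stored, it expires quickly, and it is single-use. All class and function names here are hypothetical.

```python
"""Password-reset-by-email token store (added example, not from the thread).

The plaintext token is generated once and goes only into the email; the server
keeps just its SHA-256 so a database leak cannot be turned into resets.
A token is deleted on the first redemption attempt, so an intercepted copy
cannot be replayed after the legitimate reset, and it expires after TTL.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # short lifetime limits the window if the mailbox is exposed


class ResetTokenStore:
    """In-memory store keyed by the digest of the token, never the token itself."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._pending: Dict[str, Tuple[str, float]] = {}  # digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a one-time token for user_id and return the plaintext for the email."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user_id if the token is known, unexpired and unused; else None.

        The entry is removed on any attempt, valid or not, so a token can only
        ever succeed once (single-use) and an expired one is cleaned up.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("alice")
    print("first redeem:", store.redeem(t), "second redeem:", store.redeem(t))
```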


> Just a traditional password reset email will do

Well yes, I would much prefer that to sending in a picture of my driver's license, only logging in from one IP address, etc. This only really happens with financial sites.

For normal sites, before there were captchas, they required email to sign up, in order to deter spam. Then when they got captchas they still required both, probably because they were thinking "oh yes 2 is better than 1", even though email verification does not deter spam one bit these days. On the other hand, in more recent times you now have all these sites requiring email for recovery. You can see where the dogma came about.

I myself would absolutely never want email recovery, simply because it links the accounts together unless I make a separate email for each, wastes my time (I never lose my passwords, and they are unique for every account), and now the email provider has access to my account.

If this isn't bad enough, Facebook, Google, and pretty much every mainstream email provider now require a cell phone to sign up, and send a verification code to your cell (this may be because I use Tor).

It only seems to be going downhill. There's no reason not to be infuriated.

On the upside, South Korea recently abolished its law that users should use their id online:

http://online.wsj.com/news/articles/SB1000087239639044408290...

... but it's replaced with SMS:

https://en.wikipedia.org/wiki/Resident_registration_number#O...


Github has 2-factor authentication BTW.


BTW, this comment was meant to be in response to the other thread "How I Lost My $50,000 Twitter Username (medium.com)"

https://news.ycombinator.com/item?id=7141532

But they're both pretty much the same problem. Service has complex/secret authentication policy, so users have no chance to be secure.



