by Freak_NL 445 days ago
This was already happening, unfortunately. The user's mail agent is deemed untrustworthy (and so is the user), so every service which needs to send confidential data just turns your email into a notification with a link. There are so many of these, but often they are limited in scope. For sectors like healthcare you have companies offering this type of service to companies which need to adhere to security theatre standards such as ISO 27001, and because nations often have their own added requirements for specific sectors (think HIPAA in the US or NEN 7510 in the Netherlands) these services tend to remain focussed on single countries.

Then there are the national governments and things like insurance companies. All happily sending message notifications where you need to sign in to their own portals.

Securing email is too complex, so everyone builds their own secured portal thingy, and your mailbox has become a receptacle for notifications. Figuring out a solution would require cooperation, pragmatic lawmaking, and giving up those nice cash cows of moated portals, so it won't happen.

5 comments

I struggle with how the secure email solutions are inherently more secure than just dumping the pdf or ticket details in the email body.

Every vendor's secure email portal I have ever used was ultimately authenticated using my email account. Any one-time passcodes are sent to the same email. Password recovery? Email. If a malicious user is on my PC or otherwise intercepting my mail, they could access 100% of the solutions I've got access to right now.

I always understood it as, the email with link notification thing started as soon as email providers began regularly scanning users' emails. Before then, an email included all the information you needed without having to log in to another site.
You usually keep old mails around that malware can then silently forward; this is a problem for unencrypted data. To authenticate through email, even if possible, there are hoops the attacker would need to go through and you'd likely be notified of e.g. a password reset mail.
We could integrate expiry dates for emails after which they get deleted. That's feasible.
I don't think that's true for my bank or Czech government services. Plenty others do practice "security by email", though.
Yep, while I like moving all snail mail to email, I hate that (almost) every single service now just sends a "monthly/quarterly report now available in your account area!" email. A rare few of them at least offer the option of just sending it attached (with the default being a useless reminder email), but most are essentially a chore, because nearly everything here uses phone+2FA as login rather than a password or passkey.
For that reason I actually have decided to get everything via snail-mail.

When BofA sends me a new statement I need to:

    * click on the link in my inbox
    * wait for the email-provider to scan the email (and Office 365 does sometimes tell me they can't scan the link)
(either)

    * Enter my username & password
    * Select that I want my 2FA via call or text
    * Wait for the call or text to arrive
    * Enter it (now I'm signed in)
(or)

    * search my house for my YubiKey
    * lean over to insert YubiKey
    * click cancel on the Windows popup for the passkey
    * click cancel on the Bitwarden popup for the passkey
    * click Physical key on the Chrome / Edge popup for passkeys
    * put in YubiKey pin
    * lean over again to physically touch YubiKey
(end)

    * Click no on the next credit card offer
    * Navigate to Credit Cards
    * Click the Credit Card
    * Click Documents
    * Click current statement
or

when I'm on my walk (which I do anyway)

    * insert key in mailbox
    * (no delay) open mailbox
    * (no delay) take out letters
    * (no delay) close mailbox
    * (no delay) remove key
    * walk home
    * open statement
    * validate statement
    * trash statement

Even with passkeys there are too many where the flow can / purposefully is interrupted.
Passkey does seem like it should include functionality to encrypt and sign all email and SMS automatically. A missed opportunity.
> because nearly everything here uses phone+2FA as login

Here in the US we only wish things were that secure.

Unless by 2FA you mean “code sent via SMS”.

Sadly I mean "code sent via SMS", which is one reason why I haven't automated much of the retrieval for these things.
> The user's mail agent is deemed untrustworthy (and so is the user)

Bluesky follows this pattern for the benefit of the user. The internet tradition has always been: if you want to control it, you have to host it.

> if you want to control it

In the context of sending a secure message, the sender maintaining control goes in the negatives column. At best it's a compromise in exchange for specific security features.

I hate this so much. I will pay for a service that takes all these content-free messages and goes to the website and logs in and extracts the actual message content and puts it in my inbox. Anyone want to make that?

I actually think there is a more general opportunity here with AI. Every app and website and UI I use is optimized by a gaggle of PMs to achieve business objectives that don't necessarily benefit me. AI is getting to the point where soon it will be able to use these non-aligned UIs for me, and present to me a much simpler UI customized just for me, that does what I actually want and no more.

You can probably do this fairly easily already, like this:

- Fetch your emails using any of the common local mail sync tools

- Some processing to clean up the plaintext version, may not be necessary even

- Send it to an LLM to extract a link

- Open up a headless browser, trigger something like SingleFile to extract its content.

Though you'll have to keep the cookie refreshed, but if it is initially logged in, this should be fine since you can also program something to keep refreshing every once in a while.
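
An added example, not part of the thread: the link-extraction step from the list above, done with deterministic parsing instead of an LLM and with a per-sender host allowlist, so an automated browser holding a logged-in cookie only ever visits the portal it belongs to. `ALLOWED_HOSTS`, `portal_links` and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Assumption: the user maintains this map of sender domain -> portal hosts.
ALLOWED_HOSTS = {"bank.example": {"portal.bank.example"}}

# Constructed sample notification (not a real message). The last link is a
# lookalike host of the kind an allowlist on the exact hostname must reject.
SAMPLE = b"""\
From: Example Bank <statements@bank.example>
To: user@mail.example
Subject: Your statement is available
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Your monthly statement is ready.
View it: https://portal.bank.example/documents/latest
Unsubscribe: http://tracking.mailer.example/u/123
Lookalike: https://portal.bank.example.evil.example/login
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def portal_links(raw: bytes) -> list[str]:
    """Return the HTTPS links whose exact host is allowlisted for the sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"]
    if sender is None or not sender.addresses:
        return []
    # From is spoofable; it only selects which allowlist applies. The host
    # check below is what limits where the authenticated browser may go.
    allowed = ALLOWED_HOSTS.get(sender.addresses[0].domain.lower(), set())
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    links = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        # Exact hostname match: suffix or substring tests would accept
        # portal.bank.example.evil.example.
        if parts.scheme == "https" and parts.hostname in allowed:
            if url not in links:
                links.append(url)
    return links


if __name__ == "__main__":
    print(portal_links(SAMPLE))
```
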

Not that I love any of those particular secure document web services, but I do vastly prefer web pages and URLs for retrieving documents and would happily live in a world where email was a receptacle for notifications.