[BystanderX]

Because it's not the "default" identity provider, it's the "fallback" identity provider. They're trying to define a open standard which would end up with any number of identity providers. The goal is something that can bootstrap the system into usage.

As far as what to do about users? You can't fix the problem. Nothing is going to be 100% secure, and the flesh is always going to be the biggest weakness if the machine has been well designed.

If you really want conjecture on it, though, I would suggest you first ask "Is this something tied to a citizen's identity, or a online identity?", because most things that process fiat currency in any capacity will fall into the former, and should probably merit a recovery system outside of email.

I would argue, however, that anything falling into the latter and should be handled with email.