by FlamingMoe 59 days ago
He mentions these 3:

"- Every email address that exists out in the world is now wrong. - Every piece of marketing material is now incorrect. - All of the SEO is gone."

but it seems to miss even the biggest one, which is that you are effectively locked out of any online business accounts, your bank, your crm, anything that says "we noticed an unusual login, please enter the code we just sent to your email to verify the login."


Yep. Binding 2FA flows to email is risky business for a lot of reasons, but registrar incompetence might be the spookiest thing of all.
Same reason I dislike SMS-based 2FA, or worse, SMS/email-based 1FA codes.

You don't truly own your cell number or domain. Meanwhile passkeys are certainly hardware I own; likewise my TOTP codes are stored and calculated locally.

Really toxic security anti-pattern.

I'm locked out of my 20-year-old Wikipedia account because they instituted 2FA without asking and my email on file was no longer valid.

Ouch. That's worse than the Reddit accounts I lost for a similar reason.

Nearly lost a dozen other accounts when I moved from Canada to the US and changed my phone number. Fortunately I had the foresight to pay about $1/mo to transfer my Canadian number to some VoIP service just so I could keep it active for scenarios like this!

The cascading effect is unimaginable, since everything is tied to that email.

It is similar to losing a phone or SIM, or even being in a foreign country where you can't access your number, but worse.

Exactly. A few years ago I was thinking of binding everything to a domain email, thinking that since I own it I can host it anywhere, and it seemed the best option. After thinking it through, I had to stick with Gmail again, due to the possible catastrophe scenario!

Luckily in the EU, they still hardly depend on presence validation, therefore all these sorts of errors can be resolved in a couple of hours.

That's such a good point I didn't think about!
Also a huge opportunity for scams etc. if this ever was a targeted takeover type thing. Emails and other stuff go to the same domain, and an impostor could just keep answering correspondence like nothing had happened.

And even worse, if I wanted to take over npmjs.com tomorrow and GoDaddy would kinda... just hand it over (?!?!?!), then I could probably become a crypto billionaire overnight.