[pocksuppet]

A flow can either fail safe or fail secure.

Fail secure: if you lose your email, your account is forever locked.

Fail safe: if you lose your email, your account is not forever locked. But, someone else might be able to get your account by pretending you lost your email.

There are no other choices.

When the electronic door controller loses power, either the door stays locked, or the door stays unlocked. In case of a fire you want it unlocked so people can get out. But then a burglar can cut the power to get in. Doors that stay permanently locked in a power outage are only permitted in extreme cases where security is of the utmost importance. Obviously Instagram accounts aren't as important as doors in a fire.

[cortesoft]

There are a lot of other ways they could do it.

You could provide a delay feature… if you request this sort of reset, it takes 3 days, and emails are sent to the primary address every day with the count down. If your email isn’t lost, you would see these warnings.

You could let an account holder designate emergency contacts (other accounts) that are allowed to request a reset if you lose your primary email (again with a time delay to allow you to block malicious takeover attempts).

Recovery keys, security questions, real life identity proof, etc, are all other possible options, too.

[aargh_aargh]

I've seen this delay in action when logging in into an old dormant Google account. After I provided correct password (and some other details I remember vaguely - probably no phone number set and some problem with using the TOTP I set up long ago), it sent an email to the linked primary email and waited for a day to give it a chance to abort before logging me in.

The delay is quite a bother but it's surely better than account takeover. What I mind about the process is probably the lack of transparency - what combination of factors (MFA pieces, location, inactive time, ...) launches which process? I get that transparency might help attackers here but they're the ones to have the persistence to figure out the rules anyway. Smells like security through obscurity to me.

[ian_holt]

I quite like that idea also. And I would not have thought it would be that difficult to implement in most systems these days

Having 1 or 2 backup email accounts and/or an SMS sent to a registered mobile phone number seems to me to be relatively simple to implement

Along with a built-in delay, the inconvenience of having to wait is way better than losing access to critical accounts

[theknarf]

Some doors can be designed with a large push handle to unlatch from the inside while still being closed from the outside. Allowing people on the inside to escape out but not the other way around.

[pocksuppet]

May I introduce you to Deviant Ollam's talks? You can fish a wire under the door and use it to push the inner push handle.

[aryan14]

This is actually what microsoft does for microsoft accounts

If you recover a microsoft account / submit a ticket to recover it and provide correct information, the active email gets an email letting them know about the request

You can deny it, or if you ignore it for 30 days the request goes through

Seems to be the best system IMO

[faidit]

Someone has been trying to hack into my MSFT account for years. I constantly get the notifications. I can not see where they are trying from (unlike some other services that give you info about failed login attempts) nor add more security measures. I worry one day I will accidentally hit "Approve" or they will guess the 6 digit code they have tried thousands of times.

The fun part is that you can't disable OneDrive. No matter how many times I turn it off it always keeps turning OneDrive back on to put my private data in the cloud for the attackers. Of course I can't block the methods that are obviously under attack either.

And the lack of a login history view means I have no way to know if they were successful yet. Support has never been good (for legitimate users) and is basically non-existent with AI now.

[azthecx]

You can disable the email you use publicly as a login email.

I would recommend you look at some other guides before you do this but the gist is My Account > Your Account > Manage Account Information. Then you can add a new email that you do not share as your primary login email, and disable login from the email you use to send emails.

[Spare_account]

I have about a dozen email aliases associated with my Microsoft account. On the "Your info" page, under "Account info", one of them is described as "The email address you use to sign in to your Microsoft Account".

However, I can use any of them to initiate a login attempt. I have my account set to passwordless, I don't know if that is relevant (every login attempt triggers an MFA prompt).

If I click on "Edit account info" I am taken to a page where I can choose which address in the "Primary", but given that ANY of the aliases can be used to intiate a sign-in, I don't see any benefit in changing that.

EDIT: I wasn't being adventurous enough. The option to change which aliases can be used to sign in is under (surprisingly) "Sign-in preferences".

In my defence, that page wasn't loading properly in Firefox with all my privacy add-ons enabled. I was able to access it in Edge.

EDIT2: I've changed my primary alias to a newly created one. If I am still able to sign in OK in a couple of days, I will disable the old primary for sign-in. I hope I don't live to regret this!

[hyperman1]

Re Onedrive, as someone who left windows ages ago: Why not just create folders outside your user home? Create some junctions from the inside. Then onedrive gets to sync only your desktop wallpaper and any random stuf apps drop in there, and your real data is safe outside its reach.

[sheiyei]

I think the best defense against this is to delete the Microsoft account and enjoy a better life. (Unless, of course, you need it for Minecraft.)

[codebolt]

The correct thing to do in this scenario is to create a new random login alias on your Microsoft account, make it the primary login alias, and disable login for the all other e-mails tied to the account.

[aryan14]

You can view the recent activity on your Microsoft account @ account(dot)live(dot)com/Activity

Would show any logins or security info updates etc

[Ueland]

Those login attempts which trigger 2fa app does not generate a log entry if unsuccessful. Only attempts with username/password does. For some strange reason.

So there is no way to flag them as malicious and if you accidentally accept, then it’s already too late.

Pretty annoying setup.

[kenjackson]

I have the same issue. It’s absolutely stressful. Id also love some way to mark them as malicious.

[jazzyjackson]

I know they’re always changing things but I’m 99% sure one drive can be disabled with a checkbox either in “turn windows features on or off” or via group policy editor.

[the_af]

> You can deny it, or if you ignore it for 30 days the request goes through

That's a good measure, but it would fail for the attack scenario in TFA: the attacker claims their account was hacked, so presumably (if the support AI "believes" them) the notification email is compromised. If the account was hacked, you cannot let the one receiving the notification cancel your recovery attempt, which they will of course try to do. Of course in this exploit it's all a lie, but what if your account truly was hacked and your were genuinely trying to recover it?

[markdown]

1. Provide a delay of a week. 2. Notify via all addresses on file. 3. Make an admin post (by the account in question) explaining that a 2FA override has been requested. Something you and all your followers can see.

[rpigab]

I think I set up my Apple account about 14 years ago. I have no clue what I put as security answers when I was young, even though I think I have the answers, it won't accept them. I still know my password, I still have access to the email, but because I switched from iPhone to Android, I didn't use the account for years.

Now I want to log in with the correct password, because it's been such a long time, it locks me out unless I give it 2 security answers. I've tried to reset it by email, it still locks me out on next login and asks for 1 security answer, I can't find any answer, I have no clue if it's case-sensitive and details like that. I went to an Apple store, they told me to contact the support, I have contacted the support, they can't do anything. Maybe my last hope is GDPR since I'm in the EU, have the account deleted.

[closeparen]

Apple does this.

[hijodelsol]

There are definitely more shades of grey. On my iPhone I can select a close contact to be able to overturn my protection but this contact needs to have security features turned on, too. So Apple staff cannot do it, only a non publicly known person that has 2FA and encryption themselves. Add time delays, notifications, identity checks and more to it and you can make this process reasonably secure while still ensuring recovery.

[Lonestar1440]

There are no other online choices. If my Bank login goes totally Kaput, though, I can take my ID down to the Branch to get it sorted. Same with my telecom provider.

I try to only depend on services which have this property. I don't succeed.

[foxglacier]

Tech people forget how the real world has solved these problems long ago. I got access to my bank account in another country by writing them a letter on paper and having it signed by a policeman in my country then sending it in the mail. A pain and expensive but if it's important, you do it. All these old fashioned techniques are backed by the criminal justice system which can actually work when the fraudsters have to go to the police station to commit their crime.

[ipaddr]

Sounds great until you have an aging parent with a problem who can't get there. Get a power of attorney you say.. great but they won't accept unless parent comes to the branch.

This comes back to haunt you in the future.

[ajsnigrutin]

On the other hand, the best anti-scam feature for older relatives is to tell them to "go there in person". Get a call from the bank, they simply tell them "ok, I'm coming to the bank tomorrow, in person", and they're done. Scam call? Legit call? Doesn't matter, they'll sort it out at the bank.

There's a whole wide age and knowledge/competence where older people can still fall for scams (or can't know if it's legit or a scam) but on the other hand are still capable to go to whatever office/bank they need to go.

[Terr_]

Probably not news to anyone here, but partial step in this direction is to put down vetted official contact details for the institutions.

Every time someone calls to say there's a problem with your account, you ask for their name and/or extension number, because recontacting through the institution is your only good way of verifying their identity.

[donalhunt]

That works when the system is setup to allow that.

I've encountered banks that don't have that setup — hilariously one bank felt the need to cold call me about my complaint about cold calling from unverifiable numbers. When I asked how I could call them on a verifiable number, they claimed I couldn't. :/

[Terr_]

Bank-be-crazy Anecdote: I used a paper check to send money to a relative. My bank balance went down, but a week later my relative still hadn't received anything. Eventually the relative's bank said that something went wrong, and I thought: "Well, OK, I'll transfer it some other way when it gets returned to me." Except a month later it was still in limbo.

The kicker is that Bank X's website was simply... mathematically wrong. There weren't any transactions or notes to explain it, my balance was just magically smaller as the funds had never existed, last month's statement could not be reconciled with the current statement, etc. This was several thousand dollars.

I was eventually able to fix it with support, and they explained that Bank X had been bought by Bank Y, and somehow my old checkbook was still valid-enough to pull money out of my account, but somehow not valid-enough to finish the job nor to fail "cleanly."

I expressed to the representative that--while I had immense professional sympathy for the problems of mergers and system integrations--it's probably bad PR and perhaps a regulatory issue for any bank to lose track of customers' money and present them with what is either a false set of transactions or a false balance...

[kijin]

Malware on your phone can reroute your calls to the attacker. So you think you're calling the official number at the correct institution, but you're actually talking to the attacker.

[Terr_]

Well, yeah, and knowing first-aid is worthless if someone's been decapitated. :p

If some malware is that deep on the phone, able to redirect calls, then you've got much bigger problems and the attacker might not even need to trick any cooperation at all.

[sciencejerk]

What kind of malware are we talking about here? On a non-rooted phone?

[Lonestar1440]

I've done this. I'm very surprised that, in your case, the POA was not sufficient to get your business done.

I'm not sure what alternative you are proposing. This only gets much, much worse when the aging person is trying to use a password...

[zimpenfish]

> until you have an aging parent with a problem who can't get there

Or you get elected to high office and consequently getting to the branch is a bit ... faffy[0]

[0] https://chicago.suntimes.com/pope-leo-xiv/2026/05/06/pope-le...

[komali2]

> McCarthy, an Augustinian friar from the South Side who has known Pope Leo for 43 years, told the story as a reminder to parishioners that the pope “is like us,” and “a very humble guy.”

So humble that he was able to change his information over the phone by threatening directly to the president of the bank that he'd use a different bank if they didn't let him, and the president bent over backwards to meet this demand. He's just like us!

[Gigachad]

This is still less problematic than an attacker getting in and draining the funds.

[RevEng]

That's a strange one. I had to use POA for my mother in law last summer and it was straight forward.

[alexfoo]

Some companies are purposely obtuse about it.

My wife is trying to sort something with a famous Irish airline who are well known for messing people around. She has LPA/POA for her mother but rather than the airline accepting the VCode (this is the UK) the airline are requesting to see the original POA certificate which is just ridiculous. They seem to be moving a little quicker now there is solicitor involved.

Given how much back and forth there has been it's probably cost the airline more than just refunding the amount at the first request. We'll keep going to prove a point.

[foxglacier]

Try another branch. I had that exact problem and just shopped around. I think some staff err on the side of caution when they don't know what to do.

[gamerDude]

Seems like a business opportunity. Face to face authentication in every major city that can authenticate people when needed.

[bandrami]

This is actually one of the more useful services those horrible check-cashing storefronts provide.

[dzhiurgis]

Take it to the branch? Like in the 90s? What?

[CPLX]

Of course it's not binary, any more than there are two choices between "cheap" and "expensive"

The question is how much effort and authority is required to gain access through alternative means, not whether it's possible.

It's always a question of how much, insofar as kidnapping Mark Zuckerberg or winning an order from a Federal Judge are two of the possible scenarios.

[HDBaseT]

I don't think its that binary.

Using the door and fire scenario, you can have manual opening method available, just make it only available on the inside.

[dgacmu]

I'm probably out of date, but Google's advanced protection at one point did account recovery via postcard to your home address. High latency but pretty good as a fallback.

[HWR_14]

Postcards are the least secure form of mail. I would hope it uses a security envelope at least.

[itintheory]

There are many good options. [1]

[1] https://news.ycombinator.com/item?id=48321089

[eddd-ddde]

What about "go see an agent in person and use your fingerprint to prove it is you"?

[subscribed]

There's also Google fail. You have everything (including recovery emails) except the phone you had 15 years ago, and you lose your account.

[throwaway173738]

This is too simplistic. A lot of automatic door locks are just door strikes with a solenoid that is remotely actuated inside the door casing. In that model you can let people out of the building because the inner part of the door has a bar you can press that moves the door pin, which is how all door handles work normally, so there’s no “fail open” needed. You can get out, but you might not be able to get back in.

[vkou]

A compromise solution would be to fail safe with a cook-off period and a notification for any active users.

It would mean that someone can't gank an account from under you while you're using it, but you could recover it after a week if you lose access to your email.

[wwn_se]

There is a third option. Most banks here in Sweden solve this by forcing you to show up in person (with a ID card) if you loose your password.

I get that this also is technically a 2FA bypass but the cost is extreme and its really hard to impersonate someone in real life.

[sigmoid10]

How would that even work for internet companies without physical stores? Go to Menlo Park, CA to recover your account?

[stoltzmann]

Facebook already requires verifying your ID in some cases, it's absolutely feasible for them to do it online.

If it's not feasible, I can see an argument that large enough companies should be required to provide in person support options.

Facebook defintely has enough money to facilitate this.

[wasmitnetzen]

There's a lot of online-only banks who have figured this out. Do video auth, outsource it to the postal service, ...

[anilakar]

> There are no other choices.

Fail safe noisily and implement a cooldown period.