by dcaunt 4524 days ago
I think a lot of it comes down to this:

"4. Some of the biggest companies in the world have security that is only as good as a minimum-wage phone support worker who has the power to reset your account. And they have valid business reasons for giving them this power."


It could be greatly mitigated by automating that power more.

E.g., "No problem, I can reset your password! The system will automatically contact your registered phone number and email address -- if you confirm both, it resets now, and if you can't, it will send the reset to your new email 3 days from now."
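
Added example, not code from the thread or from any of its posters: the automated flow this comment sketches, written as a small Python state machine. Challenge codes go only to the registered phone and email; if both are answered the reset completes at once, and if nothing is answered the reset is delivered to the caller's new address once the three-day delay has elapsed. Everything concrete here is my assumption: the account, addresses and dates are constructed demo data, FakeClock exists so the wait can be exercised without waiting, and the cancel step (the owner aborting a request they did not make) is not in the comment but is the reason a delay helps at all.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

DELAY = timedelta(days=3)          # "3 days from now" fallback, as in the comment
CHANNELS = ("phone", "email")      # the two registered channels the comment names

def _h(code: str) -> str:
    """Store only a hash of each challenge code; a DB leak must not yield live codes."""
    return hashlib.sha256(code.encode()).hexdigest()

@dataclass
class Account:
    phone: str   # registered phone number
    email: str   # registered email address

@dataclass
class ResetRequest:
    account_id: str
    new_email: str                   # address the caller wants the reset sent to
    deadline: datetime               # when the delayed fallback may fire
    code_hashes: Dict[str, str]      # channel -> sha256(challenge code)
    confirmed: Dict[str, bool] = field(default_factory=lambda: {c: False for c in CHANNELS})
    status: str = "pending"          # pending | reset_now | reset_delayed | cancelled
    reset_token: Optional[str] = None

class FakeClock:
    """Injectable clock (demo scaffolding) so the three-day wait can be exercised."""
    def __init__(self, start: datetime):
        self.t = start
    def __call__(self) -> datetime:
        return self.t
    def advance_days(self, days: int) -> None:
        self.t += timedelta(days=days)

class ResetService:
    """Reset flow in which the support worker can open a request but never finish one."""
    def __init__(self, accounts: Dict[str, Account], now: Callable[[], datetime]):
        self.accounts = accounts
        self.now = now
        self.requests: Dict[str, ResetRequest] = {}
        self.outbox: List[Tuple[str, str, str]] = []   # (channel, address, message) "sent"

    def _send(self, channel: str, address: str, message: str) -> None:
        self.outbox.append((channel, address, message))

    def request_reset(self, account_id: str, new_email: str) -> Tuple[str, Dict[str, str]]:
        """Open a request. Challenges go only to the registered channels, never to new_email.
        Plaintext codes are returned solely so a test can play the account owner."""
        acct = self.accounts[account_id]
        codes = {c: secrets.token_hex(4) for c in CHANNELS}
        req_id = secrets.token_urlsafe(8)
        self.requests[req_id] = ResetRequest(
            account_id=account_id, new_email=new_email, deadline=self.now() + DELAY,
            code_hashes={c: _h(codes[c]) for c in CHANNELS})
        self._send("phone", acct.phone, f"reset {req_id}: code {codes['phone']}")
        self._send("email", acct.email, f"reset {req_id}: code {codes['email']}")
        return req_id, codes

    def _check(self, req: ResetRequest, channel: str, code: str) -> bool:
        return secrets.compare_digest(req.code_hashes[channel], _h(code))

    def confirm(self, req_id: str, channel: str, code: str) -> str:
        """Owner answers a challenge. Both channels answered => reset immediately."""
        req = self.requests[req_id]
        if req.status == "pending" and self._check(req, channel, code):
            req.confirmed[channel] = True
            if all(req.confirmed.values()):
                req.status, req.reset_token = "reset_now", secrets.token_urlsafe(16)
        return req.status

    def cancel(self, req_id: str, channel: str, code: str) -> str:
        """Owner aborts a request they did not make. Assumed step: the comment only
        implies that the delay exists so the real owner can react in time."""
        req = self.requests[req_id]
        if req.status == "pending" and self._check(req, channel, code):
            req.status = "cancelled"
        return req.status

    def process_deadlines(self) -> List[str]:
        """Fallback: a request still unanswered after DELAY is delivered to new_email."""
        fired = []
        for req_id, req in self.requests.items():
            if req.status == "pending" and self.now() >= req.deadline:
                req.status, req.reset_token = "reset_delayed", secrets.token_urlsafe(16)
                self._send("email", req.new_email, f"reset {req_id}: token {req.reset_token}")
                fired.append(req_id)
        return fired

def make_service() -> Tuple[ResetService, FakeClock]:
    """Constructed demo data: one account, clock fixed at an arbitrary date."""
    clock = FakeClock(datetime(2012, 1, 1, tzinfo=timezone.utc))
    accounts = {"alice": Account(phone="+15550100", email="alice@example.com")}
    return ResetService(accounts, clock), clock

if __name__ == "__main__":
    # Nobody answers, three days pass, the token goes to the caller-supplied address.
    svc, clock = make_service()
    rid, _ = svc.request_reset("alice", "mallory@example.net")
    clock.advance_days(3)
    print(svc.process_deadlines(), svc.requests[rid].status, svc.outbox[-1])
```

Run stand-alone it plays out the unanswered path: no challenge is answered, three days pass, and the reset token is delivered to the new address. The design point is the comment's own: the support worker can open a request but holds no code and cannot shorten the deadline, so what is left to an attacker is outlasting the owner's connectivity.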

Now all an attacker has to do is wait for me to go on a cruise, or camping trip, or basically take any action which means I'm out of communication for a week or more.
It's a change from near-zero security like now, to having to know your routine, travel, and communication plans. Perfect? No, but what is?

Well, yeah -- I said "greatly mitigated".

I can't think of the last time I was completely cut off from both phone and email for more than 3 days. Can you? I travel around the world regularly enough (I was in Malaysia in November; I'll be in Rwanda in March), but never with breaks in connectivity lasting more than 3 days.

I don't go wandering into the wilderness for more than a day trip, admittedly... but I'm also pretty sure most other people don't do that regularly, either.

So that's better than before, right?

Or, if requested, just never allow password resets. Period.