Is this new, or have online accounts never offered the ability to update your email address easily?
I don’t know your specifics, but implementing adequate security and being mildly infuriating often go hand in hand by necessity.
deleted by creator
Being able to update or rotate email addresses is a security matter, so I’d rather have that control than not.
For example, someone mentioned that if a bad actor had access to your email, they would be able to access all your accounts.
But I would argue that if your email address was compromised, and you needed to change the login email for important accounts as a counter-measure, this wouldn’t be an easy option. So this bad actor would have more control over your accounts (i.e. resetting passwords) than the user.
I don’t mind implementing strong security, as it’s often done when setting up an account for the first time, getting 2fa enabled, etc. But updating an email shouldn’t be this difficult. My banks allow me to do it, but our local sporting good store doesn’t? Come on! 😂
I’m not going to go down the route of arguing whether or not the bank should allow it to be easy to change your email address, but if somebody has compromised your email with the intention of compromising your other accounts, they are going to change the email addresses and passwords on those accounts before you have a chance to react, and you’re going to be on the phone with each one of those institutions anyway. You don’t hear a lot of this happening anyway, because it’s usually a lot safer to con somebody out of their money than it is to smash and grab out of their accounts, and probably as easy if not easier.
As for the sporting goods store, I can imagine a couple of reasons for their decision, but it probably has as much to do with spamming your email as it does security, if it has anything to do with security at all.
but if somebody has compromised your email with the intention of compromising your other accounts, they are going to change the email addresses and passwords on those accounts before you have a chance to react
Well, I’m only doing to disagree because it’s impossible to log into my important accounts without being notified by texted and/or being asked for a 2fa authentication.
The way I see it, changing an email address doesn’t really do any damage, only causes inconvenience.
I’d be more worried about changing a shipping address and using a saved credit card to make real purchases. That’s what companies should protect against, but I’ve never had to prove my residence to any of them.
As for the sporting goods store, I can imagine a couple of reasons for their decision, but it probably has as much to do with spamming your email as it does security, if it has anything to do with security at all.
They’re actually pretty good with NOT spamming, but I did email their customer service to ask how I can change my email address, and they asked that I call.
Your email is often the only method used/available to recover an account you’ve lost access too. Changing it requires absolute certainty that it is the account owner making the change.
It’s frustrating, but a necessary evil imo.
At least changing it is an option; many places build their account systems around your email being immutable. If you want to change it, you’ve gotta make a new account and request anything you can’t manually move be moved over for you.
At least changing it is an option; many places build their account systems around your email being immutable.
Aka: “we outsourced development, and they determined it was easiest to make your email address a primary key in the database”
I have never used a single service that require me to contact support for an email change. Moreover, they email you a link to verify and if you don’t, the email remains unchanged.
There’s literally no panic button for an email change not sure what era you’re computing in but it ain’t from the last 15 years.
Your email is often the only method used/available to recover an account you’ve lost access too.
Unfortunately, this is a weak security practice that really is used everywhere.
2fa helps mitigate the risk. An alternative email or even (cringe) a phone authentication is better than email recovery.
Changing it requires absolute certainty that it is the account owner making the change.
While that sounds good, it’s really not reality. An angry spouse, who would have access to their partner’s email address through a shared computer (for example), could easily wreak havoc by using this exploit.
But if that partner used random email addresses and strong 2fa, there’s almost no risk.
There’s unfortunately a fine line between too-easy access to someone’s accounts, and losing all your account if you forget the login details. I’m willing to take the latter option, because it’s less convenient for me (if that ever happens), but far better than if your data got into someone else’s hands.
Getting back to my OP… the vast majority of these accounts are not important enough for me to even worry about account security, so not being able to change the email address is just a poor user experience. My bank was by far the easiest to change emails on! LOL
Unfortunately, this is a weak security practice that really is used everywhere.
This we can agree on.
I cant think of a single account that I’ve had to call anyone to change, as long as I had access to both email addresses (the one I was changing from and the one I was changing to).
I recently changed my personal email. Updated every account I knew of (thanks Bitwarden!!). Updated about 120 accounts, closed maybe 20, and 5 or so can’t be changed.
Of the ~120 that I changed, I think about half of them were easy to change. Not much confusion. There was a clear enough process. Etc. Most of the rest were difficult to change but I could do so on my own eventually.
Something like ~10 accounts required emails and phone calls to support.
A few were terrible. Things like updating my email address in 10 places for one account. Or the updates go fine but just didn’t work, requiring many repeat attempts or phone calls.
So it’s a real problem in my experience. But not the norm. Maybe 1/10 rather than 9/10
I wish!
I tried to ditch Gmail completely and a year later I still have some services (my kids school etc) where the Gmail email is my login even though I’ve changed the email. Not possible to change the login.
I’ve run into that a few times, but usually just on financial sites or services where an attempted account hijack may be likely, and it’s ultimately a good thing. There have been one or two where it seemed entirely unnecessary though, so I get the frustration.
Yeah, anything handling sensitive data (medical, legal, financial, etc) absolutely needs stringent and thorough processes for completely changing login information (i.e. email address). But random superfluous websites I use for entertainment or socializing? Get outta here.
anything handling sensitive data (medical, legal, financial, etc) absolutely needs stringent and thorough processes for completely changing login information (i.e. email address).
Hardware-based 2fa would be nice, but it seems that these same organizations are among the only which DON’T have hardware-based 2fa and insist on texting codes, instead.
None of them actually take security seriously, even through all of them should be!
I agree, texted codes are not very secure and it honestly surprises me how common that quasi-2fa implementation still is. Granted, common thieves/scammers don’t typically go thru the hassle of emulating your number and generating a false sim card in order to intercept text messages meant for you. So, it’s still better than nothing, at least.
deleted by creator
but usually just on financial sites or services
Funny enough, all my banks allow me to change my email address easily through their app or website! And they DON’T offer strong 2fa, so security is the least of their priorities.
But so many sites, like our local hardware site or G2A (for buying software keys) don’t, and I’d rather close the account (done through their website, no less!) than go through the hassle of contacting support.
Man that does sound mildly infuriating.
I wish it was easier sometimes, but it can be a security issue.
It’s a security issue to NOT allow the updating of email addresses, though.
If I have to contact support to do any mundane change to an account, my email usually begins with ‘Delete my account’.
Security measures, most probably.
