Is this new, or have online accounts never offered the ability to update your email address easily?

  • bahbah23@lemmy.world
    link
    fedilink
    English
    arrow-up
    32
    ·
    9 months ago

    I don’t know your specifics, but implementing adequate security and being mildly infuriating often go hand in hand by necessity.

    • Showroom7561@lemmy.caOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      5
      ·
      9 months ago

      Being able to update or rotate email addresses is a security matter, so I’d rather have that control than not.

      For example, someone mentioned that if a bad actor had access to your email, they would be able to access all your accounts.

      But I would argue that if your email address was compromised, and you needed to change the login email for important accounts as a counter-measure, this wouldn’t be an easy option. So this bad actor would have more control over your accounts (i.e. resetting passwords) than the user.

      I don’t mind implementing strong security, as it’s often done when setting up an account for the first time, getting 2fa enabled, etc. But updating an email shouldn’t be this difficult. My banks allow me to do it, but our local sporting good store doesn’t? Come on! 😂

      • bahbah23@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        9 months ago

        I’m not going to go down the route of arguing whether or not the bank should allow it to be easy to change your email address, but if somebody has compromised your email with the intention of compromising your other accounts, they are going to change the email addresses and passwords on those accounts before you have a chance to react, and you’re going to be on the phone with each one of those institutions anyway. You don’t hear a lot of this happening anyway, because it’s usually a lot safer to con somebody out of their money than it is to smash and grab out of their accounts, and probably as easy if not easier.

        As for the sporting goods store, I can imagine a couple of reasons for their decision, but it probably has as much to do with spamming your email as it does security, if it has anything to do with security at all.

        • Showroom7561@lemmy.caOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          but if somebody has compromised your email with the intention of compromising your other accounts, they are going to change the email addresses and passwords on those accounts before you have a chance to react

          Well, I’m only doing to disagree because it’s impossible to log into my important accounts without being notified by texted and/or being asked for a 2fa authentication.

          The way I see it, changing an email address doesn’t really do any damage, only causes inconvenience.

          I’d be more worried about changing a shipping address and using a saved credit card to make real purchases. That’s what companies should protect against, but I’ve never had to prove my residence to any of them.

          As for the sporting goods store, I can imagine a couple of reasons for their decision, but it probably has as much to do with spamming your email as it does security, if it has anything to do with security at all.

          They’re actually pretty good with NOT spamming, but I did email their customer service to ask how I can change my email address, and they asked that I call.

  • Darkassassin07@lemmy.ca
    link
    fedilink
    English
    arrow-up
    17
    arrow-down
    1
    ·
    9 months ago

    Your email is often the only method used/available to recover an account you’ve lost access too. Changing it requires absolute certainty that it is the account owner making the change.

    It’s frustrating, but a necessary evil imo.

    At least changing it is an option; many places build their account systems around your email being immutable. If you want to change it, you’ve gotta make a new account and request anything you can’t manually move be moved over for you.

    • ArtVandelay@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      ·
      9 months ago

      At least changing it is an option; many places build their account systems around your email being immutable.

      Aka: “we outsourced development, and they determined it was easiest to make your email address a primary key in the database”

    • meseek #2982@lemmy.ca
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      I have never used a single service that require me to contact support for an email change. Moreover, they email you a link to verify and if you don’t, the email remains unchanged.

      There’s literally no panic button for an email change not sure what era you’re computing in but it ain’t from the last 15 years.

    • Showroom7561@lemmy.caOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 months ago

      Your email is often the only method used/available to recover an account you’ve lost access too.

      Unfortunately, this is a weak security practice that really is used everywhere.

      2fa helps mitigate the risk. An alternative email or even (cringe) a phone authentication is better than email recovery.

      Changing it requires absolute certainty that it is the account owner making the change.

      While that sounds good, it’s really not reality. An angry spouse, who would have access to their partner’s email address through a shared computer (for example), could easily wreak havoc by using this exploit.

      But if that partner used random email addresses and strong 2fa, there’s almost no risk.

      There’s unfortunately a fine line between too-easy access to someone’s accounts, and losing all your account if you forget the login details. I’m willing to take the latter option, because it’s less convenient for me (if that ever happens), but far better than if your data got into someone else’s hands.

      Getting back to my OP… the vast majority of these accounts are not important enough for me to even worry about account security, so not being able to change the email address is just a poor user experience. My bank was by far the easiest to change emails on! LOL

      • bahbah23@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        Unfortunately, this is a weak security practice that really is used everywhere.

        This we can agree on.

  • fjordbasa@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    9 months ago

    I cant think of a single account that I’ve had to call anyone to change, as long as I had access to both email addresses (the one I was changing from and the one I was changing to).

    • Lodra@programming.dev
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      I recently changed my personal email. Updated every account I knew of (thanks Bitwarden!!). Updated about 120 accounts, closed maybe 20, and 5 or so can’t be changed.

      Of the ~120 that I changed, I think about half of them were easy to change. Not much confusion. There was a clear enough process. Etc. Most of the rest were difficult to change but I could do so on my own eventually.

      Something like ~10 accounts required emails and phone calls to support.

      A few were terrible. Things like updating my email address in 10 places for one account. Or the updates go fine but just didn’t work, requiring many repeat attempts or phone calls.

      So it’s a real problem in my experience. But not the norm. Maybe 1/10 rather than 9/10

  • mysoulishome@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    ·
    9 months ago

    I tried to ditch Gmail completely and a year later I still have some services (my kids school etc) where the Gmail email is my login even though I’ve changed the email. Not possible to change the login.

  • Confused_Emus@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    9 months ago

    I’ve run into that a few times, but usually just on financial sites or services where an attempted account hijack may be likely, and it’s ultimately a good thing. There have been one or two where it seemed entirely unnecessary though, so I get the frustration.

    • bassomitron@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      9 months ago

      Yeah, anything handling sensitive data (medical, legal, financial, etc) absolutely needs stringent and thorough processes for completely changing login information (i.e. email address). But random superfluous websites I use for entertainment or socializing? Get outta here.

      • Showroom7561@lemmy.caOP
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        9 months ago

        anything handling sensitive data (medical, legal, financial, etc) absolutely needs stringent and thorough processes for completely changing login information (i.e. email address).

        Hardware-based 2fa would be nice, but it seems that these same organizations are among the only which DON’T have hardware-based 2fa and insist on texting codes, instead.

        None of them actually take security seriously, even through all of them should be!

        • bassomitron@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          I agree, texted codes are not very secure and it honestly surprises me how common that quasi-2fa implementation still is. Granted, common thieves/scammers don’t typically go thru the hassle of emulating your number and generating a false sim card in order to intercept text messages meant for you. So, it’s still better than nothing, at least.

    • Showroom7561@lemmy.caOP
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      2
      ·
      9 months ago

      but usually just on financial sites or services

      Funny enough, all my banks allow me to change my email address easily through their app or website! And they DON’T offer strong 2fa, so security is the least of their priorities.

      But so many sites, like our local hardware site or G2A (for buying software keys) don’t, and I’d rather close the account (done through their website, no less!) than go through the hassle of contacting support.

    • Showroom7561@lemmy.caOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      2
      ·
      9 months ago

      It’s a security issue to NOT allow the updating of email addresses, though.

  • verysoft@kbin.social
    link
    fedilink
    arrow-up
    3
    ·
    9 months ago

    If I have to contact support to do any mundane change to an account, my email usually begins with ‘Delete my account’.