Changing email provider in the age of 2FA


Published on 10 March 2022 by Andrew Owen (4 minutes)

Changing email provider is simple, right? Wrong. After the week I’ve had, I think there’s an argument that you should be able to transfer your email address to another provider, just like you can with a cell number. Of course, there are technical impediments to this. But I can foresee a future where your email address is unique to you and isn’t tied to the service provider’s domain at all. Or maybe we’ll all just use a DNA reader to log in.

If you’ve ever had to change your cell number, you know that can be a pain. But with so many websites now using email for two-factor authentication, if you were to lose access to your email, how bad would that be?

Hopefully you’ll never be in the situation I found myself in. I had over 200 online accounts linked to my primary email address, and there was a credible risk of me not being able to access that email from the end of the week. While I’d still be able to access my accounts, if I had to do a password reset on any of them I’d be out of luck.

With the rise in cyber crime (I got an extortion email that I traced back to an Azure cluster in the US while I was doing the update), two-factor authentication has become the norm. For older accounts where they don’t have your cell number, they fall back on using your email address. So if there’s a problem with your account, such as it being deactivated due to lack of use, you’ll need access to your email address to reactivate it. Which means you want to make absolutely sure that your email provider isn’t going to disappear. What I should’ve done was set up mail forwarding from a domain that I own the rights to. But that would’ve taken extra time and I had a hard deadline approaching.

Friends were surprised by the number of accounts I had to change, but I suspect there are two reasons for this. First, I registered almost all the accounts before single sign-on with services like Facebook and Google was available. Second, I’ve been using a password manager for nearly a decade, so I have a comprehensive list of all the sites I’m registered with. I suspect it’s not uncommon for people to have this many accounts, it’s simply that they’ve forgotten about them and their personally identifiable information is sitting out there waiting to be harvested.

Because email is now commonly used for two-factor authentication, most sites make it difficult or even impossible to change your email address. This is particularly true of financial institutions. As a result, I spent a lot of time on calls to customer support. I’m pleased to say that every single person I dealt with was really helpful.

Aside from all the online accounts, I also had to deal with a vast number of mailing list subscriptions. I rarely have time to read all the emails I get as it is, so aside from one or two lists that are important to me, I unsubscribed. All told, I think it took me about 32 hours to get it all sorted. But on the upside, all my details are now up-to-date on every site, and I was able to get rid of about 20 dead sites from my list.

One thing that sped things up was that I didn’t have to download 23 years of emails, because I’d already set up a Roundcube mail server on my NAS drive that automatically offlines my emails (and is backed up to local and secure remote storage). And the moral of the story is, before you name your child, think about what their email address should be and then register it with a provider you expect to still be around in 100 years time.

Afterthought

As it happened, it wasn’t Russia that cut me off from my email provider, it was my own ISP. Fortunately, I’m still able to access the account using my cell phone over 4G. This was important because of course I didn’t have every single account registered in my password manager. And then later in the year the password management service I used suffered an intrusion and a lot of people abandoned the service. The lesson there is to not use weak passwords, especially those containing dictionary words or substitutes, for your master password. And don’t reuse passwords. Personally, I’d rather use a password management service that’s upfront about it when there’s an intrusion than one that claims to have never had an intrusion.
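The two practical tasks in this post, working out which accounts are still tied to an email address you might lose and checking for reused passwords before a migration, can both be done from a password manager export. The script below is an added example, not code from the original post; it assumes a generic CSV export with name, url, username and password columns (most managers can produce something close to this) and runs on a small constructed sample, so the addresses, sites and passwords are made up rather than real credentials.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample export in the generic CSV layout many password managers
# can produce (name,url,username,password). Assumed format; not real data.
SAMPLE_EXPORT = """name,url,username,password
Bank,https://online.examplebank.com/login,andrew@oldisp.example,Tr0ub4dor&3
Shop,https://shop.example.com/,andrew@oldisp.example,correct horse battery staple
Forum,https://forum.example.org/,andrew@mydomain.example,Tr0ub4dor&3
Newsletter,https://news.example.net/,Andrew@OldISP.example,hunter2
Git hosting,https://git.example.com/,andrew,hunter2
"""


def parse_export(text):
    """Parse a CSV export into a list of dicts with lowercased header names."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        rows.append({(k or "").strip().lower(): (v or "").strip()
                     for k, v in row.items()})
    return rows


def site_of(row):
    """Identify an entry by its hostname, falling back to the entry name."""
    host = urlparse(row.get("url", "")).hostname
    return host or row.get("name", "?")


def accounts_using(rows, email):
    """Sites whose username is the given address (case-insensitive), sorted."""
    target = email.lower()
    return sorted(site_of(r) for r in rows
                  if r.get("username", "").lower() == target)


def reused_passwords(rows):
    """Map each password that appears more than once to the sites sharing it."""
    by_password = defaultdict(list)
    for r in rows:
        if r.get("password"):
            by_password[r["password"]].append(site_of(r))
    return {pw: sorted(sites) for pw, sites in by_password.items()
            if len(sites) > 1}


def report(text, old_email):
    """Summarise what has to change before the old address stops working."""
    rows = parse_export(text)
    return {
        "total": len(rows),
        "tied_to_old_email": accounts_using(rows, old_email),
        "reused": reused_passwords(rows),
    }


if __name__ == "__main__":
    r = report(SAMPLE_EXPORT, "andrew@oldisp.example")
    print(f"{len(r['tied_to_old_email'])} of {r['total']} accounts "
          "still use the old address:")
    for site in r["tied_to_old_email"]:
        print("  ", site)
    # Passwords themselves are never printed, only the sites that share one.
    for sites in r["reused"].values():
        print("same password reused on:", ", ".join(sites))
```

Running it against your own export gives you the work list the author built by hand: every site that would need a support call if the address went away, plus any password shared across sites that should be rotated while you are in there anyway.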