The security vulnerability isn't with the websites (LinkedIn, Facebook, etc) - it's with you (not keeping your email addresses up to date) and the organisation that is repurposing your email address.
Having multiple email addresses associated with your account wouldn't significantly increase the attack surface (apart from increasing attack surface for phishing and the like).
I can't recall GitHub doing this, but LinkedIn definitely encourages one to enter lots of addresses without thinking about the security implications of losing control of one of them. They do that for cynical reasons: the more addresses they have, the more cross-referencing they can do.
But like I wrote: I cannot know when an email address gets out of my control. When I quit a job sure! But not when someone gains access, not when that mail gets recycled (or mistakenly taken as an alias - re:my dilemma in the post)
Even if I kept two email addresses, resetting a password should have more steps than just "click this link once" in any of those inboxes.
An impassioned article, but the ultimate takeaway is that websites that accept ownership of an email address as some sort of identity proof do not operate optimally when you lose control of any associated email addresses. So, stick to one or two email addresses not generally subject to organizational appropriation, and accept that we don't have the tools for stronger authentication for this class of website at similar cost.
Too impassioned for my own taste but that's how it was in the spur of the moment. I still cannot understand what through their mind making it so easy I have never reset a password, only changed it on one of these services where I have 2FA enabled and I expected them to make use of 2FA! Like it is today, it is harder for me to change my own password (enter email and password, enter 2FA code, go to settings, enter password --- again only password ---, change password) than to reset it (enter email, click link in my inbox, change password)
9 comments
[ 3.1 ms ] story [ 21.3 ms ] threadHaving multiple email addresses associated with your account wouldn't significantly increase the attack surface (apart from increasing attack surface for phishing and the like).
Even if I kept two email addresses, resetting a password should have more steps than just "click this link once" in any of those inboxes.
To the OP: You probably mean exponentially here? O(log n) would be much better than O(n)