The “email is authentication” pattern

Email as the de facto identity and “root account”

  • Many note that because almost all services support “forgot password via email,” email already is the real authentication and account-recovery root, no matter how fancy the primary login looks.
  • Email is seen as the “lowest common denominator”: everyone has it, and major providers’ security is usually better than that of random sites.
  • Concern: if you lose email access (provider lockout, domain lapses, provider shutdown), you can lose access to many accounts at once.

Magic links / email OTP as primary login

  • A growing number of sites skip passwords entirely: enter email → receive code or link → you’re in.
  • Supporters:
    • Great for infrequent/low-value accounts and B2B tools where users log in rarely.
    • Avoids password storage, password rules, and password managers most people won’t use.
    • For some funnels (ecommerce, “guest login”), this improves conversion.
  • Critics:
    • Very annoying for users with password managers; slower than autofill + TOTP.
    • Depends on timely email delivery; greylisting, spam filters, corporate scanners, and link prefetchers often break or delay the flow.
    • Painful when email is on a different device than the browser/app.
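
To make the trade-offs above concrete, here is an added example (not code from any site or commenter in the thread) of the server side of a magic-link / email-OTP login. It shows the controls a defender wants on this pattern: the token is generated from the OS CSPRNG, only its hash is stored, it expires, it is single use, the comparison is constant time, and the low-entropy 6-digit OTP has a guess cap. The in-memory store, the 15-minute TTL and the 5-attempt limit are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a link or code is good for 15 minutes
MAX_OTP_ATTEMPTS = 5          # a 6-digit code has ~20 bits of entropy, so guesses must be capped


def _hash(value: str) -> str:
    # Store only a digest: a dumped table of pending challenges must not yield live tokens.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Challenge:
    email: str
    token_hash: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class EmailLoginStore:
    """In-memory stand-in (assumed) for the table of pending magic links and OTPs."""

    def __init__(self) -> None:
        self._challenges: Dict[str, Challenge] = {}

    def _create(self, email: str, token: str, now: float) -> str:
        challenge_id = secrets.token_urlsafe(16)   # opaque lookup key carried in the URL/form
        self._challenges[challenge_id] = Challenge(email, _hash(token), now + TOKEN_TTL_SECONDS)
        return challenge_id

    def issue_magic_link(self, email: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Return (challenge_id, token); both go into the emailed link, nothing else leaves the server."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG, unguessable
        return self._create(email, token, now), token

    def issue_otp(self, email: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Return (challenge_id, code); a short code the user can type from another device."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        return self._create(email, code, now), code

    def redeem(self, challenge_id: str, presented: str, now: Optional[float] = None) -> Optional[str]:
        """Return the verified email on success, None on any failure (the reason is not disclosed)."""
        now = time.time() if now is None else now
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.used or now > ch.expires_at:
            return None
        ch.attempts += 1
        if ch.attempts > MAX_OTP_ATTEMPTS:
            ch.used = True                           # burn the challenge after too many guesses
            return None
        if not hmac.compare_digest(ch.token_hash, _hash(presented)):
            return None
        ch.used = True                               # single use: a replayed link does nothing
        return ch.email
```

Because the token is single use, the link-prefetcher problem the critics raise is real: a mail scanner that follows the URL would consume it. The usual mitigation is to have the GET render a confirmation page and call `redeem` only from the user's POST, so an automated fetch does not spend the token.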

Phones, SMS, and other authentication options

  • Broad agreement that phone numbers are weaker than email (SIM swap, carrier social engineering, SS7 issues).
  • SMS 2FA is seen as convenient but fragile; some prefer TOTP/authenticator apps or passkeys.
  • Some argue that “2FA” is hollow if password reset via email bypasses it.
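
The last point is worth showing in code. Below is an added example (not from the thread) of a password-reset handler in its criticised form beside a hardened form that also demands the enrolled second factor, with a small RFC 4226/6238 TOTP implementation so it runs offline. The account model, PBKDF2 parameters and one-step drift window are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now // step))


def totp_matches(secret: bytes, code: str, now: float, drift_steps: int = 1) -> bool:
    """Accept the current step and drift_steps either side; every candidate is compared."""
    counter = int(now // TOTP_STEP_SECONDS)
    results = [hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-drift_steps, drift_steps + 1)]
    return any(results)


@dataclass
class Account:
    email: str
    password_hash: bytes
    salt: bytes
    totp_secret: Optional[bytes]   # None when the user never enrolled a second factor (assumed model)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _store_new_password(account: Account, new_password: str) -> None:
    account.salt = secrets.token_bytes(16)
    account.password_hash = hash_password(new_password, account.salt)


def reset_password_weak(account: Account, email_link_verified: bool, new_password: str) -> bool:
    """The pattern the thread criticises: proving control of the mailbox replaces the password
    and, with it, the second factor protecting the normal login."""
    if not email_link_verified:
        return False
    _store_new_password(account, new_password)
    return True


def reset_password_hardened(account: Account, email_link_verified: bool,
                            second_factor_code: Optional[str], new_password: str,
                            now: Optional[float] = None) -> bool:
    """Reset requires the email link AND the enrolled second factor, so email alone cannot bypass 2FA."""
    now = time.time() if now is None else now
    if not email_link_verified:
        return False
    if account.totp_secret is not None:
        if second_factor_code is None or not totp_matches(account.totp_secret, second_factor_code, now):
            return False
    _store_new_password(account, new_password)
    return True
```

Note what the hardened version does not fix: an account that never enrolled a second factor still has email as its recovery root, which is exactly the thread's observation about email being the real root account.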

Government / bank / postal digital IDs

  • Several countries’ schemes (national e-ID, BankID, login.gov-like systems, postal-service IDs) are discussed.
  • Pros: strong recovery channel, in-person recourse, possibly pseudonymous per-site tokens.
  • Cons: privacy, central tracking, exclusion of unbanked/non-citizens, complex onboarding, and heavy regulation; concerns about putting even more power in governments and banks.

Human factors, recovery, and crypto analogies

  • Strong theme: any auth scheme must handle loss and recovery for normal humans; “lose key, lose everything” (as in self-custodied crypto) is seen as incompatible with mass adoption.
  • Secret-sharing / “panel of peers” recovery is debated: theoretically good, but UX, phishing, and real-world coercion risks are highlighted.
  • Many see backup discipline and key management as beyond what most people will reliably do without very opinionated, guided UX.