Keeping emails private defeats their purpose as a communication address and can lead to a false sense of security instead of properly controlling passwords and multi-factor authentication.
Yes because that's the same as requiring two passwords. It's even more secure to get three or five. But using the email address serves a different purpose, people rarely forget them.
While that is of course true enough, I go to a fair amount of trouble to remove my name, age, address, etc., from public databroker sites because I value my privacy. I don't want my email going around either. Any information leakage can be used to harm me.
They're a public endpoint and are open to receiving from any other address. It's no different than your physical address. You don't use them for authentication or marketing, they're just an identifier. Keeping them private accomplishes nothing.
One major issue with email address reuse is social engineering. It's a lot harder to attack someone's account if you can't even provide the email address.
Right now if you know someone's personal email, you can be pretty sure they use it everywhere. It's not a good practice, but it's hard to understand why until you've been the target of wtf-level social engineering attacks where someone got into one of your many accounts starting with nothing but an email address they don't even control.
Of course, there are some issues with the OP's email forwarding service:
1. You have to be someone concerned enough about security to want to generate email addresses, yet you have to be cool piping them through a third party. Ouch.
2. Niche product. I didn't realize how bad social engineering could be until I started hosting bitcoin services. I've had people break into my AWS accounts twice (with bogus information) after Amazon told me they made a note on my account and that it should now be impossible. As we speak, I cannot get into nor cancel an AWS account that someone SE'd that's charging my CC every month even though it has my CC on file. I have to issue a charge-back. It's hilarious. Amazon thinks an email is more authenticating than a CC that's been on file for years before the attacker changed the email. They literally don't even have a customer support process for this situation. 99% of people even on HN have no clue how pwned they'd be if they're ever a target.
3. It's more of a feature on an existing product than a standalone service. I'd expect players like 1Password to implement it themselves.
It’s not too hard to set up your own VPS with Debian/OpenBSD and do the email forwarding/server yourself. The key is that it’s then literally a matter of a bash script to generate and accept one-time email addresses.
You have to jump through a few hoops for Gmail to accept your emails. The documentation is there.
If you’re already running a VPS for other reasons, then this is free. If you’re not, then VPSs are extremely cheap anyway.
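A minimal sketch of the "script to generate and accept one-time email addresses" idea from the comment above, added here as an example and not the commenter's own script. The table format, the function names and the `mail.example.com` domain are assumptions; hooking the lookup into a particular mail server is left out.

```shell
#!/bin/sh
# Constructed sketch: per-service throwaway aliases kept in a flat table.
# Table line format (an assumption): alias dest expiry_epoch service
DOMAIN="${DOMAIN:-mail.example.com}"   # placeholder domain

# new_alias SERVICE DEST TABLE [TTL_DAYS] -> prints the new address
new_alias() {
    # Keep the free-text label to one safe, space-free field.
    service=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')
    dest=$2 table=$3 ttl_days=${4:-30}
    # 64 bits from the kernel CSPRNG, so an alias cannot be guessed from
    # the service name or derived from another alias.
    token=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    expiry=$(( $(date +%s) + ttl_days * 86400 ))
    addr="${token}@${DOMAIN}"
    # The table maps aliases to the real mailbox: keep it owner-only.
    ( umask 077; printf '%s %s %s %s\n' "$addr" "$dest" "$expiry" "$service" >> "$table" )
    printf '%s\n' "$addr"
}

# lookup_alias ADDR TABLE [NOW] -> prints DEST and returns 0 when ADDR is a
# known, unexpired alias; returns non-zero otherwise (caller rejects mail).
lookup_alias() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    now=${3:-$(date +%s)}
    awk -v a="$addr" -v now="$now" '
        $1 == a && $3 > now { print $2; found = 1; exit }
        END { exit !found }' "$2"
}

# revoke_alias ADDR TABLE: drop one alias (for example after it appears in
# a breach) without affecting the address used for any other account.
revoke_alias() {
    tmp=$(mktemp) || return 1
    awk -v a="$1" '$1 != a' "$2" > "$tmp" && mv "$tmp" "$2"
}
```

Because each service gets its own random address, knowing the address used at one site says nothing about the login identifier at another, which is the social-engineering concern raised earlier in the thread.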
Emails are not used for authentication. Access to an email account can be used for authentication via the “reset password” approach.
Emails are an ID on most sites, that’s it. Just because you provide the email as an ID for the account you want to authenticate against doesn’t mean it’s a factor of the authentication.