> The solution to that is to make the increasingly intrusive security processes an opt in
Absolutely. A common phrase is "mechanism, not policy". The service providers should be enabling all kinds of mechanisms for account level security so users can pick what works best for them. They should absolutely not be imposing any kind of policy. That's where all the source of trouble comes from.
Only I know the threat models I care about for any particular account I have.
For some of them, preventing unauthorized access is the top priority and I'll enable geofencing, 2FA, hardware tokens.
For other accounts, availability is an absolute must and more important than anything else so for those I'll just have a strong password.
Only I can possibly know the correct answer, so for a service provider to come in and impose their policy on my requirements is fundamentally wrong.
> Only I know the threat models I care about for any particular account I have.
You are not necessarily the person being negatively affected.
Email service providers are all about reputation so their stuff isn't marked as spam. When your account gets hacked and starts sending viagra ads, you are not the one who suffers the fallout.
There are lots of email providers out there with different policies. One of the reasons gmail is popular is because of these policies.
Gmail is already a well-known spammer. Loads of spam come from Google, I see it every day, by far the biggest source of spam I see. Unfortunately, they're also so big, with so many legitimate users, that you can't block them wholesale if you're expecting to deal with the public, many of whom have a gmail address.