On Sun, 2020-02-23 at 07:40 -0800, Roger Marquis via mailop wrote:
> Perhaps more interesting is the fact that the vast majority of ESPs don't
> even think about obfuscating _usernames_.  Are there good reasons to use a
> well known string like the email address for half of a credential?  While not
> the default it doesn't take much additional configuration to allow users to
> define their own MUA username which doesn't (and IMO shouldn't) have anything
> in common with their email address/es.

Technical support is the primary reason why ISPs don't obfuscate the
username into something difficult and hard to remember - like a
password. SSO using the email address as the username is the only
practical way to scale an email service where the end-users are assumed
to be non-technical. At the most basic level, forgetting their username
means they can't open a support request, which means a telephone call to
the support desk.

Implementing measures like 2FA along with policy-based authentication
is the way to prevent this type of abuse in a scalable manner.

Ken.