I don’t usually advocate for specific products, but I’m 100% on-board with this recommendation: Stop what you’re doing, go get a ProtonMail account, and use it as the verification account for your online self! ProtonMail is much more secure than any other mail provider and is the ideal place for password resets and bank account statements. Best of all, it’s free!
Email is not secure. Even with TLS and good passwords it’s far too easy to snoop, phish, or stumble into someone’s email account. And this is especially true of our “daily” email accounts: If you’re receiving email on your phone, iPad, and computers at home and work you’re leaving yourself vulnerable to account highjacks.
There’s really no way to fix this, and it’s not Google’s fault or anyone else’s. You want your email to be accessible whether you’re at home, at work, or on the road. And it’s useful to have email alerts “bust through” your lock screen.
This is one reason email is fundamentally insecure. Since you want it to work everywhere and go everywhere, it’s designed with the lowest common denominator in mind. So email protocols are fundamentally insecure by design. It’s a feature, not a bug!
But we don’t just use email to chat and do business. We also use our email accounts as a verification factor for password resets and to receive intensely-personal information from our banks, doctors, and so on. I don’t blame these sites for using email addresses for security: Email is the only universal account, and I much prefer emailed verification than some kind of proprietary authentication, handing over even more power to Facebook, Google, or Twitter!
Get a “Backstop” Email Account
It’s time to stop mixing communication and authentication in the same email account.
The solution is simple: Get another email account for security-related functions. You can keep using your regular email for regular communication, but redirect security and financial information to a secure account.
If someone was to hack into my email, they’ll hit the Gmail account since that’s all that’s set up on my iPhone, iPad, and MacBook. When I need to change a password or verify my credentials, I manually log in to my secure account using a web browser.
Many people use another provider for this sort of thing already. I long used a quiet Yahoo account for verification rather than my familiar Gmail-powered fosketts.net address. But after the recent Yahoo hack I stopped using this account and went looking for something better.
ProtonMail is a Great Backstop
I wanted to find a new account for security and authentication that was really secure:
- Encrypted at rest with serious security on the back-end
- Support for complex passwords and two-factor authentication
- Compatible with ordinary SMTP for incoming and outgoing mail
- No need to access from ordinary applications or standard IMAP protocol
- An iOS application would be nice as long as it’s secure too
- Location in a trustworthy location and legal jurisdiction and developed by credible people
- Cheap or free and managed (so I have less work to do)
ProtonMail checks all the boxes for me. It’s a secure email account in Switzerland with end-to-end encryption developed by CERN researchers. Internet email is exchanged using standard protocols but is encrypted using per-user private keys for storage. ProtonMail staff can’t access the contents of a mailbox even if they wanted to, and Switzerland has very strong notification and review laws.
Access to each email account uses a second key, which is decrypted on the client side using the account password. Email can be accessed through a browser-based application or mobile application for iOS or Android. And ProtonMail supports two-factor authentication standards, including Authenticator.1 ProtonMail even supports encrypted and authenticated account-to-account communication, but this isn’t one of my requirements.
To be clear: You can not access ProtonMail from a regular mail client. You have to use their webmail or mobile apps. And that’s a feature, not a bug, since it means that all mail access is secure, end-to-end!
In practice, ProtonMail has worked out great for me. I can use my account as the verification email for pretty much any online service and I feel much more confident that it won’t be hacked.
Since I only use my ProtonMail account for verification and authentication, I’m not as concerned with some of the peculiarities of the service. The iOS app works great, but it’s not integrated with everything else on my iPhone like Apple’s Mail app, and I have to enter my Authenticator code fairly frequently, slowing down access. But that’s not a hassle since I only use ProtonMail once every week or so. And they support desktop and mobile notifications, so I know when I need to log in.
It’s an easy decision: Get a free ProtonMail account and use that as your verification address for important financial and social media accounts. Keep using whatever email account you like for regular communication, but don’t mix security and communication!