Treating Email More Like a Password Manager

There is a natural tendency that communication tools, which never meant to be security devices, end up being used heavily for security purposes. This happened to both emails and mobile phones. You know, SMS to a mobile phone is still sometimes the only option for a second factor authentication, despite a lot of evidence that it's a very bad idea due to SIM swap attacks (check e.g. this or this). And emails are almost universally being used to reset passwords.

I say it's a “natural tendency”, because when the need for something new arises, people obviously try to find and (ab)use something that is already available. But then it strikes back, since first of all these tools were implemented with different goals in mind; and second, even our usage patterns remain mostly unchanged. So when it comes email and phones, we keep using them as if they were only for communication.

With mobile phones, what we all should be doing is, shortly: don't use it for security whenever possible (when stronger authentication methods are available). And for cases when a phone number is the only option, consider getting a separate number which no one knows, and which is used for no purpose other than authentication.

In this article though, we're focusing primarily on email: what's the problem with our usage patterns, and what we can do about it.

Before we begin: since not all readers are necessarily familiar with the security-related slang, let me clarify some terms that I'll be using:

• 2FA: two-factor authentication, in any form. E.g. if while logging to your bank you need to not only enter the login+password, but also a code from SMS, or a code from your app on the phone, etc, this is a form of 2FA;
• TOTP: means “Time-based One Time Password”, and it's referring to a particular implementation of 2FA by means of entering a code which e.g. an app on your phone generates (such as Authy or Google Authenticator)
• Security Key: it's another form of 2FA, and in this article I mean a physical device that is plugged into computer and performs authentication using the U2F or FIDO2 protocols. It can be a yubikey or a trezor or any other device supporting that functionality.

Alright, having that in mind, let's move on.

Our email often plays two very different roles: communication with other people, and a security backdoor to almost all other services we use. Those are very conflicting roles: for communication, for example, it of course makes sense to be always logged-in on all devices that we actively use, e.g. laptop and phone. However, does this usage pattern make sense for a security backdoor? Not at all. For a tool which can reset password for any other service we use, it makes a lot of sense to treat this tool similarly to how we treat a password manager: secure it as much as we can, only unlock it when we need it, and once we're done, lock it back asap.

At this point we can realize that using the same email address for both purposes might be a really bad idea: if we do that, obviously we'd have to pick one of those different usage patterns, and predictably, we'd rather treat it as just a tool for communication, neglecting the risk of having a security backdoor open all the time.

What happens, for example, if someone malicious gets unauthorized access to your laptop? You're probably logged into your email there, therefore this guy would be immediately able to log into many of your accounts where you don't use any 2FA, by just resetting the password via email. Good thing it wouldn't be enough to get into accounts where you do have some 2FA.

Now, what happens if this guy gets access not to your laptop, but your smartphone? You're probably logged into your email there too, and your 2FA is likely on your phone as well (either a TOTP app, like Authy or Google Authenticator, or even SMS). So not only they'll be able to again reset passwords via email; most likely they'll also be able to get even to the accounts where you do use 2FA. Effectively, your phone becomes a single factor that is enough to get into a lot of your accounts.

Obviously, getting a physical access to laptop or phone is not a requirement: most of the attacks are done remotely, by obtaining credentials, or via social engineering, etc. And one more potential issue of using the same address for communication and security is that everyone that you communicate with over email knows your email address. Therefore, if someone wants to hack into some of your accounts, they already know which email account to target. Even if people that you communicate with directly aren't malicious, they might inadvertently share your email with someone who is; email addresses aren't considered secret (again because email is mostly considered a communication tool).

There are some ways to mitigate those risks: on our smartphones, we can (and should) use a security lock for the phone itself, as well as hard-to-guess pin codes for apps such as Authy and preferably even email app (Not many email apps have that feature though. From the ones that I had a chance to try out, only ProtonMail app does). It will reduce the risk, and we definitely should take all those steps regardless. But to actually address the root problem that I'm talking about here, we should completely isolate our email address(es) for communication from those for security.

To fix the issues described above, we should stop using the same email address for those very different purposes, and at the very least, use 2 different email addresses:

• Secure address: for security of the accounts that we really care about, such as our bank, brokerage, cryptocurrency exchange, domain registrar, cloud provider, etc;
• Primary address: for communication and those accounts that we specifically don't want to use the Secure address for.

I mentioned “at the very least” 2 addresses because we can break things down further, and it might indeed be a good idea to break them down further, but for now just wanted to talk about the absolute bare minimum, the first step to move away from “a single email address for everything”.

So a few guidelines for this secure account:

• This one should be obvious, but let me still mention it: first and foremost, do not forward emails to your primary email address. If we do this, it'd pretty much defeat the purpose: the goal is to make it so that having access to the primary account does not mean being able to read emails from the secure account.
• Instead, set up an email notification: whenever your secure inbox receives a new message, if you're not logged in there, your primary inbox should receive a message saying something like: “You have new mail, log in to read it”. Not all email providers support notifications like that; more on providers later;
• Set up as many security measures as you can for this email:
  • Use a strong unique password (as you should do for all accounts anyway, using a password manager)
  • Use a strong second factor, such as TOTP and/or Security Key (in particular, use an email provider which does not force you to have a phone number; again more on providers later)
  • Don't set up any recovery method that would significantly undermine security; in particular, don't add your primary email account as a recovery for this security account. Instead, make sure to back up your password manager database and second factor secret material. This topic alone is worthy of a separate article or a few of them; but re: U2F Security Key backup, you can check this out: Reliable, Secure and Universal Backup for U2F Token
  • Most importantly though, don't lock yourself out. Having unique password and strong 2FA, without any recovery, is very secure, but if you ever lose access any of that, it can lead to a lot of problems. So, ask yourself, what would it take for you to actually lose access to this account? And take measures to make it extremely unlikely. If you don't yet know how to back up your credentials and 2FA properly, and feel that you need to have a phone number for recovery, go ahead and add this phone number, at least for now. Again though, this topic deserves a separate thorough article, so I'm not going to get into much detail here.
• Don't share the address with anyone; consider it a part of your secrets.
• Perhaps use it only for your important accounts, that you definitely don't want to lose access to. Don't use it for throwaway accounts that you don't care much about (primarily to avoid sharing this secure address any more than necessary, and also to reduce the noise in the secure account);
• It might be tempting to also make the address itself hard to read, like dx3mmuvhfoftpmtu98xku@whatever.com, since you don't need to remember it or to share it with people anyway (it should just be stored in your password manager). It's definitely a valid option, but I'm hesitant to recommend it since an email address like that might unfortunately be flagged by the service that you use it on. Probably better to use a meaningless, but more normally-looking address like swiftlight451@whatever.com.
• Don't login to it on your phone. Or at least, don't keep it permanently logged in; if you must login on the phone, make sure to log out right after you've done whatever you had to do;
• This one is a bit optional, but I'd still recommend it at least for consideration: if you want to actually treat it like a password manager, then even on your computer, only login there when you need it, e.g. when you received a notification that you have new messages there; and after you've read them, log back out. Sure, that might be a bit annoying logging in every time (which involves using second factor as well), but after a while you get used to that, and the security benefit might be worth the hassle. But as I said, this part might not be really necessary, so decide for yourself whether it's justified in your case or not.

This last point might or might not be too much, depending on which services you're using the secure email for. For example, if you use it for some forum where you'll constantly receive email notifications about new messages in whatever topics you're watching, then logging in multiple times a day is likely too much (yeah, unfortunately as of today most services still don't distinguish between security email and notification email, so you have to use one address for both of those functions).

So to avoid it you'd have to decide what tradeoff makes more sense: maybe you stay logged in to your secure email at all times on the laptop, or maybe it's better to just not use the secure email address for this particular account. As always, it's all about tradeoffs, and it's up to you to figure out.

So from the guidelines above, we have the following requirements for an email provider:

• Support strong 2-factor authentication (TOTP and/or Security Key)
• Allow NOT having any weak account recovery options, such as a phone number, or even another email address
• Support email notifications (that is, a message sent to another email address, like “You have new mail”, without forwarding the actual message).

As a bonus point, it probably makes sense to use a security- and privacy-focused provider, just because it's kinda in line of what we're trying to achieve here. It's also a good idea to use a different provider from your primary email account, just to diversify. So if your primary email provider is Gmail, consider using something else for the security one. Also, I didn't put any emphasis on how convenient it is to use, since by design we won't be interacting with this email account too much. So even if the UI is a bit clunky… whatever.

Trying to find the right provider might be a challenge, and you will probably need to spend some of your effort to find what works best for you, but let me at least share some of my experience using a few proviers. Also keep in mind that this section was written in December 2022, so if you're reading it much later, take it with a pinch of salt, because obviously providers change their plans, and they might also come and go.

I must admit I haven't tested a lot of email providers, so if you know some good ones not listed here which tick all the boxes, let me know. So far I tried for real 4 major providers: Gmail, Fastmail, ProtonMail, Tutanota. If you want a TL;DR on those four, I would offer this: if you need a free plan and email notifications once a day are good enough for you, use ProtonMail. If however you need faster notifications, or if you don't mind paying 1 EUR per month, or maybe if you already use ProtonMail as your primary email, then use Tutanota.

Why I don't like Gmail or Fastmail for the security account use case: shortly, neither of them support notifications to another email address, and both of them make it hard to not add a phone number as a recovery.

A funny note about Fastmail though: I was actually pissed off that they force me to add a phone number for recovery before I could add any 2FA, so I wrote them a message saying that it's bullshit and that it adds a lot of negative value for those who know how to back up their 2FA credentials properly. They responded by saying that there is a trick to make it possible: on the 2FA setup page, when it demands to add a phone number, one can press and hold Alt+Shift keys, and then the button to add 2FA will become available even without adding a phone number. I tried it out and it worked. So I guess their reasoning is that they don't want to deal with people losing access to the accounts due to 2FA, so they try to force everyone to add a phone number as a backdoor, but for weirdos like me who are annoyed enough to write them a message, there is this workaround.

Anyway, as I said I still don't like either of them, at least for the purpose of the secure email account, so that leaves us with ProtonMail and Tutanota (from those that I've tested). Let's try to figure which one is better for you.

Both of those providers tick all the boxes, and they are both privacy- and security-focused. Unlike free services like Gmail, they never read your messages to target you with ads, or anything like that. They also store everything in an encrypted form, and they have their own hardware. So they are both good options, but there are some differences which we can consider.

The most annoying part in Proton is that the email notifications are only sent once per day; I'd definitely like to receive a notification sooner. If however you plan to be be always logged in there, then it doesn't matter much.

They have a free plan, and at least at the time of writing, they even have a very interesting policy that an account which used to be paying for any amount of time in the past will never be deleted due to inactivity. So turns out it's an option to buy a single month for 5 EUR, downgrade after a month, and have a peace of mind that your free account will most likely stay forever.

I'm not saying that everyone should take advantage of it; in fact I believe that if you can easily afford it, then you should pay, to support them. But I'm sure there are people for whom Proton is expensive (as of today, the cheapest paid plan is 3.5 EUR per month when paid for 2 years in advance), and so this policy might become an important factor.

With Tutanota, email notifications are sent right away when a new message arrives (but after that, it won't send any more notifications until you log in and out at least once).

They also have a free plan; and free accounts which weren't active for 6 months will get deactivated. So they don't have this interesting policy to not ever delete accounts that ever paid anything. They are very cheap though: just 1 EUR per month, paid yearly; so very affordable.

So bottom line, I think both ProtonMail and Tutanota are great options for the use case being discussed, so just try them out and figure which one works best for you. Also as mentioned above, it's probably a good idea to diversify, so if you e.g. already use ProtonMail as your primary email, then use Tutanota for the secure one, and vice versa.

Then you can gradually migrate all the important services to the new email address of your choice, follow the guidelines outlined above, and have peace of mind that your primary email remains a communication tool only. All important security-related stuff has been moved to a separate security-focused account.

I think that the steps described above should be enough for most people and it's a significant improvement in security, so you can pretty much stop here and go on with your life. But if you want to consider some other things you can do, here we go.

One of the potential problems with using a domain that the email provider gives to us (e.g. myname@gmail.com or myname@proton.me) is that we rely on that particular provider a little bit too much, because sooner or later we might need to switch to some other provider. This might be something outside of your control, like the provider going out of business, or getting your account banned for whatever reason. Or this can be your personal choice, e.g. if you just found a much better one. So if any of that happens and you are forced to move to another provider, it inevitably means changing the address, which in turn means updating it on all the services that you use it for.

Another potential problem is that we reuse the same secure address for multiple services, and if that address is leaked anywhere (which means e.g. receiving spam on it), you might want to change it, which again means updating it on all the accounts that you use it for.

So to fix both of those issues and make your addresses more flexible and portable, you can consider buying a domain name, such as mymail.org (this particular one is taken already, but you get the idea). Having that, you technically can have any addresses which end with @mymail.org, so you'll be able to use a separate address per service, which is pretty cool. And if you ever need to move to another email provider, you'd only need to change DNS records for your domain (to point to the new provider), and after that all your emails will go to that new provider.

The domain itself will cost you something like 10-20 USD per year (so likely less than 2 USD per month; but also make sure to include WhoisGuard though, so that the contact information for this domain won't publicly expose your personal details. Some domain registrars include it with no extra charge, but still you need to make sure to enable it). Also, you'll almost certainly need to get some paid plan with the email provider as well; I'm not aware of any decent providers offering emails on a custom domain for free. As “sdofiofuvhsoifuh” mentioned in the comment below, https://www.infomaniak.com/ does actually offer free email hosting:

If you buy a domain you get email hosting for one email inbox (with aliases) and unlimited storage, until your domain expires.

That sounds pretty cool, I'll check it out. Also, as mentioned before, Tutanota is really cheap (1 EUR per month, billed annually), and that plan includes one custom domain, so that might be a good option as well.

Let me elaborate a bit more on the “separate address per service” idea. Even though you can technically have any address under @mymail.org since it's your domain, keep in mind that email providers tend to limit the number of addresses you can have: e.g. as of Dec 2022, Proton only offers 10 addresses on their “plus” plan, and Tutanota offers 5. You'll likely want to use this email for more services than this. But, good news is that both of those providers also support “catchall” address for a domain; what it means is that a message for any email address under your domain mymail.org will end up in your mailbox. So receiving on unlimited number of addresses is not a problem, but sending is a different story: it order to send from an address, it has to be added explicitly, and number of those are limited. But since this secure email account is mainly for receiving emails only (rarely do you need to send a message specifically from the email address that you registered on some service), it works perfectly fine. If however you really need to send from one of those addresses, it's possible to create such address explicitly, send a message from it, and when you don't need it anymore, delete the address. Both ProtonMail and Tutanota support this.

As you might know, there's no such thing as 100% security, so it's all about tradeoffs. I just tried to give you some ideas on how to make your online life a bit safer, so you can consider them and figure if they make sense for your case.

Have a good one, and I'll talk to you later!