I get the part where you list the possible inconveniences of email.
What I don't get is how having a smaller attack surface for losing a password, and using a secure password manager, mitigates the attack vector of getting access to my account with a password reset through my compromised email.
If I understand correctly you say that email is more vulnerable, so this only strengthens my point I guess?
Password reset is a rare event, so it has extra mitigations:
1. Extra security checks. For example, if you buy a new laptop and use a coffee shop's wifi to try to reset your bank password, they will lock your account. You will have to call and talk to a person and give extra personal information to get it unlocked.
2. Notify the user about the password reset. Use email, text, phone call, and postal mail.
3. Automatically lock the account if suspicious activity occurs in a time period after password reset. Examples:
- Orders over $100 shipped to new addresses.
- Risky transactions: buying gift cards, buying plane tickets in foreign countries, changing the delivery address of a shipment.
- Using a known device (with cookies/fingerprint) and the old password.
4. Require extra confirmation for transactions. Examples: re-enter credit card numbers, security codes, and personal id numbers (SSN in USA).
5. Preserve user data so it can be restored to the state before the password reset.
These mitigations work well enough for protecting accounts from fraudulent password resets.
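Mitigation 3 above (automatically lock the account on suspicious activity within a window after a password reset) is the kind of rule a fraud team would actually codify. The following is an added example, not code from either commenter, showing one way to express those three listed signals as a post-reset risk check. The window length, the $100 threshold, the transaction type names, and the account/event fields are all assumptions made for the example; the old-password comparison uses a plain SHA-256 only to keep the sample self-contained, where a real system would compare against its normal password hash.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

# Assumed policy values (constructed for this example).
POST_RESET_WINDOW = timedelta(days=7)
HIGH_VALUE_THRESHOLD = 100.00
RISKY_TRANSACTION_TYPES = {"gift_card", "foreign_flight", "change_shipping_address"}


def hash_password(password: str) -> str:
    # Stand-in for the real password hashing scheme; only used for comparison here.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    known_devices: Set[str] = field(default_factory=set)      # devices seen before the reset
    known_addresses: Set[str] = field(default_factory=set)    # delivery addresses used before
    old_password_hash: Optional[str] = None                   # hash of the pre-reset password
    last_reset_at: Optional[datetime] = None
    locked: bool = False
    lock_reason: Optional[str] = None


@dataclass
class Event:
    kind: str                              # "order", "transaction" or "login"
    at: datetime
    device_id: Optional[str] = None
    amount: float = 0.0
    address: Optional[str] = None
    txn_type: Optional[str] = None
    password_hash: Optional[str] = None


def in_post_reset_window(account: Account, now: datetime) -> bool:
    """True while the account is still inside the elevated-risk period after a reset."""
    if account.last_reset_at is None:
        return False
    return timedelta(0) <= now - account.last_reset_at <= POST_RESET_WINDOW


def assess(account: Account, event: Event) -> Optional[str]:
    """Return a lock reason if the event matches one of the post-reset rules, else None."""
    if not in_post_reset_window(account, event.at):
        return None
    # Rule: high-value order shipped to an address the account has never used.
    if (event.kind == "order" and event.amount > HIGH_VALUE_THRESHOLD
            and event.address not in account.known_addresses):
        return "high-value order to a new address shortly after password reset"
    # Rule: transaction types that are common cash-out paths.
    if event.kind == "transaction" and event.txn_type in RISKY_TRANSACTION_TYPES:
        return f"risky transaction ({event.txn_type}) shortly after password reset"
    # Rule: a previously known device presenting the OLD password suggests the real
    # owner did not perform the reset.
    if (event.kind == "login" and event.device_id in account.known_devices
            and event.password_hash is not None
            and event.password_hash == account.old_password_hash):
        return "known device used the pre-reset password after password reset"
    return None


def apply_event(account: Account, event: Event) -> Optional[str]:
    """Evaluate the event and lock the account if a rule fires; returns the reason."""
    reason = assess(account, event)
    if reason is not None:
        account.locked = True
        account.lock_reason = reason
    return reason


def make_demo_account() -> Account:
    # Constructed sample account: reset happened on 2024-01-01.
    return Account(known_devices={"laptop-1"}, known_addresses={"home"},
                   old_password_hash=hash_password("old-secret"),
                   last_reset_at=datetime(2024, 1, 1))


if __name__ == "__main__":
    acct = make_demo_account()
    for ev in [
        Event("order", datetime(2024, 1, 2), amount=50.0, address="unit 9"),
        Event("order", datetime(2024, 1, 2), amount=250.0, address="unit 9"),
    ]:
        print(ev.kind, ev.amount, "->", apply_event(acct, ev), "| locked:", acct.locked)
```

Each rule only fires inside the window, so normal activity weeks after a legitimate reset is unaffected; the "known device with old password" rule is the interesting one because it is evidence in favour of the real owner rather than the attacker, and locking at that point is what makes mitigation 5 (restoring pre-reset state) practical.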