
Please consider adding an option to never ever allow recovery of the account without the password, similar to how gandi does it.

My email account / domain is my central hub for all my accounts. All of them can be taken over through fastmail (with the exception of my domain and other extremely crucial services) if an attacker happens to obtain access to it. I want to have the security that this attack cannot happen to me.



I'm assuming you have 2FA turned on already.

It sounds from what you're saying like what you (and at least a few other hacker news posters) want is an even stricter "no seriously, I promise I won't ever screw up" mode.

We try not to have those kinds of modes, because (for example):

https://ianix.com/pub/dnssec-outages.html

It turns out, black-and-white security models lead to massive losses of availability when people screw them up - and people do. Though I have to confess to being amazed to see Tony Finch amongst the recent "oops". NASA is maybe not so much of a surprise.

Having said that - if there's enough demand, that would be a worthwhile feature. Accounts that aren't being used are cheap for us to run, and that flag would make the security team's job really easy - just say "no, go find your own way in" without having to review anything!


Bron, I think your concerns are justified and understandable. Thanks for entertaining the idea.

I am one of those advocates and would enable such an option if given. That said, I did have an instance when I had to call AWS support because of their own screw-up. I closed the AWS portion of my account but not the Amazon.com shopping portion. I later found out that I can no longer remove 2FA on the AWS portion because I no longer have it. I no longer have it because I already closed the account and thought it was safe to remove. However, because of their faulty system design, a closed account was enforcing 2FA on my Amazon.com portion, preventing me from accessing it. In this case, the support agent helped me to regain access.

That support agent's ability to fix their faulty system design is both good and a potential liability. I wouldn't want a "I won't ever screw up" mode there.

In the case of email though, when certain conditions are met, it becomes a safer thing to do compared to getting screwed over by support staff.

The pre-conditions are:

1) The user is using custom domains only

2) The user has past emails backed up on his/her own devices

When these conditions are met, the user has complete control of their email destiny. In the case of losing FastMail account access, they can continue to receive email because they control the domain. They also have complete email history because they back it up.

That said, I believe your clearer response elsewhere in this thread is good enough for me personally. I was concerned before because of the vague responses. I think for FastMail, the risk perhaps outweighs the better security for me personally even if I would welcome it.


There is no demand for password-only protection without recovery because it is not available on the mass market. Just like there was zero demand for cryptokitties a few months ago and now there is significant demand. You can only see a demand if there is an option for something and people use/don't use it, or after conducting a poll.


I get your point...

though I'm not sure that cryptokitties are a great way to sell your idea here. They're the kind of tulip/fidget spinner craze that we'd invest a ton of effort into, sell a few for a while, have to support for the next 10 years and still face a noisy backlash from a few annoyed users when we finally retired it. Overall, net loss.

In the case of "no recovery allowed" accounts, the development effort is minimal, but the number of people who would turn it on thinking "it says higher security and someone on hacker news told me to, it must be good" and then proceed to lose their account... I bet they'd be noisy when they realised they'd not only lost all their email, they'd lost their payment to us, because they'd have no authority to request a refund.

Oh wait, they would - chargebacks. Notoriously hard to fight with an online service, particularly when you're not providing said service any more. And it's always the full amount charged back too, not just the unused portion of the service.

I'll float the idea of allowing people to push right hard up to the "do not resuscitate" tattoo on their account, but I'm not going to pretend it doesn't come with some risks to us.


As a paying FastMail customer, I would appreciate such an option.

However, you do have to make sure that if I lose access to that account, I should be able to create a new FastMail account and have new traffic to my domain be directed to the new account. I.e., you do need some way to migrate a custom domain to a new account, if the new user can prove ownership and/or control of the domain name.
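One way a provider could check that whoever asks for a domain migration actually controls the zone, as an added example that is neither FastMail's code nor from this thread: a one-time token the requester must publish in a TXT record under a hypothetical `_account-verify` label, verified with an expiry and single use. The DNS lookup is replaced by a constructed in-memory resolver so the example runs offline.

```python
import hmac
import secrets
import time

# Hypothetical record label; real providers choose their own and document it.
VERIFY_LABEL = "_account-verify"
CHALLENGE_TTL = 24 * 3600  # assumed policy: a token is valid for one day


class DomainControlChallenge:
    """Issue a one-time token the domain's DNS operator must publish in a TXT
    record, then check for it. Only someone who can edit the zone can pass."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # domain -> (token, issued_at)

    def issue(self, domain: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, high-entropy challenge
        self._pending[domain.lower()] = (token, self._clock())
        return token

    def verify(self, domain: str, lookup_txt) -> bool:
        """lookup_txt(name) -> list of TXT strings, [] when the name is absent."""
        domain = domain.lower()
        entry = self._pending.get(domain)
        if entry is None:
            return False  # nothing outstanding, or token already consumed
        token, issued_at = entry
        if self._clock() - issued_at > CHALLENGE_TTL:
            del self._pending[domain]  # stale challenge: require a fresh one
            return False
        records = lookup_txt(f"{VERIFY_LABEL}.{domain}")
        # A zone may carry several TXT values; compare each in constant time.
        ok = any(hmac.compare_digest(r.strip().encode(), token.encode()) for r in records)
        if ok:
            del self._pending[domain]  # single use: a leaked token cannot be replayed
        return ok


def make_fake_resolver(records: dict):
    """Constructed stand-in for a DNS query; a real deployment queries the zone."""
    return lambda name: records.get(name.lower(), [])


def demo() -> dict:
    now = [1_700_000_000.0]  # controllable clock for the expiry case
    chal = DomainControlChallenge(clock=lambda: now[0])
    name = f"{VERIFY_LABEL}.example.com"
    token = chal.issue("example.com")
    results = {}
    results["missing"] = chal.verify("example.com", make_fake_resolver({}))
    results["wrong"] = chal.verify("example.com", make_fake_resolver({name: ["not-the-token"]}))
    results["ok"] = chal.verify("example.com", make_fake_resolver({name: ["v=spf1 -all", token]}))
    results["replay"] = chal.verify("example.com", make_fake_resolver({name: [token]}))
    token2 = chal.issue("example.com")
    now[0] += CHALLENGE_TTL + 1  # let the second challenge expire
    results["expired"] = chal.verify("example.com", make_fake_resolver({name: [token2]}))
    return results
```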


Yes, that has to be an option anyway, if somebody sells a domain and doesn't release it from FastMail. I have a blog post for this advent series (already written and everything) about why we don't allow split billing on a single domain.



