Steam LocomotiveI’m not going to name the company here as this really is a question of what was the intent?

I attempted to log into a fairly popular service that I had my username and password to. It now needed to send me an email to verify it’s me. Unfortunately that email account no longer exists.

It claimed it didn’t know me on this browser, which yeah, it’s been two computers since I last logged in probably.

So now I’m up against the wall as I have no way to receive the code they wanted me to enter. The domain my email address was in no longer exists. I looked in the help and found there was a way to request to change an email account.

I changed the email account, one click. Received the code in the new email account and now my email on the service is updated.

For giggles I changed the password and now can’t log in with the original username or password and can’t request the thing be changed back using the old email address.

Their system to protect me from my account being stolen was circumventable with a disposable email account. The service lets you log in with a username so chances are if I’d taken someone else’s account they might never notice that the email address had changed.

So what did that second level of authentication do other than make sure I had an SMTP I could grab an email off of?

Am I missing something or is this not even security?