Why is email often used as the ultimate verification?

This seems like a very wrong medium to send such information via.

Email is used for the same reasons Social Security Numbers get re-used as account identifiers in the US: Ubiquity.

Not everyone has a Facebook account. Not everyone has a Twitter account. But almost certainly, anyone with Internet access has an email account. It is a reasonable expectation that customers can provide an email contact for businesses to use.

And I don't really know if this matters; however, you never really see these email services sending you "encrypted" email with your PGP key.

Because pitifully few people have a PGP key, and even fewer are set up with an email client that integrates encrypted email.

I once wished to purchase software, and the vendor would only sell to people who communicated with them via PGP email. I tried sending the PGP-encrypted blob as an attachment, I tried inlining it, and I tried add-on software that integrated PGP email into my mail client - none of them passed muster with the vendor. I never purchased the software. PGP email is neither ubiquitous nor, it seems, trivially interoperable.

Also, quite often it is mentioned that email is inherently insecure, or not designed with privacy or security in mind.

However it keeps being used for that.

And it will keep being used for that until something better comes along and something better is available to everyone to use, trivially.


While you correctly identified problems with e-mail, mail-based verification is still considered sufficiently secure for many cases. While there are alternatives like SMS-based verification, automated phone calls or even snail mail, these are not as easy and cheap to use as e-mail.

The optimal security measures are usually a balance between usability (i.e. ease of use), deployability and costs versus the security provided by the measure. If more security is required, it usually means that it gets more expensive to deploy and/or harder to use. E-mail is a good trade-off for many cases.


Email is the least worst option.

It's not just the ubiquity of email. Email is a federated, standard protocol. No one entity controls email. Email is a marketplace. You choose your email provider. Don't trust them? Take your business elsewhere. There are thousands and, from an authentication perspective, they are all equivalent. You can even run your own service, though server reputation has made this more difficult. Because of this mobility, an email provider has strong incentives to retain your trust and not read your email.

In contrast, private single sign-on services like Facebook or Twitter or Google are monopolies and have monopoly power. You have no recourse should they decide to deactivate your account, hand it over to someone else, use your authentications to snoop on you, or you just don't want to do business with them. This goes for both the users and the site which chooses to use them for sign-on. If a private single sign-on provider decides they don't like your service, country, or industry, or maybe they decide you're the competition, they can yank all your users. Unless you're rich enough to hire lawyers, or popular enough to mount a social media campaign, there isn't much you can do.

Email is the only service which is globally ubiquitous, federated, and acceptably secure. Phone numbers take a close second, but because phone numbers cost money they are not as ubiquitous as email. Software OTP is federated and secure, but not ubiquitous.