Why do I have the option to recover an email address with my phone number?
Can't any person get my phone, then get access to my email and all its accounts?
Surely the best method would be that if you forget the password to your email account the only way to recover it would be to memorise the recovery code they give you at the beginning?
Sure, if the person knows you personally, and is looking to steal your information specifically, then getting your phone would be easier.
But that's rarely the case. Russian hackers aren't going to be able to steal your phone, but they can steal your password or any recovery settings you have.
So how are we ever going to get past this issue of security?
Good passwords don't mean anything if people can get access to your recovery methods (phone number, secondary emails).
You realize they can't just know your phone number, right? When you use phone authentication, they send a text to your phone with a password for recovery.
Two factor authentication like the above is actually a pretty good step. A hacker might be able to steal your phone, or they might be able to get your password. But the odds of them getting both are astronomical (assuming you're careful and don't do something retarded, like storing your pass on your phone).
So of course, there's always that risk of a breach. But you mitigate as best you can.
What if you set both your emails' recovery systems for each other and just memorised the passwords?
To recover email a: send code to email b
To recover email b: send code to email a
And if your passes on both emails are amazing, no one will ever be able to get in online or offline?
Or am I dumb?
Not really. How often do you lose your phone?
If you were really paranoid, you'd make sure your email isn't on the phone at all, so a random passerby couldn't use it with that account. Plus, your phone has its own password the hacker would need to get past.
I just told you why. You're hinging your security on having 2 good passwords. If a hacker gets one password, then they've got them all.
Having a good password + physical object you're not likely to lose is safer than just two passwords.
Maybe you were dumb, and are using a password which was also used on a different website which then got leaked.
Or you never know, maybe an exploit in their security exists that allowed them to get it.