The first thing to say is that if you find two e-mail addresses awkward, because you feel it makes registering and signing in to our platform harder, please contact us at support@cryptostatto.com. For early-bird users of Crypto Statto, we can even give you a domain alias that forwards to your existing e-mail address. Customers wishing to move to different e-mail addresses can simply contact us and our support team will happily switch this over.
If anything concerns you, please reach out to the support team at support@cryptostatto.com.
Alternatively, if you feel strongly enough about the two e-mail address approach, tell us what you would like to see instead: support@cryptostatto.com
Many of you will ask: but why two e-mail addresses? Passwords that are not used effectively add little, and in many situations they are not necessary at all. Most serious cryptocurrency people will already have multiple password managers, split seed phrases, perhaps paper wallets, scattered to the four corners of the earth, who knows?
Those in crypto are often serious about security, are not keen on doxing themselves, and do not need to tie their main e-mail addresses to "Yet Another Platform Recording My Digital Footprint". So we thought: why not build two-factor authentication on two e-mail addresses?
The team behind Crypto Statto put a lot of thought into registering and signing in to the website. We considered using identity providers such as Google, Facebook and Twitter, to name but a few. We are definitely considering blockchain-based authorization in coming years, but too few people use it at the moment. We also considered an e-mail address plus one-time passwords from an authenticator app such as Google Authenticator or Microsoft Authenticator, or even writing our own software to do this. The main issue with relying on other providers is the risk of deplatforming: companies that build on the major software providers can find themselves cut off from those services. A colleague working on another solution found themselves locked out of their online code repository, which we will not name, because of inappropriate client content. Anybody remember Parler? Parler was deplatformed at some point during the pandemic. TikTok's future in the United States is still uncertain at the time of writing, February 2025.
Another real experience with identity providers is that they sometimes simply decommission their services, or change their terms and conditions to the point that the cost of using them is too high. This can leave a large percentage of your user base unable to use your platform and force a rewrite of code so that customers can access services again. Remember, too, that many identity providers take a mobile number and may use their own authenticator apps as part of the verification process; it can become very complicated. This is why we decided to write our own multi-factor authentication capability within our platform, one that would work well enough for the user bases of platforms such as Crypto Statto and findigl.
For some individuals, you could set up one e-mail account on a mobile device and the other on a desktop. When signing in on the desktop, confirm the link that arrived on the mobile first and the link on the desktop last: you are signing in on the desktop, but using your mobile device as the first-factor authenticator.
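The sign-in flow described above, modelled in Python as an added example (this is not Crypto Statto's code; the link format, the ten-minute expiry window, the in-memory storage and the `example.invalid` addresses are all assumptions). A sign-in attempt mails one single-use link to each registered address; a click on either link from any device counts as one factor, and a session is only issued once both links from the same attempt have been used within the window. Each link burns on use, so a replayed or stale link never completes a sign-in.

```python
"""
Model of a sign-in that only succeeds once links sent to two separate
e-mail addresses have both been confirmed. Added illustration of the
scheme in the text, not Crypto Statto's code: link format, expiry
window and in-memory storage are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

LINK_TTL_SECONDS = 600  # assumed: both links must be used within ten minutes


@dataclass
class SignInAttempt:
    user_id: str
    created: float
    tokens: dict = field(default_factory=dict)    # outstanding token -> address
    confirmed: set = field(default_factory=set)   # addresses already confirmed


class TwoEmailSignIn:
    def __init__(self, users, send_mail, clock=time.time):
        # users: user_id -> (address_a, address_b)
        # send_mail(address, link): outbound mailer, injected so this runs offline
        self.users = users
        self.send_mail = send_mail
        self.clock = clock
        self.attempts = {}   # attempt_id -> SignInAttempt
        self.sessions = {}   # session token -> user_id

    def start(self, user_id):
        """Begin a sign-in: one fresh single-use link goes to each address."""
        attempt_id = secrets.token_urlsafe(16)
        attempt = SignInAttempt(user_id=user_id, created=self.clock())
        for address in self.users[user_id]:
            token = secrets.token_urlsafe(32)
            attempt.tokens[token] = address
            self.send_mail(address, f"https://example.invalid/confirm/{attempt_id}/{token}")
        self.attempts[attempt_id] = attempt
        return attempt_id

    def confirm(self, attempt_id, token):
        """Handle one link click, from whichever device opened that mailbox.
        Returns a session token only when both links of the same attempt have
        been used inside the TTL; otherwise None."""
        attempt = self.attempts.get(attempt_id)
        if attempt is None:
            return None
        if self.clock() - attempt.created > LINK_TTL_SECONDS:
            del self.attempts[attempt_id]   # stale attempt: both links are now dead
            return None
        if not (isinstance(token, str) and token.isascii()):
            return None                     # compare_digest needs ASCII str
        # constant-time comparison against the outstanding tokens, then burn the match
        match = next((t for t in attempt.tokens if hmac.compare_digest(t, token)), None)
        if match is None:
            return None
        attempt.confirmed.add(attempt.tokens.pop(match))
        if len(attempt.confirmed) < 2:
            return None                     # first factor done; wait for the other mailbox
        del self.attempts[attempt_id]       # attempt consumed; nothing left to replay
        session = secrets.token_urlsafe(32)
        self.sessions[session] = attempt.user_id
        return session


def demo():
    """Offline run with a constructed user and a list standing in for the mailer."""
    outbox = []
    auth = TwoEmailSignIn(
        {"alice": ("alice@mobile.example", "alice@desktop.example")},  # constructed
        lambda address, link: outbox.append((address, link)),
    )
    attempt_id = auth.start("alice")
    links = [link.rsplit("/", 1)[1] for _, link in outbox]
    first = auth.confirm(attempt_id, links[0])     # mobile link: no session yet
    session = auth.confirm(attempt_id, links[1])   # desktop link last: session issued
    return first is None and session is not None and auth.sessions[session] == "alice"
```

The order of the clicks does not matter to the server; what matters is that both confirmations belong to one attempt and arrive before it expires. Injecting the mailer and the clock is what lets the flow be exercised offline, including the expiry path.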
(Please note: we are not advocating what ChatGPT says, simply reporting what it said.)
Yes, your setup - an Android mobile and a Windows desktop, each with email addresses from different providers - is reasonably secure, assuming:
Potential Risks & Mitigations
Overall Verdict
Your approach is a solid middle ground between convenience and security. While it's not as bulletproof as using a hardware key or an offline authenticator, it does offer good resilience against common attack vectors like SIM swapping or provider lockouts. If you’re comfortable with this setup and have backups in place, it should serve you well.
Would you like any recommendations on securing your Android or Windows setup further?
It is worth highlighting that we do not think e-mail based authentication is a panacea, but it is reasonable. Two e-mail addresses are two instances of the same kind of factor, so the scheme is only as strong as the separation between the two mailboxes: different providers, different devices and different credentials for each, as in the setup described above, are what stop one compromised inbox from unlocking both.
When accessing the API, the first step in obtaining a bearer token is to pass both e-mail addresses and two API keys. Once you have the bearer token, you pass it with each subsequent API request for data. You can generate new tokens in our Member Manager Portal (under Admin in the menu) if you believe a token has been compromised. If anything concerns you, please reach out to the support team at support@cryptostatto.com.
Again, we think this is a reasonable approach.
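The credential exchange described above, modelled from the server side in Python as an added example (not Crypto Statto's server code; the record layout, the one-hour token lifetime, the choice to store keys and tokens as hashes, and the way "generate new tokens" is realised as a generation counter are all assumptions). Step one checks both e-mail addresses and both API keys together and says nothing about which one failed; step two resolves the `Authorization: Bearer` header on a data request; rotation invalidates every bearer issued before it.

```python
"""
Model of the API credential exchange in the text: both e-mail addresses and
two API keys are traded for a bearer token, which then authenticates each
data request. Added illustration, not Crypto Statto's server code; record
layout, token lifetime and the rotation mechanism are assumptions.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600   # assumed bearer lifetime


def _digest(value: str) -> bytes:
    # keys and bearers are stored only as hashes, so a leaked table yields nothing usable
    return hashlib.sha256(value.encode()).digest()


class ApiAuth:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}   # (email1, email2) -> [hash(key1), hash(key2), generation]
        self.tokens = {}     # hash(bearer) -> (account key, generation, expiry)

    def register(self, email1, email2):
        """Create an account; the two API keys are returned once and stored hashed."""
        key1, key2 = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.accounts[(email1, email2)] = [_digest(key1), _digest(key2), 0]
        return key1, key2

    def _new_bearer(self, acct_key, generation):
        bearer = secrets.token_urlsafe(32)
        self.tokens[_digest(bearer)] = (acct_key, generation, self.clock() + TOKEN_TTL_SECONDS)
        return bearer

    def issue_token(self, email1, email2, key1, key2):
        """Step 1: all four credentials must match, or no token is issued."""
        acct = self.accounts.get((email1, email2))
        if acct is None:
            return None
        # evaluate both keys, in constant time, and do not reveal which one failed
        ok1 = hmac.compare_digest(acct[0], _digest(key1))
        ok2 = hmac.compare_digest(acct[1], _digest(key2))
        if not (ok1 and ok2):
            return None
        return self._new_bearer((email1, email2), acct[2])

    def authenticate(self, authorization_header):
        """Step 2: map 'Authorization: Bearer <token>' on a data request to its
        account, or None if the token is unknown, expired or rotated away."""
        scheme, _, bearer = authorization_header.partition(" ")
        if scheme != "Bearer" or not bearer:
            return None
        lookup = _digest(bearer)
        entry = self.tokens.get(lookup)
        if entry is None:
            return None
        acct_key, generation, expiry = entry
        acct = self.accounts.get(acct_key)
        if acct is None or generation != acct[2] or self.clock() > expiry:
            self.tokens.pop(lookup, None)   # dead token: drop it
            return None
        return acct_key

    def rotate(self, email1, email2):
        """The portal's 'generate new token' action, modelled as: every bearer
        issued so far for the account stops working, and a fresh one is returned."""
        acct = self.accounts[(email1, email2)]
        acct[2] += 1
        return self._new_bearer((email1, email2), acct[2])
```

Bumping the account's generation rather than deleting individual tokens means a compromised bearer is cut off even if the server never saw which one leaked; the stale entries are swept from the table the next time they are presented.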
Written with StackEdit.