I like this rant. It makes sense.
What about making everything direct to the source?
As in, you have a single account, call it Fort Knox, which requires N-factor authentication — where N is some number over 2 I can’t imagine.
Then: when you try to log in with a bad user ID or password, you don’t get a message at all — you just get no login. Then Fort Knox gets the message. You check Fort Knox, update your password, your user ID, whatever, all via Fort Knox. Depending on the level of security, Fort Knox might even require you to visit a physical location. You’d set the level of security per account. For my Netflix account, it might just require me to log into Fort Knox with my Fort Knox user ID and password. For my brokerage, I might have to log into Fort Knox with my user ID and password and provide a number given to me at a physical location [if I so choose]. For Fort Knox, if I forget my user ID and password, I’d need to go to a physical location. Throw in a thumbprint scan, a face ID, a secure token, a phone call, an additional email to an email account — you get bespoke security for each account.
Heck, that can be Fort Knox’s only purpose — not even email.
I know this isn’t coherent. Please make sense of it. I now understand it.