IMO we need an email provider who implements an entirely different method of authentication. Steve Gibson mentioned the idea in one of his webcasts; he also talked about coding something, but I haven't seen any mention of it on his website as yet. Anyway, it would work something like this: when you sign up with the email provider, it would probably include a small client app to reside on your device. The app creates a private and a public key, and the public key is sent to the email provider. The public key can then be used for two purposes.

1. To log in to your account, the email provider encrypts a random string using your public key and sends it to you; your private key decrypts it and sends it back. If the string is correct, you are authenticated as the owner. This would all be done over TLS to prevent an attacker intercepting anything.

2. The email provider uses it to encrypt all non-encrypted incoming email.

There are several advantages to this. The email provider cannot be forced to give up your encrypted email by anyone because they never have your private key. You cannot be expected to give up your password verbally because it is an encryption key. There is no actual password sent over the internet to be intercepted. There is no typing of a password involved, so no keylogger can grab your password. The client app can be portable on an easily destroyable thumb drive.
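The two uses of the public key described in the post above, worked through in Go as an added example. This is not code from the post, from Steve Gibson, or from any email provider, and everything the post leaves open is an assumption here: 2048-bit RSA with OAEP, a 32-byte random challenge, and, for incoming mail, a per-message AES-256-GCM key wrapped with the account's RSA key (RSA-OAEP on its own can only encrypt a couple of hundred bytes, so a mail body cannot simply be encrypted with the public key). The TLS layer the post relies on is not modelled, and the sample mail body is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Client is the app on the user's device; only it ever holds the private key.
type Client struct{ priv *rsa.PrivateKey }

// NewClient generates the key pair at sign-up (2048-bit RSA is an assumption).
func NewClient() (*Client, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

// PublicKey is the only key material that is sent to the email provider.
func (c *Client) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// AnswerChallenge decrypts the provider's login challenge with the private key.
func (c *Client) AnswerChallenge(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, c.priv, ct, []byte("login"))
}

// Provider holds the public key and, while a login is open, the challenge plaintext.
type Provider struct {
	Pub     *rsa.PublicKey
	pending []byte
}

// IssueChallenge encrypts a fresh 32-byte random string to the account's public key.
func (p *Provider) IssueChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, p.Pub, nonce, []byte("login"))
	if err != nil {
		return nil, err
	}
	p.pending = nonce
	return ct, nil
}

// VerifyResponse accepts the login if the string came back intact. The challenge
// is cleared either way, so a response captured on the wire cannot be replayed.
func (p *Provider) VerifyResponse(resp []byte) bool {
	expected := p.pending
	p.pending = nil
	return expected != nil && subtle.ConstantTimeCompare(expected, resp) == 1
}

// StoredMail is an incoming message as the provider keeps it: the body sealed with a
// per-message AES-256-GCM key, and that key wrapped with the account's public key
// (hybrid layout is an assumption; the post only says the provider encrypts the mail).
type StoredMail struct{ WrappedKey, Nonce, Ciphertext []byte }

// EncryptIncoming is the provider's step 2, run when a plaintext mail arrives.
func (p *Provider) EncryptIncoming(body []byte) (*StoredMail, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, p.Pub, key, []byte("mail-key"))
	if err != nil {
		return nil, err
	}
	return &StoredMail{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}, nil
}

// DecryptMail runs on the device: unwrap the message key, then open the body.
func (c *Client) DecryptMail(m *StoredMail) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, c.priv, m.WrappedKey, []byte("mail-key"))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	client, _ := NewClient()
	provider := &Provider{Pub: client.PublicKey()} // sign-up: only the public key leaves the device
	ct, _ := provider.IssueChallenge()
	resp, _ := client.AnswerChallenge(ct)
	fmt.Println("login accepted:", provider.VerifyResponse(resp))
	stored, _ := provider.EncryptIncoming([]byte("constructed sample mail body"))
	body, _ := client.DecryptMail(stored)
	fmt.Println(string(body))
}
```

Two details worth checking in any scheme of this shape: the challenge must be fresh random bytes and consumed on verification, so a captured response is useless a second time, and the provider must compare in constant time. A separate design point, not raised in the post: having the client decrypt a server-chosen value makes the private key act as a decryption oracle for whatever the server sends, which is why deployed public-key logins more commonly have the client sign a server nonce instead. The provider in either variant stores only the public key, which is what gives the post's first advantage.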