When you create a new account on a web site, it’s pretty much the norm to be asked to enter an email address. Why aren’t there more (any?) web sites that ask me for an additional email address that will be used exclusively to send me password resets?

With such a simple extra step, my account has become impossibly hard to crack. Not just because my “safe email address” will, obviously, be protected by two-step authentication or other similar mechanism, but more importantly because the hackers have no idea what that email address is: it’s not used to send any email, it only receives emails sporadically, and the only way to find out what it is is to hack into the bank’s servers (I’m pretty sure that hackers able to do that will find far more interesting accounts to empty than mine).

Another benefit is that I don’t need to burden my regular email address with two-step authentication, which would be a hassle since I log into that account so often from so different places.

So… What am I missing? Why isn’t this practice more widespread?