Your Email Is (Practically) Your IdentityPosted: 2011/07/31
There’s a lot of confusion about what identity, on the internet, is. I contend that, for all practical purposes, your online identity is your email address.
Let’s look at some other (supposed) identification methods:
- Username – whatever the user feels like typing in
- OpenID – A guaranteed unique URL
- OAuth – some guaranteed unique token in the context of a service provider
What sets an email address apart from these other methods is that it’s a method of contacting an individual. In fact, it’s a practically universal method of contacting someone on the internet.
Consider, regardless of the mechanism you use to authenticate users, one returns to your site and wants to login… but can’t remember their credentials. This is not a trick question, obviously you have them enter their email address and then send them something they can use to recover their login information (a password reset link, their OpenID, their OAuth service provider, etc.). Regardless of the login mechanism, the lack of an associated email address will result in the loss of the account.
I find myself considering OpenID, OAuth, username and password combinations, and so on as “credentials” rather than “identities” conceptually.
Pontificating is all well and good, but how has this actually affected anything?
One of the first things I worked on at Stack Exchange (so long ago that the company was still Stack Overflow Internet Services, and the Stack Exchange product had a 1.0 in front of its name that it didn’t know about), was pulling in user email’s as part of authenticating an OpenID. There were two problems this solved, one was that user’s would accidentally create accounts using different credentials; a common trusted email let us avoid creating these accounts (this recently came up on Meta.StackOverflow). The second was that associations between site’s couldn’t be automated since Google generates a unique OpenID string for each domain a user authenticates to; finding related accounts based on email neatly worked around this wrinkle in Google’s OpenID implementation.
Some of this predicament is peculiar to the OpenID ecosystem, but the same basic problem in both scenarios is possible with even a bog standard username/password system. If you have some disjoint user tables (as Stack Exchange’s are for historical reasons) you can’t just do a correlation between username (or even username & password hash), you need to verify that the same person controls both accounts; and really all you can do is contact both accounts and see if they point to the same person, the mechanism for that being (once again) email.
In a nutshell, if you’ve got more than one kind of credential in your system, say username/password and Facebook Connect, then the only way you’re going to figure out whether the same user has multiple credentials is via correlating email addresses. That Stack Exchange needs this internally is a historical accident, but given the popularity of “Login with Facebook” buttons I have to imagine it comes up elsewhere (perhaps others have consigned themselves to duplicate accounts, or a single external point of failure for user login).
These observations about email are why StackID, Stack Exchange’s own OpenID provider, requires (and confirms) email addresses as part of account creation. We also always share that email address, provided that the relying party asks for it via Simple Registration or Attribute Exchange.
One counter argument I’ve encountered to this position, is that changing your email shouldn’t effectively change your identity. The real life equivalent of changing your email address (changing your street address, phone number, legal name, and so on) is pretty disruptive, why would the internet version be trivial? If nothing else, almost all of your accounts are already relying on your email address for recovery anyway.
I suspect what makes Method of Contact = Email = Identity non-obvious is the tendency of people to assume identity is much simpler that it really is, coupled with the relative youth (and accompanying instability) of the internet. Anecdotally, while I certainly have changed my email address in the past, I’ve been using my current email address for almost as long as I’ve carried a driver’s license (which is good enough ID for most purposes in the United States).