Your Email Is (Practically) Your IdentityPosted: 2011/07/31 Filed under: pontification 7 Comments
There’s a lot of confusion about what identity, on the internet, is. I contend that, for all practical purposes, your online identity is your email address.
Let’s look at some other (supposed) identification methods:
- Username – whatever the user feels like typing in
- OpenID – A guaranteed unique URL
- OAuth – some guaranteed unique token in the context of a service provider
What sets an email address apart from these other methods is that it’s a method of contacting an individual. In fact, it’s a practically universal method of contacting someone on the internet.
Consider, regardless of the mechanism you use to authenticate users, one returns to your site and wants to login… but can’t remember their credentials. This is not a trick question, obviously you have them enter their email address and then send them something they can use to recover their login information (a password reset link, their OpenID, their OAuth service provider, etc.). Regardless of the login mechanism, the lack of an associated email address will result in the loss of the account.
I find myself considering OpenID, OAuth, username and password combinations, and so on as “credentials” rather than “identities” conceptually.
Pontificating is all well and good, but how has this actually affected anything?
One of the first things I worked on at Stack Exchange (so long ago that the company was still Stack Overflow Internet Services, and the Stack Exchange product had a 1.0 in front of its name that it didn’t know about), was pulling in user email’s as part of authenticating an OpenID. There were two problems this solved, one was that user’s would accidentally create accounts using different credentials; a common trusted email let us avoid creating these accounts (this recently came up on Meta.StackOverflow). The second was that associations between site’s couldn’t be automated since Google generates a unique OpenID string for each domain a user authenticates to; finding related accounts based on email neatly worked around this wrinkle in Google’s OpenID implementation.
Some of this predicament is peculiar to the OpenID ecosystem, but the same basic problem in both scenarios is possible with even a bog standard username/password system. If you have some disjoint user tables (as Stack Exchange’s are for historical reasons) you can’t just do a correlation between username (or even username & password hash), you need to verify that the same person controls both accounts; and really all you can do is contact both accounts and see if they point to the same person, the mechanism for that being (once again) email.
In a nutshell, if you’ve got more than one kind of credential in your system, say username/password and Facebook Connect, then the only way you’re going to figure out whether the same user has multiple credentials is via correlating email addresses. That Stack Exchange needs this internally is a historical accident, but given the popularity of “Login with Facebook” buttons I have to imagine it comes up elsewhere (perhaps others have consigned themselves to duplicate accounts, or a single external point of failure for user login).
These observations about email are why StackID, Stack Exchange’s own OpenID provider, requires (and confirms) email addresses as part of account creation. We also always share that email address, provided that the relying party asks for it via Simple Registration or Attribute Exchange.
One counter argument I’ve encountered to this position, is that changing your email shouldn’t effectively change your identity. The real life equivalent of changing your email address (changing your street address, phone number, legal name, and so on) is pretty disruptive, why would the internet version be trivial? If nothing else, almost all of your accounts are already relying on your email address for recovery anyway.
I suspect what makes Method of Contact = Email = Identity non-obvious is the tendency of people to assume identity is much simpler that it really is, coupled with the relative youth (and accompanying instability) of the internet. Anecdotally, while I certainly have changed my email address in the past, I’ve been using my current email address for almost as long as I’ve carried a driver’s license (which is good enough ID for most purposes in the United States).
Email is ONE way of validating an identity but as email goes it will never be accepted as a real and legal form of identification. For any Internet service that really cares about identity validation of a second (and sometimes third) form of identity is often required. My bank, for instance, will NEVER allow access to my accounts unless there is first an email validation, a password validation, and a third confirmation via a text message or email to another service when my account is accessed from a previously unknown source. I will agree that email for the most part = identity but exposing any secure data should REQUIRE at least one additional form of personal identification.
I don’t know that a bank is a valid comparison. It has a physical presence, which you can (and presumably do) visit. Of course having physical access to a person let’s additional identification requirements be applied.
A more apt comparison would be Amazon, which lacks any actual store front and can be about as damaging fiscally as a bank. Naturally, Amazon ties account recovery to an email address; lacking any other options.
I agree that some stronger assurance about “real life” identity would be nice to have online. Perhaps two-factor authentication via smart phone will get there eventually, but for now the strongest ubiquitous option is email.
This post was more about the de-facto state of internet identity than the ideal one, basically.
Not all banks have physical presences — some are purely internet based. And many banks that do have physical branches allow you open accounts entirely online (Capital One Bank is one of many I have personal experience with). What makes banks more secure is that they have more information about you besides your e-mail address, which other people are unlikely to know: your account number, social security number, and a security code such as your mother’s maiden name. If you ask them to reset your password, they’ll ask you for one or more of these items of information to prove that you are who you claim to be.
While I’ve never had to reset my Amazon password, I imagine that they would not need to rely on just my e-mail address for security. They could ask me for the last four digits of my primary credit card number, for example.
Anything self-entered is pretty suspect if it can’t be validated against some other database that ultimately has a means of contact. I’ve had to go to my bank in person to get my account # before (having misplaced it in a move), which makes it pretty useless for identity on the internet. SSN is backed by the taxman’s ability to find you (which ultimately backs all government ID, really). Security questions aren’t even in the same game, unless you think “Smith” is a sufficiently unique string to identity someone :). Credit cards are pretty rough, as the numbers change and people tend to have a number of them.
It really does come down to “can be used for contact,” if someone can forget it or misplace it you need to have a fallback.
But in the physical world, if you move you can update your address information. It’s hard work, but it’s possible. But if your e-mail address is your primary online identity, updating your e-mail information if you change e-mail provider is not only hard, but impossible.
The same approach to changing addresses in the physical world (setting up a forwarding address) maps rather well to setting up your old email account to forward to your new one. This does assume that these services are reliable. For myself, I’ve had more mail lost by the US Post Office that should have been forwarded than emails from “throw away” providers setup to forward to my (oldest and) main account.
I get the impression based on some feedback that some people are taking this entry to be an argument *for* email as a universal identity/credential/whatever. What I’m trying to say is that it is one (in the context of the internet that is). It’s a declaration of a de-facto status, not an ideal one.
In the physical world, at least here in Israel, more and more you cellphone represents your ID 1-to-1:
* Gated communities where one registers his cellphone number and then can open the gate from it
* Banks verify your identity online with an SMS sent to you
* Many physical service providers (satellite/cable TV, etc.) identity you primarily by you cellphone.
Now that we can change cellphone provider without changing the number (a new law in Israel), I’m likely to have the same cellphone number permanently.
So yes, on the Internet, you do identify primarily using your e-mail. And now that it doesn’t depend on your ISP anymore – everyone uses gmail or similar services – it never changes either.