Hi article does not really address the point he makes in the title. Email is the best source of primary identity for web applications. If you are building a business application that people want, over 95% of the time people will give you valid email addresses. User are so much more valuable if you can market to them over time. It is very difficult to do this without at least an email address. Of course people can get disposable email accounts, this is just stating the obvious but still does not help at all in suggesting a better alternative for primary identity.
I fall into the 5%. If it's something I really want to try... I'll look harder for a temp e-mail domain that you haven't blocked yet. New ones spring up every day.
Why make it harder for me, as you are just pissing me off?
If I like it I'll give you my real details, but the Internet is full of spammers and crooks and by default it seems prudent to assume that all websites are run by those types until proven otherwise.
well there are two different issues that overlap a good deal.
1. wanting a way to uniquely identify a user that is easy for the user to remember (email works great)
2. wanting a way to prevent users from creating duplicate accounts
Using emails works great for 1 and is a decent low bar for 2. There are no good answers for 2 so using an email address is the best I have seen.
The better question is what you need from the user's identity. If an identity is simply a means to authenticate the user on your service only then an email is more than good enough. If you don't need anything else that is associated with the person's identity (e.g. his social network, real-life address, etc etc) then I don't see a problem with using email.
I wouldn't. I would much rather a private company with experience in determining online identity provide a service like this.
A. It would be an optional service, so you would only use it if you wanted to. (Unless gov't got involved somehow, but my whole point is that they shouldn't be involved.) If it were a gov't run operation it would probably be impossible to opt out of. A recent example is the Australian filter. That's not working out very well, neither would this.
B. A private company has more to lose if it were to screw up implementation and design than the gov't would. I would trust my privacy to a company before the gov't because I could weigh customer reviews and go to a competitor's service if it was better.
C. A gov't can say screw you guys, work with my standards for verification. A private company would be forced to work with others or fail.
The way I see it, identity verification is one of those dull, expensive, necessary things that will have to be done for the network economy to function. A private player will always have incentives to screw with it Imagine getting a message like "You must be logged in to facebook if you want to buy groceries. Do you want to let the dietsnoop application see your purchases (Y/N/there is no cancel)?"
When you swipe your card at the grocery store?
And to go through your objections one by one.
a. Any identity validation system has to be a universally accepted standard with strong penalties for misbehaviour on the part of validators, relying parties, and authenticating individuals. If it's less than universal, it doesn't work nearly as well, a bunch of people can opt out, and the effectiveness drops drastically; and we're back where we are now with a bunch of different standards and competing providers each with their own agenda.
b. Microsoft Hailstorm? Yahoo IDs? Facebook's multiple data wankeries over the years? All the times that people have horked 100s of thousands out of other people's bank accounts by having the bank email a password reset to an email account?
If past is prologue, the cost to businesses of screwing up their identity verification is relatively low. Which is fine if all they control is some crap email and a few digital photos, but rapidly becomes unfine if it's your bank account, or your deed to your vehicle, or your house or your ticket to New Zealand; or (going 15 minutes into the future) your house keys, your medical records, your ownership of businesses, etc.
c. But as mentioned in my response to a. a body that can set standards and enforce them with real teeth is exactly what is needed. The other side of that is that any private party that had the wherewithal to pull off the introduction of a new economic system (weak identity authentication is the foundation that credit cards are built upon) is going to be or be rapidly on the way to being a heavily regulated entity.
I'm not saying I'm necessarily enthusiastic about the prospect of the government holding the root signing keys to everything; I just think it's inevitable. And the thing is we need to be talking about it now, so that over the next 6 months to two years as the economic crisis plays out and the necessity of doing something is brought to the fore; we can push the discussion towards sane alternatives.
We have a window to affect the policy discussion, but that window is closing rapidly, and there are lots of people who would like to close off certain avenues of discussion. You want peer to peer disconnected transactions? You have to convince people that those matter more than law enforcement, garnishments and debt collection. Anonymous transactions are going to be a tough sell; so are pseudonymous transactions. Hell, we're probably going to have to fight to keep J. Random Moral Prude from putting a kill switch in everybody's wallet that will limit purchases to socially acceptable ones (more of a worry in the UK and commonwealth nations).
You leave me humbled, sir. You are thinking on a much greater scale than I was. I was at first skeptical whether these types of things are going to come in to mainstream debate in the next 6 months to 2 years, but the more I think about it, the more I'm starting to believe it.
good post. q: so why can't said new system 'work universally' (at least online) by users generating their own "pseudonymous" online identities (name/email/pass/etc) and managing these per site/relying party? the 'generating application' or party has oversight and responsibility for fraud but no others and the user controls key aspects relating to government subpeona type issues. thoughts?
You're basically describing the status quo; which obviously, does work for the most part. But, there are a couple of elements driving stronger authentication forward; the current lack of a safe and effective cash equivalent for online transactions (anything that is charging a 1-2% transaction fee is not cash equivalent), the desire for executing binding legal documents over the internet (you can in the US have people click [agree] on a web form and be good, but it's hokey and nobody takes it seriously), and the widespread perception that digital crime is endemic.
My guess, based on the nature of the industry is that whatever solution we get will be built on a stack that's already widely deployed (x509 certificates) and that it will be tied to the post office since showing your ID documents to a public official will be part of proving who you are.
We already have government signed x509 (not 100% sure about this detail) certs here in Spain. They can be used to fill taxes online. Just like you said, "showing your ID documents to a public official will be part of proving who you are". They use local administration offices though.
I've no idea if they're common in Europe. They're not common here, and they're available. Common people couldn't be bothered even if they'd knew what they are, not to mention know how to use them. This is a good thing I believe. Hey, I know what they are and how to use them and I still don't bother :)
Even if a service existed that would manage your online identity, how would you prove at you are yourself everytime you sign in? I think thats the biggest problem right now. Another problem is the second someone gains access to your 'online identity' they now have access to everything else that was also linked using this identity.
So maybe its not a good idea to have a central identity manager. Maybe we just need to be researching how do we prove that you are indeed YOU when you visit a site again and not worry about figuring out if you are you AND the same person on x,y,z sites.
Almost every email address carries an implicit username/password as well as a degree of identity provided by dns services (where the email goes)
So thats not bad proof that the person that recieves an email to that address will receive the next one, and thats where all the login info is passed around.
Mailinator however breaks all this, you can use any email address you want, including one that somebody else is using. Maybe this blog is a little biased?
