People dislike usernames, they want to be able to choose non-unique ones rather than end up with user53267 or something inane.
People lose devices, just storing a secret UUID in their cookie, or using a passkey from their device isn't going to work.
There is no ideal solution except to blend a variety of things together, for some people email is pretty stable for long time and they like it as the identity, for others their usernames are stable and they prefer that as the identity... though I know of no-one that has had the same primary device for more than years (not decades) so perhaps that one will never work.
I do think this is important though, where it comes up a lot is a work email account, a first.last@company.com, and how all of the vendor software utilises "Sign in with Google", and it's the email address they then store in the vendor app as the identifier...
People get married, people get divorced, people transition, people move culture and choose new names... names change, and so do email addresses.
Perhaps OIDC and the like needs a new extension: a standard API to change a username, and a standard API to change an email address.
The oldest email that I can connect to is more than 20 years old. I'm not using it anymore but it's older than any of my phone number or physical address. I don't think we can do better, except with official indentifiers like I'd card or social security number
My "favorite" of those email changes is the self-inflicted contractor postfix change. I've worked at places where a conversion to employee forces the creation of a completely new account, and lacking a simple, single permission systems, the act of converting means spending a good 3 weeks trying to get access to systems one had access the day before.
This is extra fun when the company in question does a lot of their business offering complicated accounts to customers, and has an external facing identity solution that deals with all of this easily: just not for their own workers, including those maintaining the external-facing identity system.
I liked Discords old scheme where you had an email and a display name. Everyone had the numbers so they didn't matter. When they switched to unique account IDs I was kind of bummed, but I'm still curious why they switched.
Because it was trivial to impersonate someone. The old usernames supported full UTF-8, enabling a wide variety of attacks.
And by paying for nitro, you could choose the numbers too, so step 1. Find someone you want to impersonate, copy their username, and replace one character with a visually identical one, but a different one. Step 2 - pay for nitro, and choose the numbers too.
As usual, malicious actors are the reason why we can’t have nice things.
Yeah, same here. I thought it did a good job of resolving username conflicts without it really being an issue inside active social circles. Everyone can just always use their normal username, and it's only a minor friction when sharing your name outside Discord without a link or something.
1. Use a guid-like value as your internal identifier. All internal references in your databases to a user should use that.
2. Use a second user friendly identifier for the user to login (i.e. Email). Feel free to rebind this if the user needs to change it. Keep a 1-to-1 relationship between the two.
That was my understanding as well but it doesn't really address sufficiently what to do in the case of, for example, the user permanently losing access to #2. Sure if I am making the decision to migrate from gmail to some other provider, I can self-coordinate transitioning in your app. But if I lose access and can't regain it through my own forgetfulness, or worse I get hacked, the easiest option still seems to be creating a new unique account.
What about domain names? Emails are bound to a domain name by definition, and indeed domain name IS designed as a good identity and can be used to host an email. See how domain names are owned by large corporations and trusted since day one and never lost, as long as you keep it carefully. It requires WHOIS information as the authoritative information of domain owner. An account based on username and password is what you usually need to access it, but if you are serious you can always choose a domain registar that is serious about keeping your domain name. It’s not free but it costs nuts compared to the cost of losing it, and let’s not forget that there is a cost behind hosting emails even if it’s given for free.
I set up a Twitter account long ago with an email from a domain I used. I let the domain expire later, and now can't do the password reset because it's pointing to a domain that I don't own, and can't buy anymore. Basically lost forever.
I once had my email change because my ISP was bought out. Absolutely nothing I could do about it. The old email was forwarded for 12 months, then cut off completely.
Passkeys aren’t device-bound. I think they’ll work just fine.
The real problem, though, is that we seem to need digital identity solutions to be perfect as opposed to “good enough”. No solution is perfect and we’ll be stuck on email as long as the enterprise security nuts (who need everything device-bound and vendor attested) and anon-in-the-ether privacy schoolers (who think any stable identifier whatsoever is a heinous crime) are part of the conversation.
Imagine if everyone just used mobile drivers licenses issued to whatever self-sovereign wallet the user chooses. Identity issuing, revocation, and recovery is then handled by all the things society has already built to handle meatspace identity. Account recovery involves a trip to your local gov’t office to re-issue your ID credential. Which means you need some chain of trust to your birth certificate. You’re going to treat your mDL credential wallet with a lot more reverence if that’s the recovery flow, so some of these problems solve themselves if we stop using punk short-names everywhere online.
Relying parties that need human uniqueness, age, and/or nationality guarantees use the mDL verifiable credential. Law probibits relying parties from aggregating and selling/transferring information obtained for purposes of authentication from a VC. Ad-tech privacy problem solved.
Services that don’t need proof of human uniqueness etc. can just skip the VC part of the equation and use basic passkeys and implement short-name reclamation.
Personally, I like the idea of hardware-tied auth (phone/FIDO2 key), that could work for me eventually. However, I am also one of the "anon-in-the-ether" people and don't want a permanent identity on any public service.
A permanent identity comes with many additional mechanics, far beyond just a stable identifier. The biggest one is post karma (including likes): IMO it's at the core of almost everything what's wrong with the modern web. It introduces vile personal and group incentives and leads to an eventual destruction of any honest conversation. While this mechanic exists on public forums, I won't use a permanent identity.
> Imagine if everyone just used mobile drivers licenses issued to whatever self-sovereign wallet the user chooses. Identity issuing, revocation, and recovery is then handled by all the things society has already built to handle meatspace identity.
But why do you need to tie it to your driver's license? Tie it to whatever kind of account recovery token you like, put that in a safety deposit box at a bank (available for ~$20/year), and then you can get access to that with your government ID if all else fails.
This requires no new infrastructure to screw up or get broken into and doesn't tie your internet activity to your name while still allowing you to use your name to recover your accounts.
> Relying parties that need human uniqueness, age, and/or nationality guarantees use the mDL verifiable credential.
This is variously unnecessary and ineffective.
The correct way to do age verification is to ask the client's browser if the user is a minor. If the user is a minor, either their parents will have configured the device to answer truthfully or the minor has access to an adult willing to allow it, against which no remote system is secure anyway because the adult has an adult ID.
This is the same reason human verification doesn't work like that. You still have no idea if you're talking to a human, all you know is the device on the other end has somebody's ID attached. Individuals who aren't supposed to be using AI still have a human ID and criminal organizations not only have their own IDs but also any they can steal.
It's not clear why proving nationality over the internet is necessary but most of the obvious use cases are dystopian and requiring you to visit a physical office once in your life to prove your nationality to some bureaucracy (after which you can use your account) seems like a minor burden -- and more secure -- than trying to do this.
That kind of system is not worth the candle. The tracking risk is large, the benefit is small, there are too many ways to screw it up and it would inevitably be politically compromised and hard to change.
> Passkeys aren’t device-bound. I think they’ll work just fine.
Depends on the implementation. Some passkeys are device bound. The free ones, typically. Unless you trust Apple and Google to preserve and protect private keys.
Sorry, how are passkeys not device bound? Every single article I read explaining why they're "better than passwords" touts precisely this as a strength - your authentication takes place on device, so there's no server of passwords for anyone to hack. If you lose the devices your passkeys are paired to, you've locked yourself out of that account for good.
I definitely don't consider myself a "privacy schooler" (whatever that means) but government-issued ID credentials tied to "self-sovereign wallets" (whatever that means) sounds like a, pardon my french, absolute fucking nightmare. But agreed with your other point that we'd probably stop giving ID up as easily if that was the cost of recovery.
I usually dislike the idea of inviting government into this space, but if there's anything that governments have traditionally done decently well and should do (it's usually within their mission statement) its identity. Passports are really the primary identity layer of Earth.
Ideally in a perfect world we'd have governments run OIDC systems similar to the US login.gov and these would delegate from an international master OIDC system at the UN. Everyone would have their citizenship passport ID and their UN ID, and the latter could serve as a "break glass" master key to support immigration and also limit the ability of countries to "digital death penalty" people.
I can think of some dystopian outcomes here, but IMHO they are not worse than the dystopian outcomes that come from corporate monopolist control of digital identity. At least in democracies one has some nominal influence over one's government and the latter is bound by the rule of law, and if you don't live in a democracy you can (or should be able to) leave.
You're right that identity is hard, and I think most of why it's hard is human rather than technical. One could create a decentralized identity layer from a block chain fairly easily but people would lose their keys etc.
I don’t know. I wouldn’t say that governments do identity better than anyone else and adding more dependency on it just increases the value of the government ID making it an even more lucrative target to steal/forge.
Fake ids are a thing and the quality depends on how much you spend. Governments also have reasons to lie about identity themselves (think spies).
A true identity solution means being able to cross reference your identity across multiple entities (federal government, state and municipal, employers you’ve worked for, businesses you’ve interacted with, etc etc).
> Everyone would have their citizenship passport ID and their UN ID, and the latter could serve as a "break glass" master key to support immigration
Immigration doesn’t work that way. You don’t lose or transition from one identity federation to another. You maintain both, typically for the rest of your life.
My personal wishlist is that decision makers and designers of identity systems must include people with real world experience of multiple nationalities, tax residencies, migration and so on.
Currently, these systems are already built on false premises and immigrants suffer a lot – not only because of malice but to a large extent because the bureaucrats didn’t think like security-minded engineers. The edge cases are extremely important when it comes to identity, because identity is required for a lot of basic needs. As the world is become more globalized, these issues are a lot more prevalent.
> and I think most of why it's hard is human rather than technical
Yes but I don’t see why that’s so surprising. It’s the identity of humans that’s the problem.
FWIW I think email is fantastic as identity, compared to the abysmal state of the alternatives. It doesn’t change when you cross a border like phone numbers. It’s not perfect when it comes to self-sovereignty and account recovery.
> Passports are really the primary identity layer of Earth.
Umm, I'm not they're not that great as a primary identity either.
One edge case is that you can have have more than one valid passport for the one nationality. Another is of course that one can have more than one nationality.
They restrict people to a single immutable identity, that may not conform to other governments, that may not accommodate different languages and character sets, that are not flexible of gender, that do not reflect relationship types that aren't typically monogamous... the list goes on.
They offer a poor base implementation that is only sufficient due to the legal identity seldom actually being needed online. Which is a good thing, because identity theft would be so much worse if that was everywhere.
In the UK we don't have as fixed an idea of an identity as people think, Cherie Blair is also Cherie Booth Q.C. , Elton John is also Reginald Dwight, and for both people, both identities are real identities and sufficient to get bank accounts in the name of, it's only when it comes to a tax record and passport that you are reduced to a single identifier, but who is to say that the name on that is the preferred name of a person?
My bank account, bank card, accounts on most of my things, do not match my passport and birth certificate.
Long lasting usernames across websites is the worst for privacy though, unless the username is not public. In general, it's best if the unique identifier is only known to the user.
I've seen quite personal details being leaked because sometimes even smart people don't realise how easy it is to cross-reference given a unique username.
This isn’t a technology problem. We just need to put our foot down as a society and make tracking as illegal as sexual harassment/assault and aggressively and visibly punish and shun companies that abuse you. There isn’t a technology that magically makes you safe for creepy internet stalkers.
I think email plus a robust protocol for resolving changes works as good as can get.
For important stuff like banks and pensions they also have phone and physical address, so there’s a way to reconcile things like email changes, as rare as they are.
US example. Financial services orgs have your social security number. Perhaps they should be able to forward a message to the US gov to forward it to the citizen stakeholder through a government messaging delivery platform. This ensures continuity of communication but does not allow orgs to lookup emails with loose data governance (and all that leads to).
Login.gov is very good from a federal gov idp perspective, and I’m hoping it slowly develops into supporting a national ID and ubiquitous identity proofing to squash identity fraud but also streamline gov digital service delivery.
Government has failed to adapt with modern times and technology and has failed to provide modern and secure identification and authentication services for citizens.
I log in with my bank credentials to access my government tax account, talk about a total failure to do your job from the people still using SIN as an important piece of identity for some of the most important aspects of life.
This is a solvable problem. Governments can adapt and use modern technology to provide identity and authentication services, but they do not.
In my opinion this is a failure to be responsible for core government services, and I can only speculate why.
> Governments can adapt and use modern technology to provide identity and authentication services, but they do not.
At least in many EU countries, they are adapting. I'm a fairly happy user of Irish myGovID (OIDC) and ROS (X509 "sign this message with your private key" challenge), and Polish Profil Zaufany (I think OIDC or CAS?).
The issues I see are:
- Each country has its own system, some documented, some not so much, some use OIDC, some SAML, some something more obscure.
- As an individual who moved countries, you end up with multiple accounts.
- As a developer you cannot easily register your own OIDC app. Send an email to some ministry and hope for the best. If you aren't part of government yourself, you may be out of luck.
Pretty much everything is moving to UUID of sorts including Google auth.
It's tricky because you often need to let people reference username/emails for mentions and etc, so you just have to index all of em and translate to UUIDs for references behind the scenes.
It gets extra tricky with APIs. Consider AirPlane.dev which let's you specificy approvers via email. Now a user changes their name and their email. Well, that "IaC" suddenly references an invalid email or worse a different user because jane.doe joined after jane.doe-brown got their new email.
Also, it is good to keep concepts of account ID, public username, and login username separate. By using random account ID, can change the other values. Most accounts want email but don’t have to make it user name. Or people have multiple accounts and makes sense to have email reused.
For login, it can help to have multiple methods. Then people can change from OIDC to password, or between providers.
It’s useful to have your own domain with your own email so it stays with you as long as you like, beyond work emails.
Being a tolerated guest who pays little to none in someone’s servers is another issue.
Most large email providers are more like digital identity providers, and being a citizen of one of these big digital countries is neither democratic or setup for your long term preferences.
> It’s useful to have your own domain with your own email
Until you've forgotten to renew, or were to sick too renew, or the domain is hijacked. I've had my domain for over twenty years, and I've come way too close to losing it at least twice.
The only “safe” email host is the one you run yourself or pay for with actual dollars, not data.
The hard part is taking your second paragraph to action. Most people are not ready for that conversation because the major freemail providers have been in service for such a long time that most people really can’t grasp the concept that email is something you have to pay for.
I really blame a lot of that on Google from the very beginning. Gmail, and essentially all free mail providers, are what they are today because of the precedent Google set and the only way companies were going to be able to compete with that was to also make their email services free.
It would be so much easier for normal people if all service providers allowed you to add multiple email adresses or other aliases to the account.
You can easily lose access any particular email address, even if it's on your own domain. Losing access to all your email addresses and phone numbers at the same time is far less likely.
Have you heard of key event receipt infrastructure (KERI)?
It solves the identity problem with decentralized identifiers though the secret sauce is the fractionally weighted multisig for enabling multi-device signing and account recovery with key rotation.
Spotify let's you add separate login methods. I have my email+pw set up as well as login with Apple and login with Facebook. They all log into the same account and all have the same permissions once logged in.
FaceID and touchID for iOS works pretty seamlessly nowadays for authenticating stuff e.g. mobile payments/banking, etc. and are pretty robust from being spoofed/hacked (uses depth sensor?). Why can’t we create some privacy agnostic universal FaceID to do away with passwords and usernames?
The UK has no formal universal government provided ID system. The UK does allocate National Insurance numbers, but those are specifically not to be used as ID in part because they don't have a face associated with them. Driving licenses exist but are optional, and need regular replacement e.g. when moving address. Names are something you can change on a whim for a bet. Passports have to be updated if your appearance changes significantly, and in any case you don't keep the same one if you change nationality.
maybe you are in Scandinavia, but many countries do not even have a centralised register of births, deaths, marriages... and so they do not have a centralised and canonical record of identity of all people in the country.
Sometimes, the country you are in changes even though you are in the same geographical location. I've had my email address for over a decade longer than the current countries of Serbia, Montenegro, Kosovo and South Sudan have existed.
> they want to be able to choose non-unique ones rather than end up with user53267 or something inane.
Disagreed. I'm 39. I've known hundreds of people (HS, college, etc) and many close friends who willingly made email accounts like "brijacks85" (their birth year) or "sammichelson212" even when their actual names were still fully available on yahoo/gmail/hotmail, etc. I used to regularly create email accounts for these people using just their names and then ask "why didn't you just check your own name first?" and they'd usually just shrug with total indifference and never use the account I made for them.
I'd never use an account someone else made for me either. Who knows if after you created it, you added some recovery questions or a recovery email or saved the login cookie or who knows what else? I'll stick with my fresh account made on my own PC through my own connection, thanks.
When you get the simplest variation of a name on a popular site you’ll receive mail from all the mistaken folks who weren’t careful enough.
Similarly, I get a small fraction of the mail of a texas lawyer, because her email address string is a super set of mine, and some percentage of her clients don’t bother or notice the need to add the extra suffix.
What if every newborn received a chip implant under the skin (cryptographically unbreakable, unauthorized removal punishable by law), linked to a central government database with the chip’s unique identifier and a profile of the newborn’s DNA signature?
What is the best approach to dealing with this problem as an individual?
Gmail? You might randomly get locked by some AI algorithm (or you might get banned!), or something else goes wrong, and there's no recourse.
Yahoo? I recently lost access to mine because they decided to start demanding verification with a deactivated email I haven't had access to for 15 years in order to login. Luckily, I had access in an email client, so I was able to migrate all the important accounts off of it.
Yahoo/AOL/Tutanota/Protonmail/Many others? These ones will auto-delete your account if you don't login frequently enough (not protonmail yet, but they allow it in their TOS)
Self-host? All self-hosting infrastructure requires an email in the first place. Lose access to that email, lose access to payment reminders, potentially your hosting account. I nearly lost my domain since the payment reminders went to an email that I rarely check because it doesn't support IMAP. And there is a greater increase of hacking unless you're a professional sysadmin and have plenty of time for maintenance.
Duo push? Your phone breaks.
SMS verification? Phone breaks, lose access to your plan, compromised employee gives your codes away, etc.
I've settled on using my university gmail address since (1) they promise alumni can keep it and (2) if something goes wrong with it (likely losing 2-factor by losing my phone), there is a good alumni support center. There really needs to be a human I can talk to somewhere. Still not sure if this is the best approach; am I still at risk from Google here?
You are missing the best solution which is your own domain and hosted email like Gmail. If you get locked out like you said, “just” change providers and you lose at most a couple of hours of emails.
Here's an additional problem with using your own domain: some websites (Discord for example) require you to contact support using the email tied to your account. Many corporate systems will reject emails from "untrusted" domains, so you won't be able to contact them.
What about iCloud? I guess in theory they can ban your account, but at least with apple I feel like you generally have some recourse and can talk to a human.
There are two issues I ran into after setting up iCloud mail for someone else:
1. Apple’s spam filtering can be very proactive, and the only way to (allegedly) influence it is to move false positives back to the inbox. There are no settings to whitelist addresses (having them in Contacts doesn’t work reliably) or to turn off spam filtering altogether. As often with Apple, you have to accept their design choices of how they think stuff should work, and can’t do much about it.
2. If you’re transferring or forwarding emails from another account, Apple has a 20 MB email size limit while it’s 25 MB for GMail, which means there may be emails that can’t be transferred.
In any case, I would recommend having your own domain and choosing email providers that support custom domains. That way, you can switch email providers at will while retaining your existing email address(es).
Agreed that emails aren't a good permanent identifier. Though using phone numbers as any part of identification is even worse. I've had the same email for almost two decades (through my own domain name), but I've gone through nearly a dozen phone numbers in the same time period, and regularly find that a website has opted me in to 2fa with an old number, or I've forgotten they had an old phone number to begin with.
I am currently paying a ~$150 per month "tax" to AT&T to keep my US number while living abroad just so I can get login codes for websites that still have that number, and out of fear that if I dump it I'll lose access to some occasionally vital service that I've forgotten to update, or I can't because you need to have a US number.
> I am currently paying a ~$150 per month "tax" to AT&T to keep my US number while living abroad just so I can get login codes for websites that still have that number
Port it to a VoIP company like DIDww, spend $2.50/month, and received SMS can end up in your inbox if you wish.
If you ever want the number on a mobile account again, port it back out to your choice of carrier.
You don't need to pay that much to keep a US number for use abroad. Convert any 2fa you can to use an app like Google Authenticator, then convert your number to Google voice. You can get text messages for free using your old number that way. If you don't want Google involved at all, there are many other time-based authentication apps and you can use www.tossabledigits.com for texts.
The problem with your idea is there are lots of services that blacklist VoIP #'s like Google Voice from being used for 2FA. They also don't have modern 2FA options like TOTP.
Agree with poweroffuet, to try to convert to VoIP. I was lucky on one house move, where my personal office phone number was not acceptable to new area, but I was able to transfer to a VoIP account. At the time internet was slow so after awhile, I quit using the Ethernet phone adapter, and just used that number for receiving calls. Voice and fax calls are all sent to me by emails. It's been over 20 years now.
Works great. (Since I don't have a device to connect, my yearly fee is fairly low.)
I assume that at some point I could always hook up telephone, and take advantage of the modern internet. Although, I really like this system, and it isn't connected to any particular location.
Which is why you buy a domain for $10/yr and use the "custom domains" feature of your email
host.
Like it sucks that getting a permanent identifier is an annoying technical process but DNS is the closest thing to a universal global identifier you can own in a meaningful sense.
This is my experience as well. A random UUID is best IMO. Even a hash of the user's initial email isn't ideal since salting may not be enough, and others may assume they can safely hash any incoming email.
Is there ever a reasonable case for a "natural ID" like we were taught in database school? In my working experience, I always use either an autoincrementing integer or a random string / uuid as the primary key.
Sure, so long as that ID actually identifies the thing in question. Email addresses ARE a great natural ID for an e-mail mailbox. If you want to store a history of what e-mails a particular address has received, they're great. They are not a good identifier for a user since they don't describe the same thing, just two things that happen to coincide right now.
A few examples come to mind: geographic regions that already have codes or abbreviations associated with them (e.g. a FIPS code or state abbreviation in the US), simple enums (though I really only bother putting these in a table if they’re used in multiple places). Have to be careful using a string as the clustered index of a large table, though. Smaller tables with shorter string keys that experience very few writes are most ideal for these cases.
The only natural key a human being will normally be able to follow is their DNA, and I still think chimera-ism or tissue donation or other genetic anomalies might make even that inconsistent.
Most natural keys that identify dimensions of your data are slowly changing anyway - an address isn't a permanent fixture of a building, an area code splits, nations go to war, daylight savings changes on a whim, laws change, rules change, our understanding of the universe changes.
1. Built-in Deduplication. If your ID describes the "thing that it is" handling deduplication is much easier. Of course you can try to enforce it by enforcing uniqueness on other columns (but that's not always possible / can get tricky).
2. Save a DB trip on updates/some creations / make indexing more explicit. E.g. say you are user with email address and you want to update some info. Either you run an update using the email directly (in which case you are treating it as a PK essentially even if you don't call it that) or you first retrieve the relevant PK by whatever logic (say indexing by email and name or whatever) at which point you do have an implicit natural key.
In my experience every time I have seen a "corporate" DB with non natural key you get a LOT of duplication and all sorts of services to try to resolve entities running in a batch way (the horror..).
And 2 leads to a lot of bugs because of the implicit nature where you accidentally update the wrong or multiple rows because you didn't know what the implicit uniqueness "key" entailed.
One notable problem with user ids is that they tend to leak to users in some way. Because of this, it's really easy for competitive intelligence companies to bot create accounts just to get a feeling of new user growth if you're naively using auto increments. This maybe fine mom and pop sites, or sites where somehow the UID never leaves the middleware, but the reality is that using sequential IDs or hashes of them without salt aren't great for this reason.
Yep, the only way to ensure that your identifiers are "permanent" is to choose them such that people have zero reason to change them. They should bear no relationship to any real-world feature that people care about, such as phone numbers, email addresses, national IDs, names, fingerprints, etc.
Random strings fit the bill perfectly. Sequential integers also work fine, except they are easy to guess, so you might need additional security measures.
What if: We had support for public key e-mail addresses, something like <pk-12345@gmail.com>. But also <pk-12345@hotmail.com>. With online services treating them both as equivalent, so I could login or do account recovery with one after signing up with the other. Google bans me or hotmail goes out of business, and I can go to the other service and authenticate with my private key to open the same account there.
Obviously, we'd want some sort of aliasing process so we can have a convenient name, but we probably want mail clients to map those addresses or at least track them with their public key.
Could even end up being a shoehorn for E2E encrypted e-mail, which never really seems to have caught on in any big way.
This would require some big players to support it to get anywhere, but from a brief thinking about it, it seems solid. Other than that nobody has support for it yet...
I am surprised with this thread on hacker news no one has mentioned the decentralized identity foundation - https://identity.foundation/
There are efforts underway to create new ways of identifying and communicating via web where you own your identity, and are not depending on a provider or central authority.
One of my previous energy providers (British Gas, owned by Centrica) didn’t allow an email address to be used for more than one physical address.
When I moved and tried to “set up” my online account I kept getting HTTP 500s when trying to view details about my current address. On the phone they told me “sorry, you can’t use the same email address for multiple [postal] addresses”, even with closed energy accounts from previous addresses.
We're actually in the process of changing around our email system to allow for multiple associated email addresses with an account right now.
One of the main reasons for this is that we provide a student discount for people, and the easiest way to apply that to an account is by checking if their email is an educational one (.edu, .ac.uk, etc). However most people don't seem to want to actually signup with that email. So by allowing multiple emails we can have the best of both worlds! Wish we had done it this way in the beginning.
Be aware that at least in the US, many people who graduated from university can get an .edu alumni forwarding address. I have a rather cool one. I got in early on and it’s just my first name. I don’t use it much though. In the early days the forwarding made it sometimes unreliable although I assume it’s better now. And the reality is my gmail address has been stable over a couple decades at this point and I don’t see that changing.
I give out my edu address to very few people in any case.
Thanks for the heads up. We're aware, but tbh are not that worried about it. If someone that has already graduated is keen to get a student discount, I'm happy to let them. They feel like they're beating the system, and we still get paid. Luckily we're not running a business where the educational discount users are some sort of loss-leading onramp that we expect to make money on once they graduate – they're still profitable even at 50% off.
Currently we actually require manual verification (sending in a student ID to our Intercom) if you didn't sign up with a educational email, and I'm deliberately overlooking the proofs that are clearly invalid. I barely even glance at them. The other day day someone sent me a student ID that was 4 years expired and I just applied the discount and moved on with my day haha. If you send me a PDF called "student_id.pdf" I'll probably give you the student discount. That's part of the reason we're adding this system – we've gotten so lazy that requiring people to go the email verification route will probably be a stricter improvement on the status quo if most users go that route.
There is a client-side solution, even if not the most elegant.
I'm paying a domain, this way i have 100% control of my e-mail alias, even if my current provider (google) goes south, i'm still able to host the mail on my own server to retrieve accounts, and maintain ownership or the alias
You can usually automate the renewal or buy for a long period.
But mistakes can never be completely avoided.
What if you accidentally transfer this domain to someone instead of another domain you sold them? What if you accidentally lose access to the registrar's website? What if.....
What if I want to change the domain? My org changed its domains twice in five years I've been there, and porting e.g. imports in all of the internal Golang porjects was not a funny experience.
Readit News
Emails change, people lose access to old emails.
People dislike usernames, they want to be able to choose non-unique ones rather than end up with user53267 or something inane.
People lose devices, just storing a secret UUID in their cookie, or using a passkey from their device isn't going to work.
There is no ideal solution except to blend a variety of things together, for some people email is pretty stable for long time and they like it as the identity, for others their usernames are stable and they prefer that as the identity... though I know of no-one that has had the same primary device for more than years (not decades) so perhaps that one will never work.
I do think this is important though, where it comes up a lot is a work email account, a first.last@company.com, and how all of the vendor software utilises "Sign in with Google", and it's the email address they then store in the vendor app as the identifier...
People get married, people get divorced, people transition, people move culture and choose new names... names change, and so do email addresses.
Perhaps OIDC and the like needs a new extension: a standard API to change a username, and a standard API to change an email address.
And even those change
As someone that once faced serious jail time for plants, I think that would have been a nice option, but I wasted two years of my life in court/etc.
https://www.youtube.com/watch?v=eWPtAJS1kro
Dead Comment
Of course this means that an ID token should not contain an e-mail address under `sub`.
This is extra fun when the company in question does a lot of their business offering complicated accounts to customers, and has an external facing identity solution that deals with all of this easily: just not for their own workers, including those maintaining the external-facing identity system.
The shoemaker's children always go barefoot
Because it was trivial to impersonate someone. The old usernames supported full UTF-8, enabling a wide variety of attacks.
And by paying for nitro, you could choose the numbers too, so step 1. Find someone you want to impersonate, copy their username, and replace one character with a visually identical one, but a different one. Step 2 - pay for nitro, and choose the numbers too.
As usual, malicious actors are the reason why we can’t have nice things.
1. Use a guid-like value as your internal identifier. All internal references in your databases to a user should use that.
2. Use a second user friendly identifier for the user to login (i.e. Email). Feel free to rebind this if the user needs to change it. Keep a 1-to-1 relationship between the two.
Not sure what the gripe is here, especially with a one year notification period.
The real problem, though, is that we seem to need digital identity solutions to be perfect as opposed to “good enough”. No solution is perfect and we’ll be stuck on email as long as the enterprise security nuts (who need everything device-bound and vendor attested) and anon-in-the-ether privacy schoolers (who think any stable identifier whatsoever is a heinous crime) are part of the conversation.
Imagine if everyone just used mobile drivers licenses issued to whatever self-sovereign wallet the user chooses. Identity issuing, revocation, and recovery is then handled by all the things society has already built to handle meatspace identity. Account recovery involves a trip to your local gov’t office to re-issue your ID credential. Which means you need some chain of trust to your birth certificate. You’re going to treat your mDL credential wallet with a lot more reverence if that’s the recovery flow, so some of these problems solve themselves if we stop using punk short-names everywhere online.
Relying parties that need human uniqueness, age, and/or nationality guarantees use the mDL verifiable credential. Law probibits relying parties from aggregating and selling/transferring information obtained for purposes of authentication from a VC. Ad-tech privacy problem solved.
Services that don’t need proof of human uniqueness etc. can just skip the VC part of the equation and use basic passkeys and implement short-name reclamation.
A permanent identity comes with many additional mechanics, far beyond just a stable identifier. The biggest one is post karma (including likes): IMO it's at the core of almost everything what's wrong with the modern web. It introduces vile personal and group incentives and leads to an eventual destruction of any honest conversation. While this mechanic exists on public forums, I won't use a permanent identity.
But why do you need to tie it to your driver's license? Tie it to whatever kind of account recovery token you like, put that in a safety deposit box at a bank (available for ~$20/year), and then you can get access to that with your government ID if all else fails.
This requires no new infrastructure to screw up or get broken into and doesn't tie your internet activity to your name while still allowing you to use your name to recover your accounts.
> Relying parties that need human uniqueness, age, and/or nationality guarantees use the mDL verifiable credential.
This is variously unnecessary and ineffective.
The correct way to do age verification is to ask the client's browser if the user is a minor. If the user is a minor, either their parents will have configured the device to answer truthfully or the minor has access to an adult willing to allow it, against which no remote system is secure anyway because the adult has an adult ID.
This is the same reason human verification doesn't work like that. You still have no idea if you're talking to a human, all you know is the device on the other end has somebody's ID attached. Individuals who aren't supposed to be using AI still have a human ID and criminal organizations not only have their own IDs but also any they can steal.
It's not clear why proving nationality over the internet is necessary but most of the obvious use cases are dystopian and requiring you to visit a physical office once in your life to prove your nationality to some bureaucracy (after which you can use your account) seems like a minor burden -- and more secure -- than trying to do this.
That kind of system is not worth the candle. The tracking risk is large, the benefit is small, there are too many ways to screw it up and it would inevitably be politically compromised and hard to change.
Depends on the implementation. Some passkeys are device bound. The free ones, typically. Unless you trust Apple and Google to preserve and protect private keys.
Is there anywhere to follow progress on this? I don't think anyone actually implements import/export of passkeys yet.
Ideally in a perfect world we'd have governments run OIDC systems similar to the US login.gov and these would delegate from an international master OIDC system at the UN. Everyone would have their citizenship passport ID and their UN ID, and the latter could serve as a "break glass" master key to support immigration and also limit the ability of countries to "digital death penalty" people.
I can think of some dystopian outcomes here, but IMHO they are not worse than the dystopian outcomes that come from corporate monopolist control of digital identity. At least in democracies one has some nominal influence over one's government and the latter is bound by the rule of law, and if you don't live in a democracy you can (or should be able to) leave.
You're right that identity is hard, and I think most of why it's hard is human rather than technical. One could create a decentralized identity layer from a block chain fairly easily but people would lose their keys etc.
Fake ids are a thing and the quality depends on how much you spend. Governments also have reasons to lie about identity themselves (think spies).
A true identity solution means being able to cross reference your identity across multiple entities (federal government, state and municipal, employers you’ve worked for, businesses you’ve interacted with, etc etc).
I'll reconsider once the corporate death counts begin to match the governmental ones but until then I'll take my chances.
Also in the UK various government types have tried to bring in national ID and the people rebel. People eh?
Immigration doesn’t work that way. You don’t lose or transition from one identity federation to another. You maintain both, typically for the rest of your life.
My personal wishlist is that decision makers and designers of identity systems must include people with real world experience of multiple nationalities, tax residencies, migration and so on.
Currently, these systems are already built on false premises and immigrants suffer a lot – not only because of malice but to a large extent because the bureaucrats didn’t think like security-minded engineers. The edge cases are extremely important when it comes to identity, because identity is required for a lot of basic needs. As the world is become more globalized, these issues are a lot more prevalent.
> and I think most of why it's hard is human rather than technical
Yes but I don’t see why that’s so surprising. It’s the identity of humans that’s the problem.
FWIW I think email is fantastic as identity, compared to the abysmal state of the alternatives. It doesn’t change when you cross a border like phone numbers. It’s not perfect when it comes to self-sovereignty and account recovery.
Umm, I'm not they're not that great as a primary identity either.
One edge case is that you can have have more than one valid passport for the one nationality. Another is of course that one can have more than one nationality.
They restrict people to a single immutable identity, that may not conform to other governments, that may not accommodate different languages and character sets, that are not flexible of gender, that do not reflect relationship types that aren't typically monogamous... the list goes on.
They offer a poor base implementation that is only sufficient due to the legal identity seldom actually being needed online. Which is a good thing, because identity theft would be so much worse if that was everywhere.
In the UK we don't have as fixed an idea of an identity as people think, Cherie Blair is also Cherie Booth Q.C. , Elton John is also Reginald Dwight, and for both people, both identities are real identities and sufficient to get bank accounts in the name of, it's only when it comes to a tax record and passport that you are reduced to a single identifier, but who is to say that the name on that is the preferred name of a person?
My bank account, bank card, accounts on most of my things, do not match my passport and birth certificate.
Example: https://instantusername.com
I've seen quite personal details being leaked because sometimes even smart people don't realise how easy it is to cross-reference given a unique username.
Google doesn't reuse usernames so if they are still around - in a few decades pretty much all unique usernames will belong to dead people.
For important stuff like banks and pensions they also have phone and physical address, so there’s a way to reconcile things like email changes, as rare as they are.
Login.gov is very good from a federal gov idp perspective, and I’m hoping it slowly develops into supporting a national ID and ubiquitous identity proofing to squash identity fraud but also streamline gov digital service delivery.
Government has failed to adapt with modern times and technology and has failed to provide modern and secure identification and authentication services for citizens.
I log in with my bank credentials to access my government tax account, talk about a total failure to do your job from the people still using SIN as an important piece of identity for some of the most important aspects of life.
This is a solvable problem. Governments can adapt and use modern technology to provide identity and authentication services, but they do not.
In my opinion this is a failure to be responsible for core government services, and I can only speculate why.
At least in many EU countries, they are adapting. I'm a fairly happy user of Irish myGovID (OIDC) and ROS (X509 "sign this message with your private key" challenge), and Polish Profil Zaufany (I think OIDC or CAS?).
The issues I see are:
- Each country has its own system, some documented, some not so much, some use OIDC, some SAML, some something more obscure.
- As an individual who moved countries, you end up with multiple accounts.
- As a developer you cannot easily register your own OIDC app. Send an email to some ministry and hope for the best. If you aren't part of government yourself, you may be out of luck.
It's tricky because you often need to let people reference username/emails for mentions and etc, so you just have to index all of em and translate to UUIDs for references behind the scenes.
It gets extra tricky with APIs. Consider AirPlane.dev which let's you specificy approvers via email. Now a user changes their name and their email. Well, that "IaC" suddenly references an invalid email or worse a different user because jane.doe joined after jane.doe-brown got their new email.
For login, it can help to have multiple methods. Then people can change from OIDC to password, or between providers.
Being a tolerated guest who pays little to none in someone’s servers is another issue.
Most large email providers are more like digital identity providers, and being a citizen of one of these big digital countries is neither democratic or setup for your long term preferences.
The only “safe” email host is the one you run yourself or pay for with actual dollars, not data.
The hard part is taking your second paragraph to action. Most people are not ready for that conversation because the major freemail providers have been in service for such a long time that most people really can’t grasp the concept that email is something you have to pay for.
I really blame a lot of that on Google from the very beginning. Gmail, and essentially all free mail providers, are what they are today because of the precedent Google set and the only way companies were going to be able to compete with that was to also make their email services free.
You can easily lose access any particular email address, even if it's on your own domain. Losing access to all your email addresses and phone numbers at the same time is far less likely.
It solves the identity problem with decentralized identifiers though the secret sauce is the fractionally weighted multisig for enabling multi-device signing and account recovery with key rotation.
See the specification for more details: https://www.ietf.org/id/draft-ssmith-keri-00.html
Or the whitepaper: https://github.com/SmithSamuelM/Papers/blob/master/whitepape...
I think it's a good solution.
This is why I think email addresses are "good enough" - you can always spin up a new one for each identity you want to inhabit.
Deleted Comment
There absolutely is a good identity, and it's one provided by countries.
If my country did not like your country I will not be able to connect to your stuff?
A never ending must of problems ahead.
Exactly the analogy I had in mind. email primary keys are "serial monogamy". Or if you want a mathematical analogy, piecewise constant :)
Disagreed. I'm 39. I've known hundreds of people (HS, college, etc) and many close friends who willingly made email accounts like "brijacks85" (their birth year) or "sammichelson212" even when their actual names were still fully available on yahoo/gmail/hotmail, etc. I used to regularly create email accounts for these people using just their names and then ask "why didn't you just check your own name first?" and they'd usually just shrug with total indifference and never use the account I made for them.
But some also large number of people are not.
Similarly, I get a small fraction of the mail of a texas lawyer, because her email address string is a super set of mine, and some percentage of her clients don’t bother or notice the need to add the extra suffix.
See for example UK id cards scrapped in 1952 and again in 2010
>...very unpopular with the public, and was regarded as an alien imposition on the British way of life. https://www.politics.co.uk/reference/identity-cards/
Deleted Comment
Gmail? You might randomly get locked by some AI algorithm (or you might get banned!), or something else goes wrong, and there's no recourse.
Yahoo? I recently lost access to mine because they decided to start demanding verification with a deactivated email I haven't had access to for 15 years in order to login. Luckily, I had access in an email client, so I was able to migrate all the important accounts off of it.
Yahoo/AOL/Tutanota/Protonmail/Many others? These ones will auto-delete your account if you don't login frequently enough (not protonmail yet, but they allow it in their TOS)
Self-host? All self-hosting infrastructure requires an email in the first place. Lose access to that email, lose access to payment reminders, potentially your hosting account. I nearly lost my domain since the payment reminders went to an email that I rarely check because it doesn't support IMAP. And there is a greater increase of hacking unless you're a professional sysadmin and have plenty of time for maintenance.
Duo push? Your phone breaks.
SMS verification? Phone breaks, lose access to your plan, compromised employee gives your codes away, etc.
I've settled on using my university gmail address since (1) they promise alumni can keep it and (2) if something goes wrong with it (likely losing 2-factor by losing my phone), there is a good alumni support center. There really needs to be a human I can talk to somewhere. Still not sure if this is the best approach; am I still at risk from Google here?
1. Apple’s spam filtering can be very proactive, and the only way to (allegedly) influence it is to move false positives back to the inbox. There are no settings to whitelist addresses (having them in Contacts doesn’t work reliably) or to turn off spam filtering altogether. As often with Apple, you have to accept their design choices of how they think stuff should work, and can’t do much about it.
2. If you’re transferring or forwarding emails from another account, Apple has a 20 MB email size limit while it’s 25 MB for GMail, which means there may be emails that can’t be transferred.
In any case, I would recommend having your own domain and choosing email providers that support custom domains. That way, you can switch email providers at will while retaining your existing email address(es).
Apple is a long-time, reliable email provider, and the transition from Google Workspace to iCloud+ custom domains was straightforward with `imapsync`: https://blah.cloud/miscellaneous/migrating-google-workspaces...
I am currently paying a ~$150 per month "tax" to AT&T to keep my US number while living abroad just so I can get login codes for websites that still have that number, and out of fear that if I dump it I'll lose access to some occasionally vital service that I've forgotten to update, or I can't because you need to have a US number.
Port it to a VoIP company like DIDww, spend $2.50/month, and received SMS can end up in your inbox if you wish.
If you ever want the number on a mobile account again, port it back out to your choice of carrier.
I don't know why you're paying so much - you can just port the number to a VIOP provider and pay a few bucks a month.
Even for a normal phone service that's exorbitant - I pay less than $100/month for two lines.
Like it sucks that getting a permanent identifier is an annoying technical process but DNS is the closest thing to a universal global identifier you can own in a meaningful sense.
Switch to a FLOSS OTP solution and/or Fido2 key. If you’re service providers don’t accept them, replace them with one who does.
Most natural keys that identify dimensions of your data are slowly changing anyway - an address isn't a permanent fixture of a building, an area code splits, nations go to war, daylight savings changes on a whim, laws change, rules change, our understanding of the universe changes.
1. Built-in Deduplication. If your ID describes the "thing that it is" handling deduplication is much easier. Of course you can try to enforce it by enforcing uniqueness on other columns (but that's not always possible / can get tricky).
2. Save a DB trip on updates/some creations / make indexing more explicit. E.g. say you are user with email address and you want to update some info. Either you run an update using the email directly (in which case you are treating it as a PK essentially even if you don't call it that) or you first retrieve the relevant PK by whatever logic (say indexing by email and name or whatever) at which point you do have an implicit natural key.
In my experience every time I have seen a "corporate" DB with non natural key you get a LOT of duplication and all sorts of services to try to resolve entities running in a batch way (the horror..).
And 2 leads to a lot of bugs because of the implicit nature where you accidentally update the wrong or multiple rows because you didn't know what the implicit uniqueness "key" entailed.
Random strings fit the bill perfectly. Sequential integers also work fine, except they are easy to guess, so you might need additional security measures.
Dead Comment
Obviously, we'd want some sort of aliasing process so we can have a convenient name, but we probably want mail clients to map those addresses or at least track them with their public key.
Could even end up being a shoehorn for E2E encrypted e-mail, which never really seems to have caught on in any big way.
This would require some big players to support it to get anywhere, but from a brief thinking about it, it seems solid. Other than that nobody has support for it yet...
There are efforts underway to create new ways of identifying and communicating via web where you own your identity, and are not depending on a provider or central authority.
When I moved and tried to “set up” my online account I kept getting HTTP 500s when trying to view details about my current address. On the phone they told me “sorry, you can’t use the same email address for multiple [postal] addresses”, even with closed energy accounts from previous addresses.
One of the main reasons for this is that we provide a student discount for people, and the easiest way to apply that to an account is by checking if their email is an educational one (.edu, .ac.uk, etc). However most people don't seem to want to actually signup with that email. So by allowing multiple emails we can have the best of both worlds! Wish we had done it this way in the beginning.
I give out my edu address to very few people in any case.
Currently we actually require manual verification (sending in a student ID to our Intercom) if you didn't sign up with a educational email, and I'm deliberately overlooking the proofs that are clearly invalid. I barely even glance at them. The other day day someone sent me a student ID that was 4 years expired and I just applied the discount and moved on with my day haha. If you send me a PDF called "student_id.pdf" I'll probably give you the student discount. That's part of the reason we're adding this system – we've gotten so lazy that requiring people to go the email verification route will probably be a stricter improvement on the status quo if most users go that route.
I'm paying a domain, this way i have 100% control of my e-mail alias, even if my current provider (google) goes south, i'm still able to host the mail on my own server to retrieve accounts, and maintain ownership or the alias
But mistakes can never be completely avoided.
What if you accidentally transfer this domain to someone instead of another domain you sold them? What if you accidentally lose access to the registrar's website? What if.....