"User privacy is enhanced as the issuer does not learn which web application is making the request as the request is mediated by the browser."
Every web application nowadays send you a welcome, onboarding, reminder after the verification. (No user privacy enhancement)
So we get a new process that solves nothing, but makes everything complicated. (And complicated helps the big and hurt the little in th long run)
Not verified but feels like a Google draft that closes the web.
The convenience advantage is significant, and it goes farther than convenience, since it’s very common for services to have their verification mail blocked or sent to spam. (Bonus pain: there’s no user-visible difference between delayed and blocked mail.)
The privacy advantage is also significant and real: no, not every web app sends an onboarding reminder, and the current state of web apps came to be without this functionality, so you can expect behaviour changes for those services that value the privacy, plus new services/authentication options to spring up that weren’t previously possible.
> it’s very common for services to have their verification mail blocked or sent to spam
So instead, there’s no verification mail and it’s the next message, the one that you actually wanted, that gets blocked or sent to spam.
The “privacy advantage” that the issuer can’t learn the identity of the application that wants to send mail seems to me to be a significant functional liability. If it instead produced a token that said to the email service provider “see, the message was invited”, now that would be useful. (It would raise concerns of its own, but it would at least be useful.)
> The privacy advantage is also significant and real
Depending which privacy, currently if I input a email into xyz noone can trust that this email belongs to me.
In the future every email input can verify if the mail belongs to me, that scream abuse and more new things that try to fix the old.
I thought this initially, the privacy thing looks like a non issue and is confusing. But the advantage is stated in the preceding paragraph. The user doesn't need to leave the signup flow and doesn't need to open their email.
The auth mechanism flows through the cookies, assuming the email provider offers a web browser and the user is signed in this could be seamless, although I'm not certain the cookie could be safely read cross site without risk or without being blocked by the browse
It wouldn't be simple to implement but not impossible, and it sounds like it would cost nothing to the user, it could work behind the scenes. Like as a user you are logged in to gmail or zoho mail in your browser. You sihn up for another service and you didn't get a confirmation email, just a welcome email. No fucks are given, it just works.
Mobile does this with autofilling auth codes sometimes with sms, so there's precedent.
Congrats OP the idea looks feasible. I'm usually the ackshually guy looking for the nitpick, but it looks nice. Will check the technicals later, cause the devil is in the details.
I think there is benefit to this because folding some identity primitives into the browser helps the user (in UX, in security). This was certainly true of password managers.
The other comments talk about how you will need to have a fallback. That is certainly true. But just because you have to have a fallback doesn't mean you can't improve things.
> Every web application nowadays send you a welcome, onboarding, reminder after the verification. (No user privacy enhancement)
But would they need to if they could trust info coming from the browser?
I can't tell you how many times email verification context switches made me completely lose track of what I was doing.
There's literally no worse context switch than having to go into your inbox, wait for an email, then come back to the appropriate tab to complete registration or login.
There are probably dozens, maybe hundreds, of services I never finished registering for all on account of this problem.
I worked authc/authz and security for a large fintech and we constantly butted heads against the growth folks. They fought hard and eventually won the right to do account creation and IDV without email verification. You don't have to verify your email until you're already making transactions, and that does wonders for growth. We're still accountable for all the stringent KYC regulations, of course.
And when a customer fat fingered their email address and that fintech company didn't bother verifying email addresses, policy probably prohibited granting a request from the email address owner to remove their address from the account because they're not the financial account owner. Fortunately for that company, financial institutions seem to avoid Gmail's spam filter no matter how many times I mark those emails as spam.
What's worse is that the email is often delayed at the sender (cheap bulk email services) or the receiver (gray listing), but for no reason I can fathom have a short expiration date.
What's worse they are often unique AND delivered out of order AND have no timestamp or sequence number. So you get to guess which is the newest, using any other fails, and the ones that succeed often time out before they can be used.
Having an expiration date as short as 15 minutes seems insane and counter productive.
> There's literally no worse context switch than having to go into your inbox, wait for an email, then come back to the appropriate tab to complete registration or login.
Then it's something maybe the customer isn't interested in the first place.
Most of the time mail just works for me only issues are sometimes greylisting and it takes hours.
I can understand it from the company side, but not sure how well it really works when someone use a mail app on mobile and on desktop not even logged into the mail account.
Cool, so if I want to use myname+yourdomainname.here@myemail.com to register on your application I now first have to go to some third party(?*) to verify that myname+yourdomainname.here@myemail.com is valid**. And then, once I've gone through the hassle of that, I have to go back to your website to use the third party service to verify my email. Thanks I guess...
* It's not clear if this service would be provided by a third party (in which case, the problem has merely just been moved) or the email provider. It sounds like the former, but in case it's the latter, then this doesn't have as big an impact I guess.
** While _I_ as the owner of an email address can decisively know that all emails of the form `myname+<whatever>@myemail.com` will go to me, you as the owner of a website attempting to verify my email cannot know that. The standards specify that + is valid in an email user part, but they do not require plus addressing to work.
On second glance, the validator is dictated by the domain owner so this falls into the "in case it's the latter, then this doesn't have as big an impact I guess" category.
I'll put this on the backlog of things to implement if I'm incredibly bored and want to weaken the security of my infrastructure.
What is your first paragraph referring to? This whole standard is trying to eliminate the context switching that happens when a website wants to verify your email.
Perhaps you mistook the two bullet points outlining what currently happens as goals for the standard?
The new standard relies on some possibly third party (at least that seems somewhat implied here) which has a database of email addresses which it can attest exist and which is tied to some user authentication.
If the email address isn't yet known to this third party (or, you are not logged in), there _will_ be a context switch which in my example case will occur for every registration since I use a per-entity email address.
You are using a workaround for your privacy, and to prevent spam (not solid at either).
The protocol proposes to alleviate a UX burden. The back and forth.
it would need Google (and other email provider supporting the + trick) to allow you to certify your ownership of a wild card set of email addresses, i.e anything matching what's before the + and the protocol would work just the same. Absolutely reducing some friction without adding you the extra burden your trick currently involves.
> You are using a workaround for your privacy, and to prevent spam (not solid at either).
Neither, I do it so I can track which companies sold my email address on without my permission so I can put them on my shit list / report them to my government / shame them on the internet / whatever.
> The protocol proposes to alleviate a UX burden. The back and forth.
That seems to be _one_ aspect but that assumes you're logged into whatever email verification provider is in use.
> it would need Google (and other email provider supporting the + trick) to allow you to certify your ownership of a wild card set of email addresses, i.e anything matching what's before the + and the protocol would work just the same. Absolutely reducing some friction without adding you the extra burden your trick currently involves.
You assume that it's the email provider which has to implement this, which isn't so clear to me.
Only the email provider can attest that + addressing is in place, if a third party is involved, they can only explicitly match on full email addresses.
Like I said in my original comment, if it's the email provider that has to implement this, then the bulk of my issue is gone. Aside from the fact that now, as my own email provider, I have to implement this protocol somehow (easier said than done given my current infrastructure approach is aimed towards moving as many things into a non internet facing network).
I make a point telling companies that the point of +yourdomainname on email addresses is to avoid having their email and news letters go through the extra aggressive and strict spam filtering that occur without +appendix. They as a company benefit from better delivery and lower support costs, and I enjoy the accountability of who is using my email address. It is a nice win-win solution for both.
The ideas proposed in here aren't bad, but it does seem like you'll need to maintain two user flows as a site owner because:
1) Not all email providers will implement this, and
2) Users may not be signed into their email at the moment they signup
As a developer, I would find it easier to have one "verification code" flow for all users rather than fragmenting the process; it's much easier to document for your support staff. Again, not a bad proposal but perhaps not very useful in practice.
I thought Mozilla Persona aka BrowserID handled this email validation well with a fallback provider that used the same flow (and also implemented the OIDC work for obvious existing social providers like Gmail/Google Accounts). Though obviously not well enough because that fallback provider was seen as a large expense and shutdown without a replacement killing the Mozilla Persona effort.
But that does relate to I keep wanting an email claim for Passkeys. A user's browser/OS could verify an email address once and then associate it with a Passkey. Passkeys might be a good place for that (as Persona/BrowserID suggested). Obviously some browsers could lie about verifying the email address in the claim and there might still need to be more steps to it, but if you are already taking Passkeys it doesn't necessarily add an entirely different flow to accept a verified email claim from a Passkey (and/or decide you don't trust that Passkey's claim and trigger your regular verification code flow).
This is sorta interesting, but it fails on several levels. First, email verification as it exists currently is fairly simple, there are a lot of different ways to do it, and it works universally for all email addresses (as long as you don't expire codes too fast for servers that use greylisting).
This protocol solves a pretty contrived problem ("By sending the email verification code, the inbox provider knows the user is using that service!") by making email verification exponentially more complex, with only one correct flow, and will only work for domains that have opted in and configured this protocol.
Importantly, the protocol seems to rely on 1st party web cookies, which means you could no longer run a "pure" MTA that offers IMAP; you would need to have some web interface where your users can log in, even if there is no webmail functionality.
The bigger question is: why would the company who is hosting the email have any economic incentive to invest time and money in implementing and maintaining this protocol which currently has zero adoption? It's a chicken-and-egg with no upside.
> This protocol solves a pretty contrived problem ("By sending the email verification code, the inbox provider knows the user is using that service!")
I agree with a lot of what you are saying, but I think the main motivation is actually trying to reduce friction for the user to verify their email, which is good for the user, because it makes registration easier, and good for the company, because less users bounce at the email registration step.
But yeah, this is quite complicated, and there isn't a lot of motivation for email providers to implement it.
If my memory serves, this is the same wolf in sheep’s clothing that the attestation based Web Environment API was, from the same kinds of very interested parties. (Edit: I may be misremembering the name of that proposed API.)
It’s not about efficient, effective solutions. It’s about control. Something you have to look at with WICG and W3C is the source of proposals and drafts.
Ages ago we intentionally configured MTA's to prevent enumeration and validation of email addresses on purpose. This appears to be a convoluted way to unwind that change and in my opinion would be heavily abused by shady email marketing groups on day 1. With all due respect I would never implement this in a company and would fight it. I choose my battles carefully before presenting them to the board until groups such as NCC [1] have reviewed the implementation concepts and details. All it would take is one poorly coded application using this incorrectly to be abused. i.e. devil in the implementation details or otherwise known as the weakest link. Having NCC validate every single implementation is going to get very expensive.
* It's lowering the friction to the site identifying the user (separate from the identification done now by the more sophisticated third-party tracking by surveillance companies like Google and Meta), even for sites that previously couldn't justify the friction of trying to do that.
* It's putting surveillance companies even more in the loop, building on the recent "log in with [surveillance company]" buttons, while existing login methods are destroyed through dark pattern practices or simply removed.
* It can be a ready-made platform, waiting for the next authoritarian government directives that say, now that everyone is hooked up or can easily be hooked up, turn on oppressive feature X, Y, or Z for all targeted Web sites/people.
I don't know if this is the solution, but we desperately need one. It's to the point where "email bombing" is forcing service providers to add captchas to login and registration because those forms are being abused as mail-flooders.
The Verified Email Protocol got renamed to BrowserID, and Persona was its reference implementation.
This looks broadly similar to that, but with some newer primitives (SD-JWT) and a focus on autocomplete as an entrypoint to the flow. If I recall correctly, the entire JOSE suite (JWT, JWK, JWE, etc.) was still under active iteration while we were building Persona.
And hey, I applaud the effort. Persona got a lot of things right, and I still think we as an industry can do better than Passkeys.
Readit News
There is no advantage.
"User privacy is enhanced as the issuer does not learn which web application is making the request as the request is mediated by the browser." Every web application nowadays send you a welcome, onboarding, reminder after the verification. (No user privacy enhancement)
So we get a new process that solves nothing, but makes everything complicated. (And complicated helps the big and hurt the little in th long run)
Not verified but feels like a Google draft that closes the web.
The privacy advantage is also significant and real: no, not every web app sends an onboarding reminder, and the current state of web apps came to be without this functionality, so you can expect behaviour changes for those services that value the privacy, plus new services/authentication options to spring up that weren’t previously possible.
So instead, there’s no verification mail and it’s the next message, the one that you actually wanted, that gets blocked or sent to spam.
The “privacy advantage” that the issuer can’t learn the identity of the application that wants to send mail seems to me to be a significant functional liability. If it instead produced a token that said to the email service provider “see, the message was invited”, now that would be useful. (It would raise concerns of its own, but it would at least be useful.)
Depending which privacy, currently if I input a email into xyz noone can trust that this email belongs to me. In the future every email input can verify if the mail belongs to me, that scream abuse and more new things that try to fix the old.
The auth mechanism flows through the cookies, assuming the email provider offers a web browser and the user is signed in this could be seamless, although I'm not certain the cookie could be safely read cross site without risk or without being blocked by the browse
It wouldn't be simple to implement but not impossible, and it sounds like it would cost nothing to the user, it could work behind the scenes. Like as a user you are logged in to gmail or zoho mail in your browser. You sihn up for another service and you didn't get a confirmation email, just a welcome email. No fucks are given, it just works.
Mobile does this with autofilling auth codes sometimes with sms, so there's precedent.
Congrats OP the idea looks feasible. I'm usually the ackshually guy looking for the nitpick, but it looks nice. Will check the technicals later, cause the devil is in the details.
I think there is benefit to this because folding some identity primitives into the browser helps the user (in UX, in security). This was certainly true of password managers.
The other comments talk about how you will need to have a fallback. That is certainly true. But just because you have to have a fallback doesn't mean you can't improve things.
> Every web application nowadays send you a welcome, onboarding, reminder after the verification. (No user privacy enhancement)
But would they need to if they could trust info coming from the browser?
0: I wrote an intro to this here: https://www.infoq.com/articles/federated-credentials-managem...
I can't tell you how many times email verification context switches made me completely lose track of what I was doing.
There's literally no worse context switch than having to go into your inbox, wait for an email, then come back to the appropriate tab to complete registration or login.
There are probably dozens, maybe hundreds, of services I never finished registering for all on account of this problem.
I worked authc/authz and security for a large fintech and we constantly butted heads against the growth folks. They fought hard and eventually won the right to do account creation and IDV without email verification. You don't have to verify your email until you're already making transactions, and that does wonders for growth. We're still accountable for all the stringent KYC regulations, of course.
Sounds like a useful and very effective filter to not create accounts for things that do not really matters to you.
What's worse they are often unique AND delivered out of order AND have no timestamp or sequence number. So you get to guess which is the newest, using any other fails, and the ones that succeed often time out before they can be used.
Having an expiration date as short as 15 minutes seems insane and counter productive.
Then it's something maybe the customer isn't interested in the first place. Most of the time mail just works for me only issues are sometimes greylisting and it takes hours.
I can understand it from the company side, but not sure how well it really works when someone use a mail app on mobile and on desktop not even logged into the mail account.
* It's not clear if this service would be provided by a third party (in which case, the problem has merely just been moved) or the email provider. It sounds like the former, but in case it's the latter, then this doesn't have as big an impact I guess.
** While _I_ as the owner of an email address can decisively know that all emails of the form `myname+<whatever>@myemail.com` will go to me, you as the owner of a website attempting to verify my email cannot know that. The standards specify that + is valid in an email user part, but they do not require plus addressing to work.
I'll put this on the backlog of things to implement if I'm incredibly bored and want to weaken the security of my infrastructure.
Perhaps you mistook the two bullet points outlining what currently happens as goals for the standard?
If the email address isn't yet known to this third party (or, you are not logged in), there _will_ be a context switch which in my example case will occur for every registration since I use a per-entity email address.
The protocol proposes to alleviate a UX burden. The back and forth.
it would need Google (and other email provider supporting the + trick) to allow you to certify your ownership of a wild card set of email addresses, i.e anything matching what's before the + and the protocol would work just the same. Absolutely reducing some friction without adding you the extra burden your trick currently involves.
Neither, I do it so I can track which companies sold my email address on without my permission so I can put them on my shit list / report them to my government / shame them on the internet / whatever.
> The protocol proposes to alleviate a UX burden. The back and forth.
That seems to be _one_ aspect but that assumes you're logged into whatever email verification provider is in use.
> it would need Google (and other email provider supporting the + trick) to allow you to certify your ownership of a wild card set of email addresses, i.e anything matching what's before the + and the protocol would work just the same. Absolutely reducing some friction without adding you the extra burden your trick currently involves.
You assume that it's the email provider which has to implement this, which isn't so clear to me.
Only the email provider can attest that + addressing is in place, if a third party is involved, they can only explicitly match on full email addresses.
Like I said in my original comment, if it's the email provider that has to implement this, then the bulk of my issue is gone. Aside from the fact that now, as my own email provider, I have to implement this protocol somehow (easier said than done given my current infrastructure approach is aimed towards moving as many things into a non internet facing network).
1) Not all email providers will implement this, and
2) Users may not be signed into their email at the moment they signup
As a developer, I would find it easier to have one "verification code" flow for all users rather than fragmenting the process; it's much easier to document for your support staff. Again, not a bad proposal but perhaps not very useful in practice.
But that does relate to I keep wanting an email claim for Passkeys. A user's browser/OS could verify an email address once and then associate it with a Passkey. Passkeys might be a good place for that (as Persona/BrowserID suggested). Obviously some browsers could lie about verifying the email address in the claim and there might still need to be more steps to it, but if you are already taking Passkeys it doesn't necessarily add an entirely different flow to accept a verified email claim from a Passkey (and/or decide you don't trust that Passkey's claim and trigger your regular verification code flow).
This protocol solves a pretty contrived problem ("By sending the email verification code, the inbox provider knows the user is using that service!") by making email verification exponentially more complex, with only one correct flow, and will only work for domains that have opted in and configured this protocol.
Importantly, the protocol seems to rely on 1st party web cookies, which means you could no longer run a "pure" MTA that offers IMAP; you would need to have some web interface where your users can log in, even if there is no webmail functionality.
The bigger question is: why would the company who is hosting the email have any economic incentive to invest time and money in implementing and maintaining this protocol which currently has zero adoption? It's a chicken-and-egg with no upside.
I agree with a lot of what you are saying, but I think the main motivation is actually trying to reduce friction for the user to verify their email, which is good for the user, because it makes registration easier, and good for the company, because less users bounce at the email registration step.
But yeah, this is quite complicated, and there isn't a lot of motivation for email providers to implement it.
It’s not about efficient, effective solutions. It’s about control. Something you have to look at with WICG and W3C is the source of proposals and drafts.
[1] - https://www.nccgroup.com/
* It's putting surveillance companies even more in the loop, building on the recent "log in with [surveillance company]" buttons, while existing login methods are destroyed through dark pattern practices or simply removed.
* It can be a ready-made platform, waiting for the next authoritarian government directives that say, now that everyone is hooked up or can easily be hooked up, turn on oppressive feature X, Y, or Z for all targeted Web sites/people.
Or maybe creating some sort of reduced OAuth "Anonymous-Site-Verifying-Your-Email-Exists" flow?
This looks broadly similar to that, but with some newer primitives (SD-JWT) and a focus on autocomplete as an entrypoint to the flow. If I recall correctly, the entire JOSE suite (JWT, JWK, JWE, etc.) was still under active iteration while we were building Persona.
And hey, I applaud the effort. Persona got a lot of things right, and I still think we as an industry can do better than Passkeys.
For historic interest, the Persona After Action Report has a few key insights from when we spun down the project: https://wiki.mozilla.org/Identity/Persona_AAR