Why an email address doesn’t work as an OpenID

From Design Build Test Repeat:

So my call to web developers, explain why an email based authentication would not work

  1. User goes to www.iwanttousethiswebsite.com
  2. User types in email address myname@yahoo.com
  3. www.iwanttousethiswebsite.com sends an email to myname@yahoo.com
  4. The mail will contain a url like http://www.iwanttousethiswebsite.com/login/1234-2345-qqwsedtod-swqjduehs-etc-etc
  5. At the same time the site stores the relationship between this unique id and the email address
  6. User goes to email site, and opens up the email from www.iwanttousethiswebsite.com.
  7. They click on the url and are taken to the website where the back end code validates the id is genuine and logs the user in.
  8. At that point the user has the opportunity to modify the data relating to them, like display name, interests etc.
  9. The next time they log in, the same thing happens

Now, I think that would work, and I’m going to try it with a new website I am building in the area of citizen empowerment. Should be interesting.

Diarmuid
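The quoted flow, as an added example that is neither Diarmuid's code nor this blog's: the in-memory stores, the constructed mailbox and the 600-second link lifetime are assumptions. It shows that the link itself is the whole credential, which is the point the reply below makes.

```python
import secrets
import time

# Added illustration of the email-link login quoted above; names and the
# in-memory stores are assumptions, not code from Diarmuid's site.
TOKEN_TTL = 600  # seconds a login link stays valid (assumed)

_pending = {}  # token -> [email, issued_at, used]
_mailbox = {}  # constructed stand-in for the user's inbox: email -> [url, ...]


def request_login(email, now=None):
    """Steps 3-5: mint an unguessable id, store the id/email link, 'send' the url."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # urlsafe alphabet, so no '/' inside
    _pending[token] = [email, now, False]
    url = f"http://www.iwanttousethiswebsite.com/login/{token}"
    _mailbox.setdefault(email, []).append(url)
    return url


def consume_login(url, now=None):
    """Step 7: validate the id and return the email it logs in as, else None.

    The id is single-use and expiring, but nothing here ties it to the browser
    that asked for it: whoever presents the url first is logged in as the user.
    """
    now = time.time() if now is None else now
    entry = _pending.get(url.rsplit("/", 1)[-1])
    if entry is None:
        return None
    email, issued_at, used = entry
    if used or now - issued_at > TOKEN_TTL:
        return None
    entry[2] = True
    return email


def plaintext_mail_scenario():
    """Constructed scenario: someone who reads the unencrypted mail in transit
    presents the link before the real user does; the user's own click then fails."""
    url = request_login("myname@yahoo.com")
    observed = _mailbox["myname@yahoo.com"][-1]  # the same url, read off the wire
    observer_result = consume_login(observed)
    user_result = consume_login(url)
    return observer_result, user_result
```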

The blog may be called “Design Build Test Repeat”, but Diarmuid appears to have only done the first step… :) Using email would NOT work. It’s not just that spam is a drawback (it is), but that it’s totally unworkable due to other problems.

It’s vulnerable to attack since email is typically neither encrypted in transit nor authenticated, so an attacker who can sniff the traffic can read the plaintext of an email intended for someone else, follow the login URL, and be logged in as that person. Being able to read unencrypted email traffic is no proof that you are the legitimate owner of the account in question. Trying to mitigate this with PKI only moves the problem: you would still need to prove your public key to the site you want to log into, which is the very problem we’re trying to solve.

Ultimately, though, your solution is too complex, because what you’re proposing is out-of-band authentication: you authenticate for web access by proving email access. What if you’re browsing the web somewhere you don’t have access to your email? To log in to a website, you should only need access to the web. Many email providers offer webmail, but many don’t. Email delivery often has high latency as well, so you could wait 5-10 minutes to log into a website.

This also assumes that the website’s hosting provider lets it send email, which is probably not a good assumption. With OpenID you don’t need anything beyond the ability to run scripts on your web host to authenticate your users, and that is already a prerequisite for offering the service itself that users are authenticating to.
