That is absolutely true, or at least I think it is. The single best thing we did it to allow our customer to do a purchase without being logged in.
If the email address entered on our checkout page is already in our database, we link that purchase to the relevant account. If the customer want to login, they can, if not, that's cool to. We get a lot of wrong matches which needs to be fixed, but that seems to be a price we can and will pay.
We have had customer adding orders to other people accounts, because their email address was entered wrong ( even though we require the customer to enter the email twice. ) and we have customers ending up with multiple account that we need to merge. Despite all the problems, customers love not having to log in before doing a purchase. It's hit and miss in a few cases, but we try to do what our customers expect, matching their purchase to their account, regardless of login credentials. That's what consumers want.
We did the same thing with one of the sites at work... You can make a purchase without login, and the related emails to a given order includes a token so you can see that order's status without login.. If there isn't an account at that email, we generate one with a few space-separated random words, and email the user... password recovery is email only and pretty easy. All in all, the user experience has been pretty well received.
Now that I've seen this in practice, it would be my preferred way moving forward. It didn't/doesn't take that much effort to do things this way. The bigger issue is in the occasional phone order our demographic is mostly men 50+, so some genuinely don't have email.. we use an internal address in that case...
My favourite online tea store does this too, and it's one reason I ended up eventually creating an account with them. anybody who dies this automatically gets a credibility boost in my eyes.
I learned today that StackOverflow (and company) have responsive support persons who respond via e-mail, that will help you recover and merge your cookie-based StackExchange accounts if you've lost access and there is sufficient evidence that they belong to you. (I thought I had registered the account under the myid.net provider (who is now defunct?) but no.)
That has to cost a lot of money. With the dozens of ways you can authenticate with StackExchange, I don't know why I was surprised to learn I had previously created an account without actually creating an account, but it was so.
Also, anyone who reads Korean can tell me if this says "sorry we're closed"?
What is infuriating about the stackoverflow sites is that they treat each site separately so you end up with multiple logins across the "network" that you really don't care about. Then they do that annoying thing where they display the page, then detect you are "logged in", and then tell you to refresh.
That site is very good at Q&A, but UX wise it's terrible. It's as if they've only ever tested it with their own devs, and never done any real hallway or external usability testing.
I've tried to participate in their "meta" site, but the pedantic and condescending tone there is even worse than it is on the main sites.
Furthermore, Atwood seems to take the success of the platform as a ringing endorsement of all its characteristics, as evidenced by the recent commentary on user experience and the development of his forum.
Bob Martin's recent "And I'm very sorry that when you finally brute-force your way to some modicum of success that you will credit your bad behavior, and recommend it to others" has sprung unbidden into my mind once again ...
This seems likely. Still, with a bit of planning they could have gotten around this. Everything dealing with identity could have been served from a single domain. There probably would still have been issues, but they would have been resolvable.
Yes! I hate it when I have to register for a service, wait for the email activation link only to find out that I that the service isn't for me. Then I have to delete the account and wait for emails to come to unsubscribe to those.
Even worse is that many times you can't delete your account, or if you can, it's just a soft-delete -- and now that site has your email address (at a minimum), and sometimes may have much more information about you.
Call me paranoid, but I think "deleting" your account has the potential to actually do more harm than good, since in doing so you are voiding any agreements or terms that you had previously agreed to, including those that promise not to sell or otherwise abuse your info.
I use mailinator for pretty much every site that wants an email address. Pick an obscure enough address and your risks are minimized to practically nothing but you get all the convenience of "deleting" your account simply by never thinking about it again.
The simple fact that one would have to jump through so many hoops just to try out a new service means that the system is broken.
It's like making you buy a car without allowing you to take it for a test drive. At least the reasons for photocopying your license before taking a test drive are understandable.
I have a domain with a catch-all address, and so I just makeup addresses to use on the spot, but I know people like me and you are in the vast minority; none of my non-tech friends and family would ever do this. Also, sites like mailinator are often banned from sign-ups.
I actually have a domain like that too. I just like mailinator because I know I'm never going to want their email so I don't even have to put in a rule to block out.
On a related note, some spammers have really done a number on me. First they impersonated thousands of addresses at my domain in the form of xxxxxx@mydomain.com where x is a hex digit. This is despite me having DomainKeys and SPF enabled. So not only did I get a lot of bounced spam to my catch-all, the spam that went through ended up in places that other spammers picked it up as a valid address so now I am getting spam sent to those randomized addresses.
At first I figured I could put together a rule to block all hexadecimal address of six digits but it turns out that at least another round of spammers started using the full alphabet and variable lengths.
I've come to the conclusion that I'm going to need to include a cookie in the addresses I use - so instead of dropdox@mydomain.com and amazon@mydomain.com it will be something like DOQ.dropdox@mydomain.com and DOQ.amazon@mydomain.com - addresses without the cookie get binned. But that's not going to help with all the addresses I've used over the last 15 years, and haven't kept track of.
I know this will not work everywhere (not everyone implements correctly the RFC's regarding e-mail) but if you have an address, you can make up addresses on the spot by using the + notation
eg messages to myrealemail+mytag@gmail.com will always be received by myrealemail@gmail.com
I too have a domain with catch-all, and I do that rather than using the + notation, but it's something you can teach your friends who would never do that.
Yeah, I'm counting on e-mailers to send mail to the address I give them. No, I don't expect folks to send me spam unsolicited, or sell my address when I give it to them. I don't consider my name or e-mail address to be secret, and I'm also counting on anyone who sells my contact info to be doing it in bulk, not paying enough attention to strip out +tags, and by passing the address to spammers unaltered (or losing control of their database), give themselves away when I start receiving spam at that address.
Honestly I don't use the feature very often and I had not considered it to be a security measure before. Maybe novelty is the right word.
If I give myaddress+dropbox@mydomain.com to Dropbox, and they mail me from different addresses, I would be able to catch them all and put the "Dropbox" tag on them all, rather than having to make a filter for *@dropbox.com or some other extraordinary measure for classifying their mail.
It's part of the RFC, and supported by every mailer that I know. What part of this technique seems like obfuscation?
I guess that's the disconnect, because I do consider my email address secret -- since it is 1/2 of the information required to access my Google account, I take great measures to make sure that outside parties never see it (as best I can). If I can prevent any site from ever knowing that address, then my chances of being targeted (phishing, brute-force, whatever) are drastically reduced.
So, if you only use +tag for your own personal organizational purposes, then have at it! But if your goal is to conceal your account ID with Google in the interest of personal security, then you really need a better angle.
One could use something like a copy-and-pastable session/state string/encoding (that a user should keep secret, if secrecy is important to them) at the bottom of every important page that a person might want to return to (rather than in the URL or the invisible, and therefore unmanageable, cookie). If they care enough to save it, they have an account (ex, they don't have to fill in their shipping info for the 9th time...). If they don't care enough to save it, it can be automatically deleted after a period of inactivity. (This was a common solution to "saving state" in older video games without persistent memory. It wasn't "too complicated" either. People used it, if they wanted to get back to that difficult boss level.)
A login is a continuation, or a state/session key. So is a link/URI. There's no need for a mandatory "account" just to be able to pick up where you left off, even if it's to continue checking your email. (Though one could opt-in to further "protect" pages with passwords, biometrics, non-invasive mucus swab samples, and so on...)
Just put auth info in a cookie, and let the user associate it with an e-mail address later, once he actually knows he will keep using the service.
I believe "I can't be arsed to register" is one of the top reasons websites lose prospective users.