Email address is the backbone of web identity. Nearly every registration system uses it. If you're having trouble with it, maybe, just maybe, it's on your end?
Isn't that his point? Email address is a backbone of web identity simply because we don't have anything better. Maybe we should finally get around to figuring out something better?
It's a hard problem because anything real world like an identifying number is flawed for anonymity. There needs to be a unique identifier for a web entity.
It's always annoyed me that solutions like persona etc are approaching this by simply replacing email, when shouldn't they be abstracting my online identity? I hold several "personas" throughout various sites, email addresses, and applications. However, I don't want a product that simply merges them, I want a product that is more of a "meta-persona", that lets me easily track, manage, and expand them.
Sounds like it already does kind of do that. From StavrosK above:
"It maps multiple emails to the same identity, in that you use the same password to log in with all of them. The end site gets the email you log in to the site with (I can log in to Persona with email A but let all sites know email B every time)."
So based on that, if you want to expose three different identities to 3 different sites, you can set up Persona to do that automatically, without having to remember the separate emails and passwords you used for each one. I guess the only problem would be if you needed multiple separate logins to the same site, but unless it's your own site, presumably that should be rare.
If you honestly believe that, I would claim that you either have no customers or that your customers reside in a very limited sub-section of people.
People do not believe that their email and identity is in any way linked. You and I might believe that, but don't count on your customers sharing your beliefs.
> People do not believe that their email and identity is in any way linked
I think that you might have to explain that a bit.
I think that others try to argue that people use email at least as temporary identity, in the sense that at time t, they identify themselves with at least one of their email addresses. In practice this is enough for many web sites to use the email address as login. Perhaps you are talking about some longer sort of permanence, or uniqueness?
You'll note that both Facebook and Google provide ways to hook up multiple emails to the same account, and multiple recovery accounts. Why do this if nobody uses it?
(Damn, I had wanted to post this yesterday, but then I forgot to quite finish it and it ended up sitting in a tab, unsent.)
Yes, it does: it means that you cannot count on it as a canonical form of identity for any long period of time, as people expect to be able to change it; in fact, many people go through "the great purge" every couple years, deleting their e-mail address and selecting a new one, in order to purposely reboot the people who have their address: to them, it is a way to purposely restart their identity.
You thereby have to think of e-mail addresses as more akin to your home address. If you ask me to log in with my home address, yes, that works: it doesn't work for everyone, as not everyone in the world has a home address, but the same thing can be said for e-mail addresses. Sometimes people will share a home address, but surprise surprise: sometimes people share e-mail addresses as well.
When I am asked to log in to that form with my home address, and it works, you now might claim I've accepted it as part of my identity. Well, I haven't: I'm going to change my home address at some point, and someone else is then going to start living here, which is exactly what happens to many people who use ISP- or university-provided e-mail. Hell, it also happens to people with vanity e-mail addresses if they let their domain registration expire (as happened to one of my friends, who otherwise was using the same e-mail address for a very very long period of time).
Yes: it works temporarily, but it isn't my identity, and eventually it will fail, and unless you are really really weird (like, you are the kind of technology person who would probably consider it digital suicide to allow their domain name to expire, and has had the same e-mail address now for well over a decade), it will fail sooner than later, and may even fail on purpose when users invalidate it.
How are usernames any different? You're saying identity is transient. This is true of every sort of identity except perhaps your soul. Regardless email addresses are more stable and unique than usernames. In fact they are just a username plus a domain that happens to have the ability to be routed messages in a standard way.
Of course you should be able to change the email on an account. Usernames can also be changed and are far from canonical. Your point about emails is not invalid, it's just not addressed by usernames, and usernames are actually inferior in that respect.
So, I did not use the word "username" in that comment you are replying to. I thereby will assume you mean "stable and opaque identifier assigned and chosen by the authentication provider", which is what I would argue for (as opposed to attempting to rely on an e-mail address as a stable identifier).
I did use the word "username" in a response to someone else, but that was a very different (and much more abrasive :() argument path.
> Regardless email addresses are more stable and unique than usernames.
E-mail addresses are not more stable than usernames, because e-mail addresses have an external purpose: they receive e-mail. Many people actively go and change their email addresses periodically in order to stop receiving e-mail from people they previously were receiving e-mails from.
A "username" (your word here), especially (and maybe specifically) the "good" kind that is never shown to another user and is just used for account canonicalization, which conceptually could be a random number assigned by the system, is something that the user has no reason to change unless they actually want to never log in to the account again.
E-mail addresses also are tied to the DNS system, which other forms of identification need not be: you can instead tie them to a private key kept by the authentication provider. That would make "me" be A@B where A is a number and B is a key pair. In this way, even if the way you continue to contact my authentication provider lapses (such as attempting to use a hostname) only if the new owner has the same key are they able to claim the identities there (unlike e-mail) and as the user specifier is opaque (not a string that I'm going to care about and want to make pretty, or something I'd ever want to change unless I actively want to lose access to my account) it will not run afoul of the problem with e-mail where people feel compelled to reuse them after some time of abandonment.
The problem then with Persona is that it is the websites consuming it who have the onerous job of dealing with every possible e-mail address change a user may request. With more classic attempts at federated login, users may end up with multiple authentication providers that can become somewhat confusing, but they demand to change authentication providers and especially lose access entirely to authentication providers sufficiently rarely that it is a non-issue to handle the support load of helping users remap their accounts (something that is difficult to automate, of course, in the case where the user already lost access to their old identity). With Persona, this is now something that the user has to do when they change e-mail addresses at every site they may ever have logged in to using their account, ever. :(
Say what? My email addresses are linked to my identity because they are my email addresses. Most of them even have my name on them. Sure, I have several of them, and one of them disappeared when I graduated from college, so the mapping isn't perfect -- but they are nevertheless mine.
The main exceptions to this are:
1. People who share an email address for convenience, like my grandparents.
2. Group-facade email addresses, like support@whatever.com, which may be routed to several people.
3. Email addresses that don't belong to anyone, like "noreply@whatever.com", or "autogenerated-4b243efa37e5b013a1d90b694c3bcaa3@hell.com"
Nope, like all other large providers (Facebook, Google, etc.) Amazon allows users to use e-mail addresses to log in, but they are not canonical stores of identity. In fact, Amazon is the most humorous example you could have pulled, because Amazon actually allows multiple accounts with the same e-mail address, and uses the password to differentiate (which is pretty much what jointb86 said, but I doubt if you knew this is the case that his comment was clear).
"Why Does Amazon.com Allow Multiple Accounts With the Same Email Address?"
"Note: If you change the e-mail address on your account to an e-mail address that is already associated with another Amazon account, we will ask that you first verify your e-mail address."
I have had the same email address for 18 years, but I'm a dying breed. Most people I know change email address pretty regularly - as in more than once a year.
Seriously, most people you know change their email address more than once per year? Honestly, MOST of the people you know do that? I highly doubt that.
- Many people never abandon their primary identity email.
- But many other people often abandon their email identity.
- You don't want to use a social network as the gatekeeper to *your* site.
- You don't want to have human support for password resets.
Sekrit questions/answers along the lines of your first car's maiden name? Those can be forgotten just as easily as usernames for login.
Sure, but the Facebook login is just "any e-mail address"; it doesn't really mean something for your account. You can add more e-mail addresses to your account, and all of them are allowed to be used to log in; the same, incidentally, is true of Google accounts.
Not once a year, but here in New Zealand for most people the email address is provided by the ISP.
When they change their ISP, they typically get a new email address.
Most people I know have changed their ISP a couple of times.
Surely most people in that kind of situation would move to gmail/hotmail/yahoo or similar, though? I'm sure my ISP offers me a free email, but I can't say I've ever used it (or even asked after it...)
Users using cloud e-mail addresses have addresses that are slightly more stable, but eventually they decide that @hotmail.com looks better than @aol.com, that @yahoo.com looks much better than @hotmail.com, and eventually that @gmail.com looks better than @yahoo.com. When they do this, they change their e-mail addresses, and often just derelict the old one so they don't have to think about it anymore.
Also, to the extent to which this becomes important, it only becomes important too late, as in after you've already used an address or two. I have had the same address now since 1997 when I registered saurik.com, but I did that because I had in the two years prior "learned the hard lesson" that my ISP-provided e-mail address was doomed to be something I'd end up having to move off of, potentially fairly often.
> Email address is the backbone of web identity. Nearly every registration system uses it.
"Everyone else is doing it that way" isn't a reason to do it that way, especially for a product, like Persona, that is supposedly about fixing what is wrong in what everyone else is doing.
Except that:
1. Email actually works quite well as an individual identifier. At any given time, an email account is probably linked to only one person.
2. No alternative exists, in real world use, that really looks better
> Except that: 1. Email actually works quite well as an individual identifier.
No, it doesn't.
> At any given time, an email account is probably linked to only one person.
Lots of people have shared email accounts. And even without that the "at any one time" is one reason why it doesn't work as an individual identifier, it's not stable. (Since cell phones and number portability have become ubiquitous, phone numbers are probably better than email addresses at this, but share the same sorts of problems.)
> 2. No alternative exists, in real world use, that really looks better
Sure alternatives exist. While it's often important to have a contact email address connected to an identity, there is no reason to have an externally-meaningful value that is inextricably tied to the online identity, particularly if that value doesn't have an intrinsic, unique, and stable link to a particular person.
You're justifying choosing a bad natural key with the argument that it's the least-bad natural key, when not only is the proposition that the proposed key is the least-bad natural key somewhat dubious, more importantly, the use case calls for a key, but there is no reason for it to be a natural key.
«You're justifying choosing a bad natural key with the argument that it's the least-bad natural key, when not only is the proposition that the proposed key is the least-bad natural key somewhat dubious, more importantly, the use case calls for a key, but there is no reason for it to be a natural key.»
Of course it has to be a natural key! Are you expecting that users will learn your theoretically perfect surrogate key? Do you understand that you will be competing for space in people's brain? For what reason? Because shared email accounts break the many to one relationship on mail <-> person?
> Of course it has to be a natural key! Are you expecting that users will learn your theoretically perfect surrogate key?
I'm not sure why users should ever need to know the key.
> Because shared email accounts break the many to one relationship on mail <-> person?
No, I probably wouldn't even bother with addressing the problem of shared email accounts (which would require some discriminator), but with one person having multiple email accounts and email accounts changing over time. These things indicate that accounts should have transitory, one-to-many relationships to email addresses, rather than email addresses serving as a key.
«These things indicate that accounts should have transitory, one-to-many relationships to email addresses, rather than email addresses serving as a key.»
The only requirement for the email to be a key to the account is the association of one email to one person. A person can have more than one email, at different times or at the same time. The only thing that can't happen is one email mapping to two individuals. Full circle: the majority of emails do map to one individual and the cases where they do not map, are not enough to preclude the use of emails as keys.
Perhaps the confusion occurs because you think I'm defending email as a primary key for the account. I'm not. It's one key, not the primary key.
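The data model argued over in the last few comments (an opaque account key with a transitory one-to-many relationship to email addresses, where one address never maps to two accounts at once), sketched as an added example that is not from any commenter or from Persona. The schema, function names and `.example` addresses are assumptions made for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE account (id INTEGER PRIMARY KEY);  -- opaque surrogate key
CREATE TABLE account_email (
    account_id INTEGER NOT NULL REFERENCES account(id),
    email      TEXT    NOT NULL,
    released   INTEGER NOT NULL DEFAULT 0       -- 1 = owner gave the address up
);
-- One address maps to at most one account at a time; old rows stay as history.
CREATE UNIQUE INDEX live_email ON account_email(email) WHERE released = 0;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def norm(email):
    return email.strip().lower()  # simplified normalisation (assumption)

def add_email(db, account_id, email):
    """Attach a login address; IntegrityError if it is live on any account."""
    db.execute("INSERT INTO account_email (account_id, email) VALUES (?, ?)",
               (account_id, norm(email)))

def create_account(db, email):
    with db:  # roll back the account row if the address is already taken
        account_id = db.execute("INSERT INTO account DEFAULT VALUES").lastrowid
        add_email(db, account_id, email)
    return account_id

def release_email(db, account_id, email):
    with db:
        db.execute("UPDATE account_email SET released = 1 "
                   "WHERE account_id = ? AND email = ? AND released = 0",
                   (account_id, norm(email)))

def resolve(db, email):
    """Login lookup: live address -> account id, or None."""
    row = db.execute("SELECT account_id FROM account_email "
                     "WHERE email = ? AND released = 0", (norm(email),)).fetchone()
    return row[0] if row else None

def demo():
    db = open_db()
    alice = create_account(db, "alice@isp.example")     # constructed addresses
    add_email(db, alice, "alice@mail.example")          # second login address
    release_email(db, alice, "alice@isp.example")       # she changes ISP
    newcomer = create_account(db, "alice@isp.example")  # ISP reissues the address
    return (alice, newcomer,
            resolve(db, "alice@isp.example"), resolve(db, "alice@mail.example"))
```

The reissued ISP address resolves to the newcomer's account, while Alice's account id is unchanged and still reachable through her other address.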