If you honestly believe that, I would claim that you either have no customers or that your customers reside in a very limited sub-section of people.
People do not believe that their email and identity are in any way linked. You and I might believe that, but don't count on your customers sharing your beliefs.
> People do not believe that their email and identity are in any way linked
I think that you might have to explain that a bit.
I think that others try to argue that people use email at least as a temporary identity, in the sense that at time t, they identify themselves with at least one of their email addresses. In practice this is enough for many web sites to use the email address as login. Perhaps you are talking about some longer sort of permanence, or uniqueness?
You'll note that both Facebook and Google provide ways to hook up multiple emails to the same account, and multiple recovery accounts. Why do this if nobody uses it?
(Damn, I had wanted to post this yesterday, but then I forgot to quite finish it and it ended up sitting in a tab, unsent.)
Yes, it does: it means that you cannot count on it as a canonical form of identity for any long period of time, as people expect to be able to change it; in fact, many people go through "the great purge" every couple years, deleting their e-mail address and selecting a new one, in order to purposely reboot the people who have their address: to them, it is a way to purposely restart their identity.
You thereby have to think of e-mail addresses as more akin to your home address. If you ask me to log in with my home address, yes, that works: it doesn't work for everyone, as not everyone in the world has a home address, but the same thing can be said for e-mail addresses. Sometimes people will share a home address, but surprise surprise: sometimes people share e-mail addresses as well.
When I am asked to log in to that form with my home address, and it works, you now might claim I've accepted it as part of my identity. Well, I haven't: I'm going to change my home address at some point, and someone else is then going to start living here, which is exactly what happens to many people who use ISP- or university-provided e-mail. Hell, it also happens to people with vanity e-mail addresses if they let their domain registration expire (as happened to one of my friends, who otherwise was using the same e-mail address for a very very long period of time).
Yes: it works temporarily, but it isn't my identity, and eventually it will fail, and unless you are really really weird (like, you are the kind of technology person who would probably consider it digital suicide to allow their domain name to expire, and has had the same e-mail address now for well over a decade), it will fail sooner than later, and may even fail on purpose when users invalidate it.
How are usernames any different? You're saying identity is transient. This is true of every sort of identity except perhaps your soul. Regardless, email addresses are more stable and unique than usernames. In fact they are just a username plus a domain that happens to have the ability to be routed messages in a standard way.
Of course you should be able to change the email on an account. Usernames can also be changed and are far from canonical. Your point about emails is not invalid, it's just not addressed by usernames, and usernames are actually inferior in that respect.
So, I did not use the word "username" in that comment you are replying to. I thereby will assume you mean "stable and opaque identifier assigned and chosen by the authentication provider", which is what I would argue for (as opposed to attempting to rely on an e-mail address as a stable identifier).
I did use the word "username" in a response to someone else, but that was a very different (and much more abrasive :() argument path.
> Regardless, email addresses are more stable and unique than usernames.
E-mail addresses are not more stable than usernames, because e-mail addresses have an external purpose: they receive e-mail. Many people actively go and change their email addresses periodically in order to stop receiving e-mail from people they previously were receiving e-mails from.
A "username" (your word here), especially (and maybe specifically) the "good" kind that is never shown to another user and is just used for account canonicalization, which conceptually could be a random number assigned by the system, is something that the user has no reason to change unless they actually want to never log in to the account again.
E-mail addresses also are tied to the DNS system, which other forms of identification need not be: you can instead tie them to a private key kept by the authentication provider. That would make "me" be A@B where A is a number and B is a key pair. In this way, even if the way you continue to contact my authentication provider lapses (such as attempting to use a hostname), only if the new owner has the same key are they able to claim the identities there (unlike e-mail), and as the user specifier is opaque (not a string that I'm going to care about and want to make pretty, or something I'd ever want to change unless I actively want to lose access to my account), it will not run afoul of the problem with e-mail where people feel compelled to reuse them after some time of abandonment.
The problem then with Persona is that it is the websites consuming it who have the onerous job of dealing with every possible e-mail address change a user may request. With more classic attempts at federated login, users may end up with multiple authentication providers that can become somewhat confusing, but they demand to change authentication providers and especially lose access entirely to authentication providers sufficiently rarely that it is a non-issue to handle the support load of helping users remap their accounts (something that is difficult to automate, of course, in the case where the user already lost access to their old identity). With Persona, this is now something that the user has to do when they change e-mail addresses at every site they may ever have logged in to using their account, ever. :(
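The A@B scheme argued for in the comment above, set beside an e-mail-keyed account table, as an added example that is not part of any commenter's post. The class names, the sample key bytes and addresses are constructed, and signature verification of the assertion is assumed to have happened before `login` is called.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Assertion:
    """Login assertion; its signature is assumed to be verified upstream."""
    provider_pubkey: bytes  # "B": the provider's public key (constructed bytes here)
    subject: int            # "A": opaque number assigned by the provider
    email: str              # contact address; can change or be reassigned

class EmailKeyedStore:
    """Relying party that treats the e-mail address as the account key."""
    def __init__(self):
        self.accounts, self.next_id = {}, 1
    def login(self, a):
        key = a.email.lower()
        if key not in self.accounts:
            self.accounts[key] = self.next_id
            self.next_id += 1
        return self.accounts[key]

class OpaqueKeyedStore:
    """Relying party keyed on (provider key fingerprint, subject)."""
    def __init__(self):
        self.accounts, self.emails, self.next_id = {}, {}, 1
    def login(self, a):
        key = (hashlib.sha256(a.provider_pubkey).hexdigest(), a.subject)
        if key not in self.accounts:
            self.accounts[key] = self.next_id
            self.next_id += 1
        # E-mail is only a mutable attribute, refreshed on every login.
        self.emails[self.accounts[key]] = a.email
        return self.accounts[key]

def demo():
    old_key, new_key = b"constructed-provider-key-1", b"constructed-provider-key-2"
    original = Assertion(old_key, 1001, "alice@example.org")
    renamed = Assertion(old_key, 1001, "alice.new@example.net")  # same person, new address
    reassigned = Assertion(new_key, 1001, "alice@example.org")   # address now held by someone else
    results = {}
    for name, store in (("email", EmailKeyedStore()), ("opaque", OpaqueKeyedStore())):
        first = store.login(original)
        results[name] = {
            "survives_email_change": store.login(renamed) == first,
            "reassigned_address_gets_account": store.login(reassigned) == first,
        }
    return results

if __name__ == "__main__":
    print(demo())
```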
Say what? My email addresses are linked to my identity because they are my email addresses. Most of them even have my name on them. Sure, I have several of them, and one of them disappeared when I graduated from college, so the mapping isn't perfect -- but they are nevertheless mine.
The main exceptions to this are:
1. People who share an email address for convenience, like my grandparents.
2. Group-facade email addresses, like support@whatever.com, which may be routed to several people.
3. Email addresses that don't belong to anyone, like "noreply@whatever.com", or "autogenerated-4b243efa37e5b013a1d90b694c3bcaa3@hell.com"
Nope, like all other large providers (Facebook, Google, etc.) Amazon allows users to use e-mail addresses to log in, but they are not canonical stores of identity. In fact, Amazon is the most humorous example you could have pulled, because Amazon actually allows multiple accounts with the same e-mail address, and uses the password to differentiate (which is pretty much what jointb86 said, but I doubt if you knew this is the case that his comment was clear).
"Why Does Amazon.com Allow Multiple Accounts With the Same Email Address?"
"Note: If you change the e-mail address on your account to an e-mail address that is already associated with another Amazon account, we will ask that you first verify your e-mail address."