Jason Kolb thinks e-mail addresses are all we need for single-sign-on


He writes:

Why can’t sign-on work like this?

  1. The user goes to the site’s URL (www.buycrap.com)
  2. Before they can buy something, the user has to enter their email username and password (Jason@jasonkolb.com and test123)
  3. www.buystuff.com looks up the email server for jasonkolb.com from the domain registrar (using the domain’s MX record). We now have a server that can authoritatively identify the user.
  4. www.buystuff.com sends the email server the email address and password that it was given. If it’s able to authenticate, the user can be positively identified as Jason@jasonkolb.com without the need for any further logins and passwords (and without even needing to STORE a password, of any kind!).

Wow. In this proposal, it only takes one single corrupt employee, or a single security breach at any one of the hundreds of sites he might want to authenticate with over a few years, to allow that single employee (and the crooks behind him — there are markets for stolen identities!) to impersonate him all across the web.
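To make that objection concrete, here is an added toy model of the four steps quoted above (it is not from the original post and not Jason Kolb's code): DNS, the mail server and the two relying parties are constructed in-memory stand-ins, and the names "www.buystuff.com" and "bank.example" are just labels.

```python
# Toy model of the e-mail-address sign-on proposal quoted above. Everything
# is a constructed in-memory stand-in: no real DNS, SMTP or IMAP is used.
import hashlib
import os

class MailServer:
    """Stand-in for the user's mail host: stores a salted hash, checks a password."""
    def __init__(self):
        self._users = {}

    def add_user(self, email, password):
        salt = os.urandom(16)
        self._users[email] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def authenticate(self, email, password):
        rec = self._users.get(email)
        if rec is None:
            return False
        salt, digest = rec
        return hashlib.sha256(salt + password.encode()).digest() == digest

# Constructed stand-ins for step 3 of the proposal (MX lookup for the domain).
MX_RECORDS = {"jasonkolb.com": "mail.jasonkolb.com"}
MAIL_SERVERS = {}  # MX hostname -> MailServer

class RelyingParty:
    """A web site doing steps 2 and 4: it takes the user's e-mail password
    and forwards it to the mail server named by the MX record."""
    def __init__(self, name):
        self.name = name
        self.seen = []  # every relying party holds the plaintext credential

    def login(self, email, password):
        self.seen.append((email, password))  # this is what a breach exposes
        domain = email.split("@", 1)[1]
        return MAIL_SERVERS[MX_RECORDS[domain]].authenticate(email, password)

def demo():
    mx = MailServer()
    mx.add_user("Jason@jasonkolb.com", "test123")
    MAIL_SERVERS["mail.jasonkolb.com"] = mx
    shop, bank = RelyingParty("www.buystuff.com"), RelyingParty("bank.example")
    results = {"shop_login": shop.login("Jason@jasonkolb.com", "test123"),
               "wrong_password": shop.login("Jason@jasonkolb.com", "nope")}
    # A breach at the shop hands over the credential, and every other relying
    # party accepts it verbatim: the attacker is now Jason everywhere.
    leaked_email, leaked_password = shop.seen[0]
    results["bank_login_with_leaked"] = bank.login(leaked_email, leaked_password)
    return results
```

The mail server itself never stores the plaintext, yet every site the user logs in to does see it, which is the whole problem.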

His workaround — asking for browser extensions that intercept the username (here: e-mail address) and password, hash them, and then forward them in hashed form to the authenticating e-mail host — won’t fly either: how many sites today use HTTP Auth and the built-in browser support compared to their own HTML login form? I can’t think of a single site with mass appeal that does that … whatever their reasons, those reasons will apply just the same to his proposal. And then there is the major issue that every existing e-mail server would have to be upgraded.

Also, I’d wonder how many people would be happy to give out their e-mail address to every site at which they authenticate. I certainly wouldn’t …

While using identifiers that we have already — e-mail addresses — has a certain appeal over having to introduce new identifiers, like Yadis URLs (at least for those people who don’t have any home page yet), so far I haven’t seen a proposal for a viable internet-scale authentication system built from e-mail addresses.