Email – Identity Management Gone Awry

Yahoo has started a program where users may request to have existing account and email names transferred to them. If a requested account has not been in use for an extended period of time, Yahoo will transfer this account to the requestor and they can use it going forward. From Yahoo’s perspective this is completely understandable: the existing namespace under the has been used for more than a decade, and it is practically impossible to get a halfway decent email address since they have been used up a long time ago.

From a user’s perspective this is not so great: if you have used your email in the past for sensitive services (such as banking, shopping, or access to your health information) loosing access to the account that controls all could mean a world of hassle, potential loss of sensitive information, and ultimately personal harm. This is rooted in the fact that service providers have encouraged (and in many cases forced) users to use their email address as identifier (i.e. username) when signing up to a new service.

The argument that re-purposing the username as global identifier was a bad choice definitively has merits: ultimately, as a service provider you outsource at least components of your identification process to an external entity over which you (the service provider) have no control over. ‘Bad practice’ doesn’t even start to describe this. On the other hand, we have seen many other identity systems epicly fail: either there was no acceptance in the user base, with the service providers, or – most commonly – in both groups. The reasons are as diverse as the proposed identity management systems: ease-of-use, technical complexity, cost, and other factors have all contributed to the situation.

So where are we and how do we get out of this mess? In today’s world, the ability to proof ownership of an email address is a core pillar of identity proofing on the internet. The vast majority of providers allow password resets through email, often without any further proofing. Unilaterally changing the expectation of continued ownership by Yahoo is bound to cause a lot of problems for Yahoo, the service providers, and ultimately the end-users. While Yahoo has (inadvertently?) pointed the finger to the obvious gaping hole in our identification regime, their move will make me (as a blog owner, service provider, or web site operator) to have doubts about accepting their users in the future. Minimally, I will have to either (i) make significant investments into e.g. knowledge-based secondary authentication with limited expectation of success, or (ii) take the risk of allowing access to sensitive or personal information to people who should not have it. Either way, I – along with my users – will be paying for Yahoo’s move to refresh their pool of available usernames. Great.

Time will tell if this approach will be accepted by the internet eco-system and the courts, but I have serious reservations. The “Require-Recipient-Valid-Since” approach may mitigate some of the impact of this debacle, but broad adoption (never mind full standardization) may take years, leaving a gaping hole in the email security for the future. What annoys me most is the unilateral approach in changing the terms of use after training users for years to rely on email security for identification. That is simply put a colossal breach in trust into the integrity of the email provider. Maybe the comparison is slightly hyperbolic, but in a way Yahoo and Mailinator are now in the same bucket.

Leave a Reply

Your email address will not be published. Required fields are marked *