
Being able to confirm your email without waiting for a verification email would be a major improvement to many registration processes. In theory this could be done using a technique based on OAuth, OpenID or similar. Of course, both the site and the email provider would need to support this, in a compatible way.

This leads me to wonder: Have there been any proposals to do this?

Edit: OAuth has similar functionality, in that the email can be auto-filled. However, this does not verify the email. If the OAuth provider on foo.com says a user's email is user@bar.com then we have to either trust the provider, or re-verify. However, the OAuth provider on foo.com can confirm an email address like user@foo.com.

paj28
  • I don't know about "proposals", though. When I sign up for OAuth, the service grabs my email automatically. Do you mean verifying emails *without* signing up for OAuth authentication? So, I'd simply say "OAuth". – schroeder Jan 29 '18 at 20:43
  • @schroeder - It's close, but usually that doesn't verify your email. The site provider needs to trust the OAuth provider, which may or may not suit their needs. (I think OpenID Connect even has an "email verified" field, but that's still not quite the same) – paj28 Jan 29 '18 at 20:46
  • 4
    Many do already: Google accounts, Passport/Live/Outlook, etc. are providers – dandavis Jan 29 '18 at 20:47
  • @dandavis - Thanks. If you have time to expand that to an answer I would appreciate it. One consideration: if a user registers on my site using a Google ID - how do I know if their email is one that Google can attest for? – paj28 Jan 29 '18 at 20:51
  • 1
    @paj28 They would be redirected to the Google consent screen saying "this app wants access to your Google account" along with the details what information the app wants to read (email address). Once they confirm, your app knows the account is legitimate. – Arminius Jan 29 '18 at 20:55
  • @Arminius - Depends on your definition of legitimate. While I would trust Google to attest, you're not going to trust every ID provider, especially not with dynamic client registration - where anyone can be an ID provider. – paj28 Jan 29 '18 at 20:59
  • 3
    I'm not sure I understand the question; Google will give you an email that works; how often it's used is unknowable. You can allow only certain providers, whatever you feel is trustworthy. – dandavis Jan 30 '18 at 08:08
  • @dandavis - If an OAuth endpoint on foo.com says a user's email is user@foo.com then that is inherently trustworthy. If foo.com says it's user@bar.com we now have to trust foo.com to honestly report that. – paj28 Jan 30 '18 at 08:16
  • 1
    As other comments above - you need to define "verified". Even clicking a link in an email is not always enough for verification. One can use services like https://temp-mail.org/en/. Any OAuth provider means you are delegating trust to someone else. It's your decision who you want to trust. – Yehuda Mar 25 '18 at 13:10
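The trust rule the question's edit and the comments converge on (a provider can attest directly for addresses at the domains whose mailboxes it operates; for any other domain the site has to decide whether to trust that provider, and OpenID Connect's `email_verified` claim is only what the provider reports), as an added Python example that is not part of the original question or comments. The `Provider` class, the provider names, the domain lists and the sample claim sets are all constructed for illustration; the only real identifiers used are the OIDC claim names `email` and `email_verified`.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Provider:
    """An identity provider the site has registered with (constructed type, not a library API)."""
    name: str
    # Domains whose mailboxes this provider operates. It can attest directly
    # for addresses there (the foo.com provider for user@foo.com).
    authoritative_domains: frozenset
    # Site policy: do we trust this provider's claims about *other* domains?
    # This is the "who do you want to trust" decision from the comments.
    trusted_for_foreign_domains: bool = False


def email_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def is_verified_email(provider: Provider, claims: dict) -> Tuple[bool, str]:
    """Decide whether an email claim can be accepted without sending a verification mail.

    `claims` is the decoded ID token / userinfo payload (OIDC names the
    fields `email` and `email_verified`). Returns (accepted, reason).
    """
    address = claims.get("email")
    if not isinstance(address, str):
        return False, "no email claim; fall back to verification e-mail"
    domain = email_domain(address)
    if domain is None:
        return False, "malformed email claim; fall back to verification e-mail"

    # email_verified is optional in OIDC; anything but a literal true counts as unverified.
    email_verified = claims.get("email_verified")

    if domain in provider.authoritative_domains:
        # The provider runs the mailboxes at this domain, so its assertion is
        # inherently trustworthy, unless it explicitly says the address is unverified.
        if email_verified is False:
            return False, f"{provider.name} is authoritative for {domain} but reports email_verified=false"
        return True, f"{provider.name} operates mailboxes at {domain}"

    if provider.trusted_for_foreign_domains and email_verified is True:
        # The provider is only relaying a claim about someone else's domain;
        # accept it solely because the site chose to trust this provider for that.
        return True, f"site trusts {provider.name} to attest for foreign domain {domain}"

    return False, f"{provider.name} is not authoritative for {domain}; fall back to verification e-mail"


# Constructed sample providers: foo.com runs its own IdP; "bigidp" stands in for a
# provider the site has decided to trust for any domain (the role Google plays in
# the comments); "anyidp" is a dynamically registered provider nobody vouched for.
FOO = Provider("foo.com IdP", frozenset({"foo.com"}))
BIGIDP = Provider("bigidp", frozenset({"bigidp.example"}), trusted_for_foreign_domains=True)
ANYIDP = Provider("anyidp", frozenset({"anyidp.example"}))


def sample_decisions() -> dict:
    """Run the rule over constructed claim sets; keys name the scenario."""
    return {
        "own_domain": is_verified_email(FOO, {"email": "user@foo.com", "email_verified": True})[0],
        "own_domain_no_flag": is_verified_email(FOO, {"email": "user@FOO.com"})[0],
        "foreign_untrusted": is_verified_email(FOO, {"email": "user@bar.com", "email_verified": True})[0],
        "foreign_trusted": is_verified_email(BIGIDP, {"email": "user@bar.com", "email_verified": True})[0],
        "foreign_trusted_unverified": is_verified_email(BIGIDP, {"email": "user@bar.com"})[0],
        "foreign_trusted_string_flag": is_verified_email(BIGIDP, {"email": "user@bar.com", "email_verified": "true"})[0],
        "dynamic_client": is_verified_email(ANYIDP, {"email": "user@bar.com", "email_verified": True})[0],
        "malformed": is_verified_email(FOO, {"email": "not-an-address"})[0],
    }


if __name__ == "__main__":
    for scenario, accepted in sample_decisions().items():
        print(f"{scenario:30s} {'accept' if accepted else 'send verification e-mail'}")
```

The point of the `email_verified is True` comparison is that a relying party should not accept a string `"true"` or a missing claim as verified; a provider that never sets the claim, or a dynamically registered provider the site has not chosen to trust, gets the ordinary verification e-mail instead.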

1 Answer

2

BrowserID is a mechanism that allows websites to confirm the e-mail address of a user without each website needing to send an e-mail. Mozilla Persona added the ability to do so in a less centralized way that enhances privacy somewhat; however, it did still require central servers that Mozilla no longer provides.

Alternatively, an X.509 client certificate that includes the e-mail address would work, although it raises the bar somewhat as regards ease of use.

William Hay