Email addresses are not good 'permanent' identifiers for accounts

buro9
243 replies
2d3h

There is no good identity.

Emails change, people lose access to old emails.

People dislike usernames; they want to be able to choose non-unique ones rather than end up with user53267 or something inane.

People lose devices, just storing a secret UUID in their cookie, or using a passkey from their device isn't going to work.

There is no ideal solution except to blend a variety of things together: for some people email is pretty stable for a long time and they like it as the identity, for others their usernames are stable and they prefer that as the identity... though I know of no-one that has had the same primary device for more than years (not decades), so perhaps that one will never work.

I do think this is important though, where it comes up a lot is a work email account, a first.last@company.com, and how all of the vendor software utilises "Sign in with Google", and it's the email address they then store in the vendor app as the identifier...

People get married, people get divorced, people transition, people move culture and choose new names... names change, and so do email addresses.

Perhaps OIDC and the like need a new extension: a standard API to change a username, and a standard API to change an email address.
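The "Sign in with Google" pattern described above, as an added example that is not code from the thread: a vendor app that keys accounts on the email claim versus one that keys them on the OIDC (iss, sub) pair and treats email as a mutable attribute. The issuer URL and the ID-token claims are constructed sample values.

```python
"""Account identity keyed on the OIDC (iss, sub) pair instead of the email.

Two login strategies are run through two scenarios from the thread:
  1. the user's email address is renamed at the identity provider;
  2. a departed employee's address is reassigned to a new hire.
Keying on email either duplicates the account (1) or hands the old
account to the new hire (2). Keying on (iss, sub) survives both.
"""
from dataclasses import dataclass, field
import uuid

ISS = "https://idp.example.test"  # constructed issuer, not a real IdP


@dataclass
class Account:
    account_id: str                                    # stable internal id: the real identity
    email: str                                         # contact attribute, expected to change
    federated_ids: set = field(default_factory=set)    # {(iss, sub), ...} linked logins


class AccountStore:
    def __init__(self):
        self.accounts = {}      # account_id -> Account
        self.by_subject = {}    # (iss, sub) -> account_id
        self.by_email = {}      # email -> account_id, a lookup index, never the identity

    def _create(self, claims):
        acct = Account(account_id=str(uuid.uuid4()), email=claims["email"])
        acct.federated_ids.add((claims["iss"], claims["sub"]))
        self.accounts[acct.account_id] = acct
        self.by_subject[(claims["iss"], claims["sub"])] = acct.account_id
        self.by_email[claims["email"]] = acct.account_id
        return acct

    def login_by_email(self, claims):
        """Fragile pattern from the thread: the email address *is* the identifier."""
        acct_id = self.by_email.get(claims["email"])
        return self.accounts[acct_id] if acct_id else self._create(claims)

    def login_by_subject(self, claims):
        """Robust pattern: identity is (iss, sub); a changed email just updates the attribute."""
        if not claims.get("email_verified", False):
            raise ValueError("refusing to use an unverified email claim")
        key = (claims["iss"], claims["sub"])
        acct_id = self.by_subject.get(key)
        if acct_id is None:
            # Never auto-link an unknown subject to an existing account on email match:
            # a reassigned address would inherit the previous holder's account.
            return self._create(claims)
        acct = self.accounts[acct_id]
        if acct.email != claims["email"]:
            # Address renamed at the IdP: repoint the lookup index, keep the account.
            if self.by_email.get(acct.email) == acct_id:
                del self.by_email[acct.email]
            acct.email = claims["email"]
            self.by_email[claims["email"]] = acct_id
        return acct


def _claims(sub, email):
    # Constructed ID-token claims; a real token would also carry aud, exp, etc.
    return {"iss": ISS, "sub": sub, "email": email, "email_verified": True}


def renamed_address_scenario(strategy):
    """Same subject logs in twice, with a renamed email the second time.
    Returns (number of accounts, email now stored on the first account)."""
    store = AccountStore()
    login = getattr(store, strategy)
    first = login(_claims("sub-alice-001", "first.last@company.example"))
    login(_claims("sub-alice-001", "new.name@company.example"))
    return len(store.accounts), first.email


def reassigned_address_scenario(strategy):
    """Alice leaves; the company gives first.last@ to new hire Bob (different subject).
    Returns True if Bob landed inside Alice's account, i.e. an account takeover."""
    store = AccountStore()
    login = getattr(store, strategy)
    alice = login(_claims("sub-alice-001", "first.last@company.example"))
    bob = login(_claims("sub-bob-002", "first.last@company.example"))
    return alice.account_id == bob.account_id


if __name__ == "__main__":
    for strategy in ("login_by_email", "login_by_subject"):
        print(strategy, renamed_address_scenario(strategy),
              "takeover:", reassigned_address_scenario(strategy))
```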

seydor
47 replies
2d3h

People also have a right to lose everything and start a new life. This is something that people could do just a few decades ago.

popcalc
43 replies
2d2h

Registered sex offenders in many U.S. states lose this right.

https://www.youtube.com/watch?v=eWPtAJS1kro

stevenpetryk
35 replies
2d2h

that makes sense

diggan
33 replies
2d2h

Don't some states have really arbitrary rules for what constitutes "enough" to be called a sex offender? Things like visiting a prostitute, urinating in public, consensual sex between two teenagers and more require you to register as a "sex offender" in some states. Should that suddenly mean you shouldn't be able to start anew online?

philwelch
21 replies
2d2h

Yes. If you don’t think some offenses should be punished with sex offender registration, we can discuss changing those particular statutes, but that’s no reason to allow violent rapists and child molesters to evade registration.

AnthonyMouse
20 replies
1d23h

Eliminating registration requirements so we don't have to institute a tracking system and prevent anyone else from starting over when >99% of the public is not a sex offender is not "evading registration", it's eliminating it.

If someone is still a danger to the public then maybe don't release them from prison.

philwelch
10 replies
1d15h

I would gladly support life sentences or even the death penalty for rapists and child molesters, but unfortunately a lot of people like to complain about “mass incarceration” so most states don’t have the ability to fund the necessary prison facilities. If we’re going to let them out of prison, the least we can do is to try and keep these people away from children.

AnthonyMouse
9 replies
1d8h

"Mass incarceration" is from the war on drugs and general over-criminalization of society. Let out the non-violent drug offenders and there will be plenty of cells for the rapists and pedophiles.

philwelch
8 replies
1d1h

That’s not true. Consider the following graph: https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_pr... (source: https://inquisitivebird.substack.com/p/crime-in-the-usa)

62.5% of sentenced prisoners committed violent crimes, which includes 15% for murder and 15.5% rape and sexual assault. All drug offenses put together make up only 12.6%.

Eisenstein
7 replies
22h34m

Sounds like your stats support the argument that if we let out the drug offenders there will be plenty of space, since it effectively doubles the amount of room currently taken by those convicted of rape and sexual assault.

Also, you haven't considered length of terms.

If 62.5% are serving for violent crimes, they are most likely serving longer sentences than those convicted only of drug offenses. This means over the time of one violent criminal's stay in prison, you have maybe 1.5 or 2 or even 3 or more drug offenders being taken in and released. This doesn't affect the amount of people in prison at one time, but it affects the amount of people who end up going to prison.

philwelch
6 replies
22h21m

By the same token, life sentences for rape are going to take up a lot more prison capacity than you’re accounting for. If you change a rape sentence from ten years to life (and a ten year sentence might mean you get out in six), you could end up 5xing or 10xing the number of prisoner-years the system needs to handle from the same population of offenders.

Also by the same token, you’ve essentially made my case that “mass incarceration” is more a consequence of harsher sentences for serious violent crimes than it is a consequence of drug prohibition. If you favor even harsher sentences for serious violent crimes (I do too) then you need to accept that this will require significantly more prison capacity. Either that or we need to start talking about expanding the death penalty, and expediting the appeals process in capital cases so it can be applied at scale.

Eisenstein
5 replies
22h12m

I think your case is overly simplistic. My response was pointing out that quoting basic statistics is not going to explain anything, and diving beyond the surface will reveal complications. Move on to 'violent crime caused by drug prohibition' to see yet another aspect of this. I am not making any argument beyond this.

philwelch
4 replies
20h39m

It doesn’t really add anything to the discussion to wave your hands around and say “it’s more complicated than that” if you’re not prepared to seriously explore the consequences of the complications you’re bringing up. For instance, you raised the complication that prison term length will have certain effects on the amount of prison capacity required for a class of crime. Fair enough, but once we actually explore that complication in depth, the conclusion is that lengthening prison terms for rape will consume significantly more prison capacity than you can free up by completely eliminating prison terms that are already relatively short. Likewise, unless you have some sort of data-backed argument as to how and why eliminating drug prohibition will change the conclusion that we will need more prison capacity to incarcerate all sex offenders for life, you’re not actually making any useful point.

Eisenstein
3 replies
18h5m

There is no way to have a real discussion about this without actually being informed. Pointing out that your feelings about how rapists should be sentenced should not depend on whether or not drug prohibition is just because of 'room in the prisons' is perfectly valid. Statistics that mean nothing without broader context and analysis are pointless and misleading.

philwelch
2 replies
12h1m

There is no way to have a real discussion about this without actually being informed.

I don’t know about you but I don’t have this problem.

Pointing out that your feelings about how rapists should be sentenced should not depend on whether or not drug prohibition is just because of 'room in the prisons' is perfectly valid.

It’s completely beside the point here. I’m making the argument that if we want to incarcerate rapists for life, we will need the prison capacity to do so. Which means, keeping everything else equal, building more prison capacity and increasing the degree of “mass incarceration” in the country. Something that is a very controversial suggestion to say the least.

AnthonyMouse responded with the claim, “Let out the non-violent drug offenders and there will be plenty of cells for the rapists and pedophiles.” I could have backtracked and tried to make the argument that one has nothing to do with the other. But there was no need because I could, and did, simply refute AnthonyMouse’s claim directly.

Statistics that mean nothing without broader context and analysis are pointless and misleading.

You’re clearly implying this is a mistake that I’ve made. I don’t think that it is. While you’ve pointed out a specific complication that I didn’t explicitly mention (the relationship between length of prison term and share of prison population), this complication doesn’t undermine my point but rather strengthens it. You made a further suggestion that maybe we should consider the violent crime that’s caused by drug prohibition. That would be a fine counterargument for you to make! Bring your own data and analysis and maybe we can both learn something.

The problem is that it’s a lot easier for you to sit there and criticize me for not bringing enough “context and analysis” when you’re not bringing any of your own. If you have a point to make, make it. Don’t complain that my arguments are “simplistic” when you’re just going to make lazy sniping comments and expect me to do the work of making your counterarguments for you.

Eisenstein
1 replies
10h48m

My point is that you have a solution which, correct me if I am wrong, is 'let them out because we can't jail them forever because we don't have room, so then we have to put them on a registry'. You act as if this claim is practical (or even sensical), and then defend it by using statistics. I shouldn't have bothered pointing out your statistics are pointless and should have pointed out that your claim is based on a false premise.

Sex offender recidivism is a complicated topic that is very difficult to study, and 'sex offenses' are not something that are standardized between societies or systems, and acting like your solution is a decent one means that you think that a simple solution can solve a complex problem.

Thus any conversation you are going to have on the topic is going to be fruitless unless you are trying to push an agenda with no regard for a real path forward.

I don’t know about you but I don’t have this problem.

One can be intelligent and intuitive, but without the proper background and without the awareness to know when one is out of one's depth, a lot of damage can be done.

philwelch
0 replies
1h51m

My point is that you have a solution which, correct me if I am wrong, is 'let them out because we can't jail them forever because we don't have room, so then we have to put them on a registry'.

You’re wrong, so let me correct you. As per my previous comments, I’d be perfectly happy executing the lot of them. I don’t think that’s politically feasible, so as a compromise, I would be satisfied building as many prisons as are necessary to incarcerate them for life. But even that is politically infeasible, largely due to widespread misconceptions about the bogeyman of “mass incarceration”—including the misperception that mass incarceration is primarily a consequence of drug prohibition. So now that we’re backed into the corner where rapists and child molesters are eventually released from prison anyway, I much prefer them to be registered as sex offenders than for them not to be registered as sex offenders.

Since Anthony has some sort of problem with sex offender registration and was the one to suggest life imprisonment in the first case, I pointed out that the natural consequence of such a policy would be the expansion of “mass incarceration”. I wanted to see if Anthony was serious enough about life imprisonment to accept the necessary tradeoffs of such a policy. He replied by claiming that mass incarceration is the consequence of drug prohibition and that the required prison capacity could be freed up by releasing nonviolent drug offenders. This claim is false and I refuted it.

I shouldn't have bothered pointing out your statistics are pointless

No, you shouldn’t have, because they aren’t. The point was to refute Anthony’s claims that mass incarceration is the consequence of drug prohibition and that the required prison capacity could be freed up by releasing nonviolent drug offenders. If you would like to refute my refutation, please feel welcome to introduce whatever data and analysis you have toward that end. I only ask that you put forth the effort yourself instead of gesturing vaguely in the direction of a refutation and then scolding me for not doing the work of presenting your side of the argument.

Sex offender recidivism is a complicated topic that is very difficult to study, and 'sex offenses' are not something that are standardized between societies or systems, and acting like your solution is a decent one means that you think that a simple solution can solve a complex problem.

The rate of recidivism among dead men is zero, and while lifelong prisoners do engage in recidivism against other prisoners, at least they aren’t committing crimes against the rest of society. So there actually are relatively simple solutions available to us. If we are all in agreement that we are willing to bite the bullet and increase the scale of either the death penalty or mass incarceration, I would be satisfied.

When people object to sex offender registration by asking “why are we releasing them from prison in the first place?”, I am not actually convinced that they are serious about lifelong incarceration. I worry that they are using this point as a rhetorical cudgel and have no intention of actually accepting a policy of lifetime incarceration for sex offenders, especially when such a policy would likely conflict with what I reasonably presume to be their attitudes about “mass incarceration”. Now, maybe my presumption was wrong and Anthony is actually totally fine with mass incarceration, but if that were the case he would have said so. Instead, he introduced the canard that mass incarceration was the consequence of drug prohibition. He provided zero data to back up this claim and the data I provided refutes it. Anthony had no response and your responses have been little more than pointless bromides about how these issues are “complicated” with next to no data or analysis on your part about what these complications might be or why they would change our conclusions.

Thus any conversation you are going to have on the topic is going to be fruitless unless you are trying to push an agenda with no regard for a real path forward.

Between the two of us, you’re the one who is struggling to contribute anything that could make this conversation fruitful. I hope I’ve clarified my position well enough for you to add something of substance. For one, I’m not actually clear on what specific position you’re taking here, other than “against Phil”. Perhaps this is another presumption on my part, but I assume that when people argue with me, it’s because there’s some point they disagree with me on. So what is it?

jrockway
8 replies
1d22h

I think it's a cost/benefit thing. People react strongly to sex crimes, and many people don't agree with the state that the 20 years in prison or whatever was enough, so this allows the state to spend $0 on incarcerating someone and still placate those voters.

I don't know why we don't do this for all crimes, though. Why no murderer registration list or bad-check-writer registration list? I guess those we outsource to the private sector.

AnthonyMouse
6 replies
1d21h

People want rapists and pedophiles to burn in hell. They don't feel the same about bad check writers, and first degree murder already carries the death penalty in the relevant jurisdictions, but sex crimes generally aren't punishable by death.

It's probably because sex crimes are extremely hard to prove. If there is a murder, somebody is dead and somebody killed them. It's not that ambiguous. Consent can be extremely ambiguous. It drives people mad because you want every rapist to be six feet underground and every falsely accused innocent person to be free but there are all too many cases, plausibly the majority of cases, where there is no way for the system to conclusively distinguish them.

And then we hesitate to kill rapists because we're uncomfortable about that when it's so easy to get it wrong, but if we don't, people feel the guilty ones are being insufficiently punished. This is kind of a recipe for ending up with bad laws.

pseudalopex
3 replies
1d19h

Sex offender registries are not limited to rapists and pedophiles. Jurisdictions without death penalties have sex offender registries. And some other crimes receive longer prison sentences.

AnthonyMouse
2 replies
1d19h

Sex offender registries are for rapists and pedophiles. Putting people on them who were arrested for urinating in public is the sort of negligence that rarely gets addressed because it doesn't affect a powerful lobby. But that kind of intractable bureaucratic scope creep is another argument for not having them.

The sentence isn't the longest of any crime for the same reason it isn't death (or, for the jurisdictions without the death penalty, the same as their penalty for murder).

pseudalopex
1 replies
1d17h

Sex offender is not a natural category. Registration statutes specify relevant crimes. People who urinated in public were compelled to register because statutes specified genital exposure. Buyers and sellers of consensual sex between adults were compelled to register because statutes specified consensual sex between adults.

The difficulty of proving rape is why rape conviction rates are low. Imprisonment for rape is shorter than imprisonment for murder because most people consider murder worse than rape.

AnthonyMouse
0 replies
1d16h

People who urinated in public were compelled to register because statutes specified genital exposure in order to cover flashers but were overly broad and non-discretionary, causing an absurd result. Statutes covered flashers and prostitution because of scope creep; once you create a machine people want to use it for things. It's fairly obvious that there would be no registry to begin with if there were no rapists or pedophiles.

The difficulty of proving rape is why rape conviction rates are low.

Even despite the low conviction rate, rape convictions are reversed at a higher rate than other crimes, because it's so difficult in those cases to know the truth.

Imprisonment for rape is shorter than imprisonment for murder because most people consider murder worse than rape.

Many countries historically imposed the death penalty for rape and a few still do. Typically the ones less concerned about proof beyond a reasonable doubt in general.

People viscerally hate rapists and, even more, pedophiles. Murder is nominally worse but not by much. The penalties for rape and second degree murder are typically about the same. In multiple US states the penalty for rape is higher.

lostlogin
1 replies
1d21h

People want rapists and pedophiles to burn in hell.

Do they? A quick mental scan of well-known paedophiles suggests that famous ones face limited repercussions.

AnthonyMouse
0 replies
1d21h

"Powerful people evade justice" is a different issue. That doesn't really depend on what they did.

philwelch
0 replies
1d15h

That’s what criminal background checks are for. Lots of criminal convictions have lifelong consequences, many of which are meant to prevent recidivism. People who are convicted of violent felonies are barred from owning firearms, people who are convicted of securities fraud are barred from working in positions where they are capable of committing securities fraud, and people who are convicted of sexual offenses are kept away from children. All of these restrictions seem reasonable to me.

javajosh
8 replies
2d2h

How is urinating in public a sex offense? I'm releasing urine not having sex with it.

codetrotter
3 replies
2d2h

Because in order to pee you have to expose your genitalia. I suppose the laws were made so that anyone exposing genitalia could be charged for it.

That being said, it is completely stupid that people are actually made to register as sex offenders when they really were just peeing. Doubly so when they did so without anyone other than themselves seeing their private parts.

kshacker
2 replies
1d23h

in order to pee you have to expose your genitalia

They should visit India once. Of course many people will pee against an object (wall, tree), but at times not so hidden.

Incidentally saw this funny discussion yesterday (the comments are funny): https://www.reddit.com/r/unitedstatesofindia/comments/18ufbu...

I think these United States have gone way above and beyond their duty as far as calling people sex offenders (not saying that Indians are right)

popcalc
1 replies
1d19h

You just need to go as far as Budapest.

pavel_lishin
0 replies
1d

You just need to go as far as Brooklyn on the subway.

pc86
0 replies
2d1h

Pee in public within a certain distance of a school and you'll probably find out.

mythrwy
0 replies
1d18h

I know a guy that happened to. He was drunk and urinating by the side of the road in plain view and wound up registered as a sex offender. West Texas.

This is his story that I've not independently verified, but I don't think he was an actual sex offender from what I knew of him. He was certainly a drunk though.

bigstrat2003
0 replies
2d1h

Because the law is badly written sometimes.

BeFlatXIII
0 replies
1d3h

Because people may wee your weewee.

pacifika
1 replies
2d1h

Source?

fantasybroker
0 replies
2d

scotty79
0 replies
2d

It's kind of weird that sex offences are treated specially. I'd like to know if I live around someone who gave in to plain violence as well, or if someone has stolen something significant enough.

Either we are giving people a second chance without stigma or we are tracking everyone forever. I'm fine with both.

spencerchubb
6 replies
2d1h

Sex offenders should lose rights. This video is trying to draw sympathy for a 19 year old hooking up with a 14 year old, and that is plain evil.

fantasybroker
5 replies
2d

"Sex offender" at least in the US is a ridiculous classification that includes people who peed in a fountain while drunk. I don't think they should be punished for the rest of their life and be on a public list with serial rapists.

noidea_
3 replies
1d23h

No it doesn't. There are zero people on the registry for urinating in public. This is a myth that pedophiles like to claim.

You'll find thousands of articles about it. You won't find a single case.

fantasybroker
1 replies
1d23h

No it doesn't. There are zero people on the registry for urinating in public. This is a myth that pedophiles like to claim.

Yes it does. Puppy killers like to claim that it doesn't. /s

Here are a few examples with names: https://www.menshealth.com/trending-news/a19541024/you-might...

There is a ton of posts from lawyers confirming the fact that in many states you can get convicted for public urination and put on the sex offender list. For example, here is a post from a Texas-based lawyer: https://www.craiggreeninglaw.com/can-you-really-become-a-sex...

The reason it's so hard to estimate the real number of these cases is that the crime is listed as indecent exposure or lewdness.

trogdor
0 replies
1d3h

I believe that sex offender registration laws are problematic. But so is that Men’s Health article.

Yes, the article contains actual names. Thing is, none of those people are registered sex offenders:

1. Juan Matamoros is not a registered sex offender.

2. Julie Amero was a crazy case involving false testimony by a police officer. Her conviction was vacated on appeal, and she is not a registered sex offender. (That all happened long before the article was written.)

3. Wendy Whitaker is no longer a registered sex offender.

4. Janet Allison is no longer a registered sex offender.

5. Eric Williamson was acquitted. He was never a registered sex offender.

Men’s Health is not a reliable source for investigative reporting.

goatlover
0 replies
1d18h

This isn't reddit. And that's a terrible form of argument.

spencerchubb
0 replies
1d17h

Okay. I can agree that that subset of sex offenders shouldn't be defined as sex offenders.

toomuchtodo
1 replies
2d2h

Highly dependent on jurisdiction.

BeFlatXIII
0 replies
1d3h

Ditching a jurisdiction where it’s illegal to start afresh somewhere the tradition is welcome is part of the process.

newsclues
0 replies
2d3h

Oh really?

As someone that once faced serious jail time for plants, I think that would have been a nice option, but I wasted two years of my life in court/etc.

dcow
33 replies
2d1h

Passkeys aren’t device-bound. I think they’ll work just fine.

The real problem, though, is that we seem to need digital identity solutions to be perfect as opposed to “good enough”. No solution is perfect and we’ll be stuck on email as long as the enterprise security nuts (who need everything device-bound and vendor attested) and anon-in-the-ether privacy schoolers (who think any stable identifier whatsoever is a heinous crime) are part of the conversation.

Imagine if everyone just used mobile drivers licenses issued to whatever self-sovereign wallet the user chooses. Identity issuing, revocation, and recovery is then handled by all the things society has already built to handle meatspace identity. Account recovery involves a trip to your local gov’t office to re-issue your ID credential. Which means you need some chain of trust to your birth certificate. You’re going to treat your mDL credential wallet with a lot more reverence if that’s the recovery flow, so some of these problems solve themselves if we stop using punk short-names everywhere online.

Relying parties that need human uniqueness, age, and/or nationality guarantees use the mDL verifiable credential. Law prohibits relying parties from aggregating and selling/transferring information obtained for purposes of authentication from a VC. Ad-tech privacy problem solved.

Services that don’t need proof of human uniqueness etc. can just skip the VC part of the equation and use basic passkeys and implement short-name reclamation.

AnthonyMouse
9 replies
1d17h

Imagine if everyone just used mobile drivers licenses issued to whatever self-sovereign wallet the user chooses. Identity issuing, revocation, and recovery is then handled by all the things society has already built to handle meatspace identity.

But why do you need to tie it to your driver's license? Tie it to whatever kind of account recovery token you like, put that in a safety deposit box at a bank (available for ~$20/year), and then you can get access to that with your government ID if all else fails.

This requires no new infrastructure to screw up or get broken into and doesn't tie your internet activity to your name while still allowing you to use your name to recover your accounts.

Relying parties that need human uniqueness, age, and/or nationality guarantees use the mDL verifiable credential.

This is variously unnecessary and ineffective.

The correct way to do age verification is to ask the client's browser if the user is a minor. If the user is a minor, either their parents will have configured the device to answer truthfully or the minor has access to an adult willing to allow it, against which no remote system is secure anyway because the adult has an adult ID.

This is the same reason human verification doesn't work like that. You still have no idea if you're talking to a human, all you know is the device on the other end has somebody's ID attached. Individuals who aren't supposed to be using AI still have a human ID and criminal organizations not only have their own IDs but also any they can steal.

It's not clear why proving nationality over the internet is necessary but most of the obvious use cases are dystopian, and requiring you to visit a physical office once in your life to prove your nationality to some bureaucracy (after which you can use your account) seems like a minor burden -- and more secure -- compared to trying to do this.

That kind of system is not worth the candle. The tracking risk is large, the benefit is small, there are too many ways to screw it up and it would inevitably be politically compromised and hard to change.

dcow
8 replies
1d9h

You can use whatever credential society is willing to trust. Practically that’s a state-issued ID.

All I’m arguing is that we should extend the concept of your state ID cryptographically into cyberspace. And that it should be used for recovery flows where real identity matters. There’s nothing new here (society already works this way) other than the protocols and specs to agree on document and signature format, which is luckily something we happen to excel at managing.

None of your counter suggestions solve any practical problems. A liquor store isn’t going to simply “ask the user” whether they’re of age. They need more formal proof. Users don’t rent safe deposit boxes at banks, and even if they did that would be chained back to your physical ID anyway so your apparent solution isn't a real solution.

The dystopian worries are hyperbolic and mostly FUD. If a service needs your info and you need the service, you’ll give it to them.

Anyway mobile DL is already happening. I’d rather a state that I have at least a modicum of control over be the root of my digital identity than some corporate run email system that can evict me without cause.

AnthonyMouse
7 replies
1d8h

You can use whatever credential society is willing to trust. Practically that’s a state-issued ID.

Nearly every institution trusts the credentials that it issues. Your employer trusts your ID badge that they issued. Your bank trusts your bank card that they issued. Why does anything else even need to exist?

All I’m arguing is that we should extend the concept of your state ID cryptographically into cyberspace.

And then it will be designed poorly but everything will start requiring it because the poor design will allow it to be used as a tracking ID (even if it was claimed not to, because malicious corporations are clever), but once everything is using it the poor design will be difficult to change. See social security numbers (which never should have been public).

A liquor store isn’t going to simply “ask the user” whether they’re of age.

A liquor store doesn't need to verify identity over the internet because you're standing in the liquor store. Unless it's an internet liquor store in which case they already have your identity because you've provided them with payment info and a shipping address, and checking ID at the point of sale is useless when it's the point of delivery you care about, i.e. you need the delivery driver to check it. Otherwise minors can just buy alcohol with an adult's ID unbeknownst to both the seller and the adult, and have it delivered to themselves where nobody checks who receives the package.

You can't verify age over the internet because you have no way to know if the credentials being used are those of the user or someone else. In person you compare the picture on the ID to their face, or can notice if they're clearly a child.

Users don’t rent safe deposit boxes at banks, and even if they did that would be chained back to your physical ID anyway so your apparent solution isn't a real solution.

The bank doesn't even know what's in the box, and you're not required to use a bank if you don't want to. You can use any safe place you'll still be able to access even if your house burns down etc. A safety deposit box is an example of such a place which is relatively inexpensive. Many people do in fact use them to store important documents -- that's one of the main things they're for.

The dystopian worries are hyperbolic and mostly FUD. If a service needs your info and you need the service, you’ll give it to them.

If you make it easy to demand then services that don't need the info will demand it, and then you'll give it to them because you need the service. Which is the evil to be prevented, by making it hard to demand, so only services that actually need it will demand it.

Anyway mobile DL is already happening.

That which is made can be unmade. Easier if done sooner.

I’d rather a state that I have at least a modicum of control over be the root of my digital identity than some corporate run email system than can evict me without cause.

So buy a domain name for $15/year to use for your email, which you can point to any third party email service if you don't want to host it yourself, and you can point somewhere else if they disappear or become adversarial. Or make it easier for the average person to do this (though it's really not that hard).

dcow
6 replies
1d2h

You’re really missing the point of the whole conversation: account bootstrap and recovery for situations where things like verifying that a real human and not a bot owns the account, that the real human is unique and isn't lying about their name, and that the human is legally allowed to use a service (age) are requirements.

(To your example: we’re talking about bootstrapping an account at a bank not using a bank card as a bearer token. Banks won’t trust a bank card when you tell them you lost your bank card and need a new one, or walk into the branch for the first time to open an account.)

Today we do an entirely shitty job across the board of meeting these requirements. We root trust in essentially the digital analog of your postal address. We TOFU any comms coming from a new address. We use crap like captcha (which is now easily defeated by AI) to try and help establish a pulse. Etc.

Everything you mention about stable IDs existing, corporations abusing the relationship with their users for extra profit, etc., is already a problem today. All a service needs is name and DoB and they can sell info about how you use their service to aggregators for days. Our current system of email addresses doesn’t solve that even remotely. And it makes services that do justifiably need stable IDs reach for crummy insecure, unsafe and terrible options like asking you to upload a photo of you holding your driver's license… talk about creepy shit services shouldn’t be doing. There is no reason we can’t show the user a page that explains exactly what data will be shared with a service when they present any given credential and allow them, not you, to make the choice of whether that’s okay and warranted for the given service.

You’re making multiple logical fallacies: (1) you’re moving the goalposts and arguing that a system that improves our ability to issue, hold, and consume digital versions of a government issued ID is wholesale bad because it doesn’t solve all conceivable problems in the digital ID space even though it solves many. And (2) your resounding reason for the badness is that “it will be designed poorly and used by bad guys” which is just our slippery slope du jour.

AnthonyMouse
5 replies
22h4m

account bootstrap

Why does account bootstrap require any identification? It's a new account with nothing in it. You can't be reading someone else's messages or withdrawing their money because there isn't any. If you're the one opening the account, that's your account, regardless of who you are.

The only reason anybody cares about this even for banks is that it's required by law. But then you show them your government ID one time when you open your account, which doesn't have to be done over the internet, and if you care about the security of it then it couldn't be. Otherwise you can't prove that the presenter of the ID is the person whose name is on the ID. And if you don't care about that (e.g. because to prevent this you're relying on the legal system deterring that with criminal penalties) you can let them provide their name without any ID.

I mean let's ask the question this way: If people have their government ID on their phone and then someday there is a wormable remote root exploit in one of the major phone platforms, a criminal organization now has access to millions of IDs. Not possible when government ID is a physical thing in your wallet. Are we just setting ourselves up for doom? They can steal everyone's money and pin their crimes on whoever they want? Why would you build such an epic single point of failure?

recovery

It doesn't really do that. It just pushes it one level away as if that system can do something different.

What do you do if you lose your bank card? You show them your driver's license. But then what do you do if you lose your driver's license? Regardless of what that is, couldn't you just do that if you lost your bank card? It's not providing anything but another level of indirection. And in either event it's not something that needs to be done over the internet because it's needed so rarely. You don't even want it to happen over the internet, because then someone who can steal or forge a digital ID can steal your bank account from Russia instead of having to walk into a physical branch in the victim's country and put their face on a surveillance camera.

verifying that a real human and not a bot owns the account

I still don't understand how this is supposed to prove anything. The human who operates the bot will have an ID for the bot to use.

that the real human is unique and isn't lying about their name

This is the biggest reason to burn any such system to the ground. Because it only works against honest people. You prohibit victims of government abuse and anyone who doesn't want to be tracked from using a pseudonym, meanwhile serious criminals get IDs by remotely hacking phones or servers or bribing low-level government employees.

Preventing innocent people from being anonymous is an offensive goal.

Banks won’t trust a bank card when you tell them you lost your bank card and need a new one

So then you call them or sign in to the account on their website and have them mail it to the address they have on file, which they'll notify the account holder of by sending text and email.

We root trust in essentially the digital analog of your postal address.

As opposed to the traditional system, which does the same thing with your actual postal address? The government does the same thing as the bank if you lose your driver's license. They mail you another one. In many cases they mail you the first one.

Everything you mention about stable IDs existing, corporations abusing the relationship with their users for extra profit, etc., is already a problem today. All a service needs is name and DoB and they can sell info about how you use their service to aggregators for days.

Which is exactly why you should never have to give them that information, and any system that prevents you from making it up is to be destroyed.

And it makes services that do justifiably need stable IDs

There are so few things that legitimately need this that keeping them clunky and arduous is a huge feature, to keep the demand for it from spreading to services that don't.

There is no reason we can’t show the user a page that explains exactly what data will be shared with a service when they present any given credential and allow them, not you, to make the choice of whether that’s okay and warranted for the given service.

And then all the services that want to track you demand your full name and DOB, use it to track you, and you have to use them anyway because they have a network effect or some other market power, or there are only three companies in the industry and they all do it.

you’re moving the goalposts and arguing that a system that improves our ability to issue, hold, and consume digital versions of a government issued ID is wholesale bad because it doesn’t solve all conceivable problems in the digital ID space even though it solves many

It not only doesn't solve all problems, it only solves one problem -- how to track people who don't want to be tracked, which is a problem that could quite beneficially carry on not being solved -- and in the process it creates multiple new problems that didn't previously exist.

your resounding reason for the badness is that “it will be designed poorly and used by bad guys” which is just our slippery slope du jour.

It's the thing that will happen, because designing such a thing with effective privacy protections is actually an extremely difficult problem even when you're competent and have good motives, but you're asking the political system to do it, which is the thing with a poor track record on technical competence and corrupted by all of the interests who don't want that problem to be solved because they want to track everyone.

dcow
4 replies
20h47m

You're massively oversimplifying reality.

The only reason anybody cares about this even for banks is that it's required by law.

No it's not. Many many services ask for phone number as a proxy for "this is a unique human". Plenty of services ask me to verify my identity with those stupid "which one of these is your address from 2004" questions. Some ask me to upload photos of my drivers license or enter the info from the card. Services where I enter payment require my information. In fact I'd argue that the majority of the critical digital services I use require strong identity be it traditional or web3 crypto-style. It's just the angsty message boards that don't. Heck even social media requires at least a phone number these days. I simply don't buy your unfounded assertion that "the majority of relevant digital services don't need strong identity". Strong identity should be the default, anonymity only when needed or desired by a select digital community.

Are we just setting ourselves up for doom? They can steal everyone's money and pin their crimes on whoever they want? Why would you build such an epic single point of failure?

The iPhone has been remotely exploitable since its introduction. Still, I don't know of a single Secure Enclave exfiltration exploit because it's hardware separated. Regardless, your doom and gloom scenario has yet to play out so I'm calling FUD.

But then what do you do if you lose your driver's license? Regardless of what that is, couldn't you just do that if you lost your bank card?

There is no that. You get your license re-issued or maybe you can use SSN (which is so bad and doesn't solve anything because we devolve to digital SSN instead of DL). I don't know of any banks that let you bypass identity verification because you lost your credential. You have to go get a new credential. Fun fact, phone companies are now requiring ID verification via state issued credentials to make changes to your account. Simply having the account login credentials isn't enough anymore. Lost an hour at the Verizon store trying to get my mom a new phone for the holidays only to learn she needs a DL.

I still don't understand how this is supposed to prove anything. The human who operates the bot will have an ID for the bot to use.

Nobody cares if the human uses a user-agent software to browse the web. What people care about is humans having multiple accounts, gaming systems, spamming communities, being bad actors, etc. All these things are enabled by a lack of scarcity in identity or anonymity (two sides of the same coin). Because strong identity is scarce, you don't get to make up accounts for a bot and then just roll a new one when that bot is banned. You get one shot and if you blow it and don't play by the rules your account is banned, your spam and abuse potential is now zero instead of one.

You prohibit victims of government abuse and anyone who doesn't want to be tracked from using a pseudonym, meanwhile serious criminals get IDs by remotely hacking phones or servers or bribing low-level government employees.

If you're being targeted by your government then you can't use systems with strong identity anyway (whether it's from the 20th or 21st century isn't important), so it's a moot point. You can't use banks with KYC because all your accounts are frozen or being watched. You can't communicate using government regulated comms channels. Like it or not we cede a monopoly on violence to our governments. If you don't like yours then move elsewhere or yes reach for true anonymity and operate beyond the pale.

As opposed to the traditional system, which does the same thing with your actual postal address? The government does the same thing as the bank if you lose your driver's license. They mail you another one. In many cases they mail you the first one.

Nooo. Trust is not rooted in your address. It's rooted in presentation of a birth certificate and residency documents to a government agency. Only after you attest to your name and bind your name to an address is an address trusted. They don't just say "oh you say your name is Paul? Great where's the best address to send this credential?", (and FWIW some even print you the credential on the spot avoiding the postal system).

The fact that you either don't understand this or haven't taken the time to be careful enough about this nuance tells me you're firmly in the camp of tinfoil hat anonymity purists, and that your opinions on the matter of practical human identity can be pretty much discarded as such. No offense. I mean you said this:

Which is exactly why you should never have to give them that information, and any system that prevents you from making it up is to be destroyed.

Any system where I can't just make up arbitrary details about myself is to be destroyed. Okay that's practical.

There are so few things that legitimately need this that keeping them clunky and arduous is a huge feature

I don't even need to rebut this statement because it's so asinine it discredits itself.

And then all the services that want to track you demand your full name and DOB, use it to track you, and you have to use them anyway because they have a network effect or some other market power, or there are only three companies in the industry and they all do it.

FUD and arguing past me. I said we need to legislate the use of PII from digital credentials. We already live in a world where companies abuse everyone. We are beyond fucked on that front. So the solution isn't "stifle all innovation because it could make you slightly easier to stalk". The solution is build a strong robust framework around which information is clearly in the domain of user-controlled identity/PII and that shall not be abused without consequence, and then enforce the law. How is that not clear? The problem is EXACTLY that we can't stand up as a society and point to digital PII, because it doesn't actually exist in a clear form. We live in a blurry purgatory where nobody knows what exactly is an identifier and how it should be respected because we don't have strong digital identity. The ad industry doesn't need a credential document to track you. They just tag you with their own UUID when they see you and your shitty browser (also built by ad-tech) does the rest. Zzz...

It not only doesn't solve all problems, it only solves one problem -- how to track people who don't want to be tracked, which is a problem that could quite beneficially carry on not being solved -- and in the process it creates multiple new problems that didn't previously exist.

That's not even a charitable interpretation of what I'm arguing. Thanks. It doesn't create a single new problem (or if it does it's strictly in the realm of unsophisticated doom and gloom tirade FUD). It makes a shitty system better for the vast majority of humans who aren't super fond of internet trolling, scalping, spam, bullying, and all manner of activities that our current system tacitly glorifies.

It's the thing that will happen, because designing such a thing with effective privacy protections is actually an extremely difficult problem even when you're competent and have good motives, but you're asking the political system to do it, which is the thing corrupted by all of the interests who don't want that problem to be solved because they want to track everyone.

Privacy is not one dimensional. If you're competent you understand that privacy isn't "nobody knows anything about me". Privacy is about only sharing sensitive information with people you trust. A functioning social society involves trust. Trust no-one is not a valid pragmatic mantra. A system where the commons agree on a stable identifier and credential and then each individual is able to present the credential, attenuate the claims (e.g. transform a strong meatspace ID into a weaker but still unique pseudonymous ID for services that don't need meatspace details but still need functional identity), etc. is exactly what we need to solve problems and make progress. What we don't need is to tear down society and all become faceless anons by default.

I guess this discussion probably boils down to a difference in philosophy. I'm a humanist. I want technology to augment and enhance human systems. I don't want to evolve into a trans-humanist hive mind type of civilization where we're all faceless interchangeable worker bees without any sort of reputation or identity.

---

Addendum: FWIW I suspect the idea of a credential with everything a traditional driver's license has is tripping you up mentally. In the actual implementation the user is issued a selection of credentials with varying claims and can choose which one to present to any given service. The user only reveals the minimum information they're comfortable sharing with any given service. This is an enhancement possible with a digital system that's cumbersome with physical cards since sending you all the different permutations of a DL with different fields included would be unwieldy and expensive.
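An added example, not code from any participant in this thread, of the "selection of credentials with varying claims" idea in the addendum above, written in Python: the issuer signs only salted per-claim digests, the holder reveals just the claims a given service needs, and the verifier checks each revealed claim against the signed digest list. The issuer name, the claim names, the sample identity data and the HMAC key standing in for the issuer's signature are assumptions for illustration (a real deployment would use an asymmetric signature).

```python
import hashlib
import hmac
import json
import os

# Assumption for this example: an HMAC key stands in for the issuer's signing key.
ISSUER_KEY = b"example-issuer-key-not-for-real-use"


def _digest(salt: bytes, name: str, value) -> str:
    """Commitment to one claim: SHA-256 over salt, claim name and JSON-encoded value."""
    payload = salt + name.encode() + json.dumps(value, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def issue(claims: dict):
    """Issuer side: returns (credential, disclosures).

    The credential carries only per-claim digests plus a signature over them, so
    by itself it reveals no claim values. The disclosures (salt, name, value) go
    to the holder, who later picks which ones to hand to a service.
    """
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = os.urandom(16)
        disclosures[name] = (salt.hex(), name, value)
        digests.append(_digest(salt, name, value))
    digests.sort()  # sorted so the position of a digest says nothing about the claim
    body = json.dumps({"issuer": "example-dmv", "digests": digests}, sort_keys=True)
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder side: attach only the disclosures the service is entitled to see."""
    return {"credential": credential, "disclosed": [disclosures[n] for n in reveal]}


def verify(presentation: dict):
    """Verifier side: returns the revealed claims, or None if anything fails.

    Checks (1) the issuer signature over the digest list and (2) that every
    disclosed (salt, name, value) recomputes to a digest in that signed list.
    A tampered value or an injected claim fails check (2).
    """
    cred = presentation["credential"]
    expected = hmac.new(ISSUER_KEY, cred["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    digests = set(json.loads(cred["body"])["digests"])
    revealed = {}
    for salt_hex, name, value in presentation["disclosed"]:
        if _digest(bytes.fromhex(salt_hex), name, value) not in digests:
            return None
        revealed[name] = value
    return revealed


def demo() -> dict:
    """Constructed sample identities (not real data) exercising the three paths."""
    adult_cred, adult_disc = issue({
        "subject_id": "7f3c9a2e",  # opaque stable identifier, not the name
        "name": "Alex Example",
        "dob": "1990-01-01",
        "over_21": True,
    })
    minor_cred, minor_disc = issue({
        "subject_id": "0b61d4c8",
        "name": "Sam Example",
        "dob": "2010-06-15",
        "over_21": False,
    })
    # An age-gated shop learns only over_21; a one-account-per-person forum
    # learns only subject_id; neither sees the name or date of birth.
    age_only = verify(present(adult_cred, adult_disc, ["over_21"]))
    unique_only = verify(present(adult_cred, adult_disc, ["subject_id"]))
    # The minor keeps the issuer's salt but flips the value: digest no longer matches.
    forged = present(minor_cred, minor_disc, ["over_21"])
    salt_hex, name, _ = forged["disclosed"][0]
    forged["disclosed"] = [(salt_hex, name, True)]
    return {"age_only": age_only, "unique_only": unique_only, "forged": verify(forged)}


if __name__ == "__main__":
    print(demo())
```

Note that `subject_id` here is a single stable value: any two services that both receive it can link their records, so a deployment that wants uniqueness without cross-service linkability would need per-service (pairwise) identifiers rather than one identifier disclosed everywhere.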

AnthonyMouse
1 replies
13h45m

[2/2]

The solution is build a strong robust framework around which information is clearly in the domain of user-controlled identity/PII and that shall not be abused without consequence, and then enforce the law. How is that not clear?

That has two major problems.

1) There is no way to verify what they do with it. Once they have the information, what they do happens entirely within their own organization, which the user has no way of knowing. They'll lie about it, or secure it inappropriately and then have it leaked. The only real solution is for them never to have it to begin with, not laws on what they can do with it that nobody can verify.

2) Defining PII in this way is basically hopeless, because whether something is personally identifiable is context-specific.

You want to prevent a social media company from getting your PII, so you never give them your name or date of birth, all they have is your username with them. If the same company owns a retailer, you make a separate account with the retailer and the social media service still doesn't have a physical address for your social media account even if the retail service does.

Give that company a way to prevent you from having "two accounts" and now you have one account and your social media account is correlated with your name and physical address. But they get to claim they need the information because the retailer has a legitimate need for your shipping information. And the username goes from not identifying you to identifying you.

We live in a blurry purgatory where nobody knows what exactly is an identifier and how it should be respected because we don't have strong digital identity.

How would "strong digital identity" change that? All it would do is create an additional form of PII. All of the others would still be there and be just as uniquely identifying, including the ones that weren't created to be or appear to be at first glance but are, or are in combination with some other variables they also know.

The ad industry doesn't need a credential document to track you. They just tag you with their own UUID when they see you and your shitty browser (also built by ad-tech) does the rest.

It's not that hard to maintain multiple identities and keep them separate. The easiest way for laymen is to use separate devices; older devices are cheap and more than fast enough for basic internet use if you just want to read the news on a device that doesn't know where you work etc.

Forced single identity kind of throws that out the window as soon as they find any way to correlate accounts using the same ID, and do you really think they won't?

It doesn't create a single new problem (or if it does it's strictly in the realm of unsophisticated doom and gloom tirade FUD).

Okay, here's a single, specific, new problem: If your government ID is digital rather than physical then things that used to require a criminal to be physically present in your jurisdiction can now happen over the internet from countries where they have no fear of prosecution.

It makes a shitty system better for the vast majority of humans who'd aren't super fond of internet trolling, scalping, spam, bullying, and all manner of activities that our current system tacitly glorifies.

There are alternate ways to address these problems that don't involve massive centralization of authentication.

Privacy is not one dimensional. If you're competent you understand that privacy isn't "nobody knows anything about me". Privacy is about only sharing sensitive information with people you trust.

That's kind of the point. You're already free to give truthful information to anyone you trust. Now what do you do if you don't trust someone but they demand your info anyway and you're not in a position to refuse?

I want technology to augment and enhance human systems. I don't want to evolve into a trans-humanist hive mind type of civilization where we're all faceless interchangeable worker bees without any sort of reputation or identity.

There is a difference between faceless anonymity and having multiple identities. The latter is how human society has always operated. People behave differently in front of their parents and their friends. They wear different clothes to work and to play. They say things in confidence to people they trust that they wouldn't say to people they don't.

But now you're not just saying it to the people you trust, you're saying it to people you trust and a huge corporation who records it forever and often gets breached. Keeping a thick line between these different identities is something we need to support, not inhibit.

You're really looking for a rate limiter to prevent someone from creating a million accounts. You don't have to merge everyone's pseudonyms into a totalitarian centralized identity system for that. All you need is something that puts a price on account creation. A literal price would work fine. So would a dozen other things.

The real problem is that services don't want something that adds friction to account creation, but they do want to track everyone. And what I'm saying is that we should fight against making the tracking everyone thing frictionless.

dcow
0 replies
22m

Now what do you do if you don't trust someone but they demand your info anyway and you're not in a position to refuse?

Can you explain when this is the case? You can always vote with your feet and not use x|y|z.com. Not once have I been forced to use some piece of software in my personal life.

The latter is how human society has always operated. People behave differently in front of their parents and their friends. They wear different clothes to work and to play. They say things in confidence to people they trust that they wouldn't say to people they don't.

I'm not actually arguing that socially we shouldn't have "Personas" or access to multiple email addresses or whatnot, etc. I'm arguing that personas should be specifically chosen by products on top of a strong cohesive underlying human identity system (by not using some global id as a primary key in the users table or even storing it in the first place, or by allowing a less strict form of authentication). If your message board doesn't need to enforce uniqueness of humans, or enforce that posters use a real name, then it simply doesn't (maybe email is good enough for it). However, if your bank does need to, it has a good way to do so not a shitty one. And as a user I'd rather my account recovery be rooted in a socially robust system even if higher order services don't need to chain their account/user records back to a unique person ID.

You're really looking for a rate limiter to prevent someone from creating a million accounts. You don't have to merge everyone's pseudonyms into a totalitarian centralized identity system for that. All you need is something that puts a price on account creation. A literal price would work fine. So would a dozen other things.

That's not what I'm looking for but I don't disagree that it's a solution to some of the spam and bot type of problems.

I'm looking for a strong digital identity system not rooted in a digital postal address. Some people are allergic to the idea because of all the ways it could theoretically be abused. I simply don't buy FUD around how a strong identity system could be abused to be a reason not to build it. Powerful tools come with great responsibility. I believe there are enough people who care involved that we could develop and wield a better system than "your email is you" responsibly as a society. I actually think that a strong identity system would help us avoid slipping into a totalitarian nightmare where all the tracking happens in the dark behind the veil (essentially what we have today). I want people that need to track you to declare it loud and clear so that I can make informed trust decisions on a service by service basis.

Anyway you really seem to be arguing from a position where you assume this tool will be used unilaterally by everyone for bad. I simply don't buy it. Your fear is noted, and I think we've discussed as much as is productive at this point.

withinboredom
0 replies
8h39m

Many many services ask for phone number as a proxy for "this is a unique human".

This is how we end up with personal accounts as an admin of Facebook ads of fortune 500 companies, and the like. By not allowing multiple accounts, you prevent partitioning of life/business, you prevent abused spouses from creating a secret identity to seek help through, you prevent whistleblowers from blowing the whistle, you prevent people from being able to have conversations about part of their life they don't want associating with their identity.

Strong identity should be the default

People can have multiple passports! They can choose which passport to show when entering a country. I have a US ID and a Dutch ID, a US social security number and a Dutch one, a US phone number, and a Dutch one. Why should I have the privilege to have multiple accounts while you do not, simply because I moved to another country?

Lost an hour at the Verizon store trying to get my mom a new phone for the holidays only to learn she needs a DL.

Why should only people who have driver's licenses be allowed to get a phone? That seems ridiculous.

You get one shot and if you blow it and don't play by the rules your account is banned

Since I've moved to the EU, I have many friends who get banned simply because their written English is bad enough to be considered a bot. How does identity prove they are a human and not a human running a bot? Please tell me this. I'm quite interested in this.

In the actual implementation the user is issued a selection of credentials with varying claims and can choose which one to present to any given service. The user only reveals the minimum information they're comfortable sharing with any given service.

How is this different than what we already have? I can choose to give a service as little true information as I want. Do you just want some cryptographic user/pass that is attested via a government? What do you do if a government revokes a user's id (aka, deportation, lost id, etc)? Can they still log in? What if it expires, is it still valid for your service? My US driver's license is long expired, but it still asserts my identity even though I can no longer use it to prove I know how to drive.

I don't think this is very well thought through, nor is it realistic once it hits any sort of common edge case. I really hope nothing like this ever happens.

AnthonyMouse
0 replies
13h46m

[1/2]

Many many services ask for phone number as a proxy for "this is a unique human".

Anyone can get as many phone numbers as they want for less than $5/each.

And there is a better way to rate limit account creation -- you pay $5 to create an account. For a legitimate user this is a nominal one-time fee, but a spammer has their account banned in minutes and has to pay over and over, and the fee directly pays the costs of fighting spammers so the more there are the more funding you get.

The biggest problem with this is, ironically, that we messed up our payments systems so that it's really hard to pay anyone over the internet without disclosing your identity. Which makes "pay a nominal fee instead of giving your identity" pretty hard to implement. If you want to fix something, fix that.

Strong identity should be the default, anonymity only when needed or desired by a select digital community.

Anonymity has to be the default because it's needed by specific people rather than specific communities. Most people on some huge social network don't need to be anonymous but the minority who do need it desperately. They're a minority that needs to be protected even though a conglomerate would be willing to steamroll over them because they're not a large enough population to affect the bottom line.

The iPhone has been remotely exploitable since its introduction. Still, I don't know of a single Secure Enclave exfiltration exploit because it's hardware separated. Regardless, your doom and gloom scenario has yet to play out so I'm calling FUD.

It hasn't been a huge problem because the majority of people haven't had a single-root digital ID on their phone and the majority of services don't currently accept one. But there have been known to be vulnerabilities in various hardware security modules, some of them remotely exploitable. It's a bad assumption that no one will ever find another one.

And the problem isn't just the scale, it's the scope. Even Apple had a Secure Enclave vulnerability, which was reported to require physical access, but sometimes the attacker has physical access. And then it's not that you can access the bank accounts of millions of people, it's that you can access all the accounts of anyone whose phone you can steal because you've put every egg into the basket of that single ID. Which the attacker can then use without showing their face in a physical place.

There is no that.

That's my point. That is the law against giving false information on an application for government ID, which isn't any more effective than a law against giving false information on an application for a bank account, and shouldn't be necessary on an application for phone service or similar.

I don't know of any banks that let you bypass identity verification because you lost your credential. You have to go get a new credential.

You did the identity verification when you opened your account. They generally don't need to see your ID again. They were going to send a new card there anyway because the cards expire every few years and they automatically send you a new one.

Fun fact, phone companies are now requiring ID verification via state issued credentials to make changes to your account.

Not because they care about your name, because they don't want attackers stealing their actual customers' phone numbers and digital credentials can be stolen remotely, so they resort to physical ID. Making the government ID a remotely stealable digital credential is not solving their problem.

Nobody cares if the human uses a user-agent software to browse the web.

You don't want players using bots to play your game, so you say captcha to continue if they play suspiciously well or suspiciously long. Asking for ID doesn't work because the bot can present the human's ID.

You don't want Archiveteam scraping your site, but they have many volunteers willing to each run a slow crawler from a separate IP and it's hard to distinguish the bots from real users, so you use captchas. Using IDs instead doesn't work because each of the volunteers has a unique ID.

Company wants to use AI marketing bots in the same way as they pay astroturfers, but now instead of paying $1000/month they pay 100 times as many people $10/month just to use their ID. Each bot gets an ID, and the bots aren't conspicuous so they don't get banned quickly, they just post a lot of 20th percentile-quality content and really love that company's products. If anybody's ID gets banned the company replaces them with someone else. There are a million people willing to take a ban from a site they don't use in exchange for a little money.

Lots of people currently use captchas in places where asking for ID wouldn't do any good. Rate limiting by ID overlaps heavily with rate limiting by IP address.

> All these things are enabled by a lack of scarcity in identity or anonymity (two sides of the same coin).

These are not at all the same thing. You can get access to a large number of unique identities with a relatively modest amount of resources, and demanding ID won't be effective for anything requiring more of a deterrent than that. Conversely, you can rate limit based on anything scarce, not just ID.

Having users post a bond is particularly effective because you can make the amount scale with how aggressively you need to deter bad actors, and it's technically possible (though not currently convenient) to do this anonymously.

You can also rate limit by reputation by using vouching systems etc. etc., none of which requires the person doing the vouching or the person being vouched for to be using the same identity on your site as they use in any other place.

> Because strong identity is scarce, you don't get to make up accounts for a bot and then just roll a new one when that bot is banned. You get one shot and if you blow it and don't play by the rules your account is banned, your spam and abuse potential is now zero instead of one.

This is what I mean by creating new problems. What do you do if you get hacked and then banned from everything? It's one thing to lose a $5 deposit or have to start over with a new account on one service, what do you do after your ID gets banned from all social media and every major infrastructure provider in a consolidated market? Tying everything to one root is bad.

> If you're being targeted by your government then you can't use systems with strong identity anyway (whether it's from the 20th or 21st century isn't important), so it's a moot point. You can't use banks with KYC because all your accounts are frozen or being watched. You can't communicate using government regulated comms channels.

There are different levels of being targeted by the government. If your abusive ex is a cop, you need to be able to operate under the radar so they can't find you. That doesn't mean they can have your bank account frozen without raising red flags, so you can still go to the bank to get enough cash to run away.

> If you don't like yours then move elsewhere or yes reach for true anonymity and operate beyond the pale.

In general we try to improve the government, e.g. by increasing the ability for the public to maintain their anonymity. Especially when that country is the US and the US is the country preventing other countries from e.g. providing their citizens with an anonymous bank account. Where are you even suggesting someone go? Sealand?

> Nooo. Trust is not rooted in your address. It's rooted in presentation of a birth certificate and residency documents to a government agency. Only after you attest to your name and bind your name to an address is an address trusted.

A birth certificate is just a piece of paper with a name on it. They have no way of knowing if that's your name. No authentication is happening there.

This stuff isn't based on cryptography or signature verification or anything. It's based on it being a crime to lie about it in particular contexts, which deters people from doing that. "Attesting to your name" is something you could do just the same to the bank. All you have to do is make it illegal to give a false social security number to a bank and you have the same level of security as you do to get the government ID.

> Any system where I can't just make up arbitrary details about myself is to be destroyed. Okay that's practical.

Being made up is where names come from, and people don't have a single name. Married people often change their name and carry on using both of them in different contexts.

A particularly relevant example is stage names. Their name in the credits isn't the name on their mortgage or in their high school year book. They'll use their stage name for a social media account. Using their other name is dangerous because if their social media account gets hacked, the name on their mortgage gets out and stalkers show up at their house.

This is as true for minor celebrities as major ones, if you do certain kinds of work or discuss certain kinds of topics, so those people need to use a pseudonym on the internet. With no way for anyone to tie it to where they live. Even if they're not famous enough to have Big Tech CEOs in their address book.

fantasybroker
7 replies
2d1h

Personally, I like the idea of hardware-tied auth (phone/FIDO2 key), that could work for me eventually. However, I am also one of the "anon-in-the-ether" people and don't want a permanent identity on any public service.

A permanent identity comes with many additional mechanics, far beyond just a stable identifier. The biggest one is post karma (including likes): IMO it's at the core of almost everything that's wrong with the modern web. It introduces vile personal and group incentives and leads to an eventual destruction of any honest conversation. While this mechanic exists on public forums, I won't use a permanent identity.

pseudalopex
5 replies
1d20h

Stable identifiers were common decades before karma or likes.

fantasybroker
4 replies
1d20h

Yup, I used to use them back then.

pseudalopex
3 replies
1d19h

You said stable identifiers come with karma and likes. But you know they come without also.

fantasybroker
2 replies
1d19h

I mean - yes? I understand what a stable identifier is. Having a unique user ID in a database doesn't magically enable likes on all features. But for the purpose of this discussion I limited my opinion to "public services", i.e. services with a social aspect, which overwhelmingly have this mechanic (to such an absurd extent that I can "like" payments made by people I don't know on Venmo).

pseudalopex
1 replies
1d18h

> I understand what a stable identifier is.

You do not understand what core is apparently.

fantasybroker
0 replies
1d16h

From what I understand "core" is a central part of a fruit.

dcow
0 replies
1d8h

I’d challenge you to live life without a government ID, and without giving your phone number to any “public service”. I’m sure we could be more private than we are, but you aren’t going to get far without your permanent ID.

pc86
6 replies
2d1h

I definitely don't consider myself a "privacy schooler" (whatever that means) but government-issued ID credentials tied to "self-sovereign wallets" (whatever that means) sounds like a, pardon my french, absolute fucking nightmare. But agreed with your other point that we'd probably stop giving ID up as easily if that was the cost of recovery.

riffraff
5 replies
2d

You have government issued id credentials tied to government controlled bank accounts and cards, a wallet per se would not change much.

xerox13ster
4 replies
1d23h

Those are not signifiers for my entire digital life and allowing them to be a single trackable signifier online gives corporations and governments carte blanche to track every movement we make online in perpetuity, forever once that cat is out of the bag.

It will be worse than the WEI framework in terms of restricting access to a certain class of people. If you're already disadvantaged and don't have the ability to provide documents to the DOL proving who you are, how are you supposed to get access to your online identity again to get into a mail account and try to apply for work or housing?

Imagine someone steals your real world wallet and gets your online identity credentials, goes posting revenge porn and crypto spam and gets you booted off every platform. You get cancelled and lose your job because your online identity is tied explicitly to meat space and the court of public opinion operates on guilty even after proving innocence.

Meanwhile you're trying to recover your life--social, physical, and digital--, but can't get into any platforms online. None of your accounts work anymore. You can't access your backups, or get into your contacts because your device is no longer trusted because it's tied to a blocked Microsoft/Google/Apple account. You can't access your house because your IoT security is tied to your online accounts which have been disabled. You can't access your physical documents safe. You have to break into your house. You can't scan the QR code or NFC to verify identity after providing the alarm code. Police come, and arrest you because you can't prove who you are. You're crazed about your situation, babbling because of the insanity of it all and look like someone trying to steal a nice homeowner's documents.

I realize that's a pretty extreme Black Mirror level example a bit like Nosedive, but it's in the realm of possibility if we go down that route knowing that corporations are already trying to do device attestations. Maybe you'd have the prescience to have a physical security layer 0 for your IoT security, but many products people purchase won't because having to carry a key defeats the purpose of having the tech solution.

The scary enough reality is that if there is a single government provided signifier for an individual online, we will inevitably see sweeping tracking and censorship. They do as much as they can possibly do now. Why on Earth would anyone ever think they wouldn't do more?

No, thanks.

dcow
1 replies
1d8h

Entirely unfounded FUD!

Wallets wouldn’t just let some random thief access all your credentials. They have safeguards like biometric TEE unlock. If you’re being targeted by someone who can get past that, then they could do equal damage with your physical drivers license. Nobody is going to drive by swipe your phone, bypass biometrics, and access your wallet just to post revenge porn. Give me a break!

The way you fight companies trying to do device attestation/profiling is to provide a system that meets the current needs but controls structurally the philosophy around what you’re identifying (user, not device). And you legally limit behavior, not technically. I am sick of losing every nice thing we had because some privacy wanker says “oh that’s a persistent identifier better neuter it”. I want well regulated identifiers that I control judicially and around which there is a clear legal framework preventing abuse. I don’t want a world where I can’t manage my kid’s phone on my home network because some tin foil hat at Apple decided to change the device’s mac address every day “for privacy”.

xerox13ster
0 replies
1d

I don't think changing the device MAC idea is a good one either, I just don't want my online identity permanently tied to my meatspace identity because I might say things that a future government takes issue with, and if I am tied by government control to my online identity and rules change, my meatspace life gets fucked forever.

riffraff
0 replies
19h9m

> Those are not signifiers for my entire digital life

neither would a wallet, "only allow access with government issued ID" can be done (and _is_ enforced for some things) independently of central-bank-issued wallets or government IDs. They are just orthogonal things.

Most of the EU has had access to electronic IDs for years, but they are not used to log in to hacker news, and there is no reason to expect them to ever be.

CatWChainsaw
0 replies
1d21h

You call that an extreme example, but I say "watch that happen by 2030 at the rate we're going". It's rather frightening how so many people on Hacker News either are completely unaware that this is a thing that any party of power wants to be able to do, or think that society wouldn't let it happen, even as parties in power remove all means of leverage against them.

jml7c5
4 replies
1d22h

> Passkeys aren’t device-bound. I think they’ll work just fine.

Is there anywhere to follow progress on this? I don't think anyone actually implements import/export of passkeys yet.

rdl
3 replies
1d22h

Don't they work pretty portably within Apple iCloud keychain or Google equivalent (but only one)? I think some of the legacy password managers are supporting this as well, although my preferred self-hosted vaultwarden option doesn't yet (bitwarden has support, but I don't think it is in the self hosted version yet, let alone in vaultwarden)

There are ways to set passkeys as non-exportable from device I think but that is not the default.

pseudalopex
2 replies
1d20h

Bound to devices chosen by Apple or Google is device bound.

What does legacy mean to you? The usual meaning of outdated is inapplicable in this case.

rdl
0 replies
21h31m

Device bound is to a specific piece of hardware (whether it supports reinstallation at some level is debatable but I wouldn't use the term for it; Signal is essentially single-concurrent-device-limited even though it has migration capability, but since it can be exported, it's not truly device bound). Apple, Google keychain lock-in is vendor or maybe account lock-in, not device lock-in. "Non-exportable" keys from a secure enclave make it device bound, although a sufficiently functional reprovisioning process might make that only a technical distinction.

Passwords are "legacy" security technology at this point (in the sense of being outdated and bordering on obsolete, and yet still needing to be supported) -- password managers are tools to manage that legacy technology.

dcow
0 replies
1d8h

No it’s not. At least that’s not what anybody in the security community means when they say device bound. Device bound implies the key is cryptographically tied to a piece of unique physical hardware.

mooreds
1 replies
2d

> Passkeys aren’t device-bound. I think they’ll work just fine.

Depends on the implementation. Some passkeys are device bound. The free ones, typically. Unless you trust Apple and Google to preserve and protect private keys.

dcow
0 replies
1d2h

WebAuthn can be device bound. A Passkey is webauthn with nil authdata.

CatWChainsaw
0 replies
1d21h

Sorry, how are passkeys not device bound? Every single article I read explaining why they're "better than passwords" touts precisely this as a strength - your authentication takes place on device, so there's no server of passwords for anyone to hack. If you lose the devices your passkeys are paired to, you've locked yourself out of that account for good.

j45
29 replies
2d3h

It’s useful to have your own domain with your own email so it stays with you as long as you like, beyond work emails.

Being a tolerated guest who pays little to none in someone’s servers is another issue.

Most large email providers are more like digital identity providers, and being a citizen of one of these big digital countries is neither democratic nor set up for your long term preferences.

dotancohen
22 replies
2d3h

> It’s useful to have your own domain with your own email

Until you've forgotten to renew, or were too sick to renew, or the domain is hijacked. I've had my domain for over twenty years, and I've come way too close to losing it at least twice.

solotronics
8 replies
2d2h

Is there a way to actually "own" your domain instead of paying registration fees every year?

lolinder
5 replies
2d2h

You can pay ahead up to 10 years, which helps. Get in the habit of adding time every year, but you can miss up to 9 in a row before there are any problems.

_rm
4 replies
2d2h

This, if you can't keep a domain registration current despite the 10 year max length, domains aren't for you.

saagarjha
2 replies
2d1h

People who have been incarcerated?

xoa
1 replies
2d

Kind of an odd example in this context? Someone who is incarcerated for that length of time is liable to lose any property they fully own anyway given the kinds of monetary damages that tend to go with it. And physical property isn't trivial to have kept up for a decade away from it in jail either is it? The only way that happens is if they have it legally isolated from them and someone else who can/will be a caretaker, and in that case said person could easily renew a domain as well. If anything domains would relatively speaking seem pretty easy there, no matter what jurisdiction you're under there are domains to be had that are under a different hostile jurisdiction, there are registrars that will accept cryptocurrency payments, and costs are relatively very low. Auto-renew from a private bitcoin wallet for $10-20/yr on the face of it looks more sustainable and feasible to have work and survive court judgements following a serious felony. And during trial there is time to prep.

Nothing is perfect and the domain situation is really far from perfect, and it doesn't hurt to consider edge cases. But the Venn diagram intersection there of someone who cares enough to have custom domain that is critical, commits a serious felony, considers having the domain after release a key priority, isn't legally barred from it, and doesn't or can't take any steps towards it, seems kinda small. In that case maybe indeed "domains aren't for you" but that doesn't really take away from its use to the rest of us.

saagarjha
0 replies
1d21h

I think you would get a confluence of many of these when looking at computer crimes, because often a condition of the sentence is being unable to use a computer (and, to some extent, a lot of people who spend time on computers lack physical people in their life who can step in to help out in situations like these…)

jbverschoor
0 replies
2d2h

Tell that to all SSL cert holders lol

j45
0 replies
17h34m

The system is more like leasing/renting instead of owning.

The impermanence of which isn’t the greatest.

j45
0 replies
2d2h

I think there’s a few rods that are free to cheap. .cx comes to mind for some reason

anonuser123456
4 replies
2d1h

Most registrars let you prepay. I prepay mine by 5 years in advance, and have a reminder to refresh it yearly. It also is set up to auto-renew 3 months before expiration so if the charge fails… you have 3 months to fix it.

dotancohen
2 replies
1d23h

And I just finished almost three months of emergency military service and my credit card was just cancelled before due to my own mistake. Had I been two weeks into that three month window, I would have missed the renew date.

mixmastamyk
1 replies
1d23h

Even after the reg term expires there’s typically a grace period before the domain is unrecoverably recycled. Find a registrar with good policy, though some things are regulated by internet orgs.

dotancohen
0 replies
1d22h

Yes, thanks.

j45
0 replies
17h35m

This is a nice approach.

Having too many active domains can be a pain tho

input_sh
3 replies
2d3h

Or you decide to change the domain, but are too lazy to change the email address... everywhere, so you end up paying for 2-3 domains instead of one just for the email redirects to work.

dotancohen
1 replies
2d3h

Or you have financial troubles and no credit card just as you need to renew...

A more permanent way to buy - not rent - domain names would solve many of these issues. And changing ownership of domains should be just as difficult as changing ownership of real estate, the only people benefiting from the current ease of changing domain ownership are speculators.

j45
0 replies
2d2h

There is at least one domain tld selling “lifetime” domains.

I’m not sure why ICANN wouldn’t let anyone pay for 10-50 years for a domain.

j45
0 replies
17h37m

Domains can be decommissioned once no emails are coming across them, which can be reasonably tracked.

I had no idea or time to figure this out and luckily we weren’t the first to come across this :)

EVa5I7bHFq9mnYK
1 replies
2d1h

I had my own domain for many years until the email provider of the admin email for the domain (openmailbox.org) decided to shut down. Bye bye my domain.

j45
0 replies
17h35m

A good reason why no one should use an email address from their internet provider’s domain, can’t leave.

j45
0 replies
17h38m

This is a fair concern.

I think it could be something to start seeing instead like not paying a cell phone bill.

j45
0 replies
2d2h

Being able to move your domain between any email hosting provider remains valuable.

A domain that important is worth putting multiple recurring yearly calendar reminders up.

An email serving your identity is probably worth a bit more investing in.

It’s possible to leave a credit card on file to auto renew, renew for maximum years at a time, And lock down the domain enough to prevent hijacking.

fauigerzigerk
4 replies
2d2h

It would be so much easier for normal people if all service providers allowed you to add multiple email addresses or other aliases to the account.

You can easily lose access to any particular email address, even if it's on your own domain. Losing access to all your email addresses and phone numbers at the same time is far less likely.
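As an added illustration of the model fauigerzigerk is asking for (example code, not from the thread or any real provider): the account's stable key is an opaque UUID, and e-mail addresses and phone numbers are replaceable, individually verifiable contact identifiers attached to it. Unverified identifiers are never indexed for login (so nobody can reserve your address by claiming it without proof), and the last verified identifier cannot be removed, since that would leave the account with no recovery path. All names and the `.example` addresses are constructed for this example.

```python
"""Account directory keyed by an opaque id, with replaceable contact identifiers.
Illustrative example only; class and function names are my own, not any
vendor's API."""
from __future__ import annotations

import re
import uuid
from dataclasses import dataclass, field


@dataclass
class Identifier:
    kind: str        # "email" or "phone"
    value: str       # normalised form (see normalise)
    verified: bool = False


@dataclass
class Account:
    # The only thing relying parties should store about a user: never changes.
    id: str = field(default_factory=lambda: str(uuid.uuid4()))
    identifiers: list[Identifier] = field(default_factory=list)


class LockedOutError(Exception):
    """Raised when an operation would leave an account with no verified identifier."""


def normalise(kind: str, value: str) -> str:
    """Canonical form used for uniqueness and lookup.
    E-mail is lower-cased whole (most providers treat the local part
    case-insensitively; that is a policy choice, not an RFC guarantee).
    Phone numbers keep a leading '+' and digits only."""
    value = value.strip()
    if kind == "email":
        return value.lower()
    if kind == "phone":
        digits = re.sub(r"\D", "", value)
        return ("+" if value.startswith("+") else "") + digits
    raise ValueError(f"unknown identifier kind {kind!r}")


class Directory:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # Only *verified* identifiers live here: (kind, value) -> account id.
        self.index: dict[tuple[str, str], str] = {}

    def create(self, kind: str, value: str) -> Account:
        """Open an account with one already-verified identifier."""
        acct = Account()
        self.accounts[acct.id] = acct
        self.add_identifier(acct.id, kind, value)
        self.verify(acct.id, kind, value)
        return acct

    def add_identifier(self, account_id: str, kind: str, value: str) -> None:
        """Attach an identifier in the unverified state; it cannot log in yet."""
        self.accounts[account_id].identifiers.append(
            Identifier(kind, normalise(kind, value)))

    def verify(self, account_id: str, kind: str, value: str) -> None:
        """Mark an attached identifier as proven (e.g. link clicked) and index it.
        Refuses if another account already holds the verified identifier."""
        key = (kind, normalise(kind, value))
        owner = self.index.get(key)
        if owner is not None and owner != account_id:
            raise ValueError(f"{kind} {key[1]!r} is bound to another account")
        for ident in self.accounts[account_id].identifiers:
            if (ident.kind, ident.value) == key:
                ident.verified = True
                self.index[key] = account_id
                return
        raise KeyError(f"{kind} {key[1]!r} is not attached to this account")

    def remove_identifier(self, account_id: str, kind: str, value: str) -> None:
        """Drop an identifier (lost domain, old employer) without touching the id."""
        key = (kind, normalise(kind, value))
        acct = self.accounts[account_id]
        remaining = [i for i in acct.identifiers if (i.kind, i.value) != key]
        if not any(i.verified for i in remaining):
            raise LockedOutError("refusing to remove the last verified identifier")
        acct.identifiers = remaining
        self.index.pop(key, None)

    def resolve(self, kind: str, value: str) -> str | None:
        """Login lookup: which account does this verified identifier belong to?"""
        return self.index.get((kind, normalise(kind, value)))
```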

cassianoleal
3 replies
2d2h

> You can easily lose access to any particular email address, even if it's on your own domain.

In which scenario would this happen, except for loss of ownership of the domain itself?

fauigerzigerk
2 replies
2d1h

I'm not aware of any other scenario, but losing a domain is easier than you may think.

For instance, my main email address is on a domain that is now owned by my company (it wasn't originally). If I ever sell the company, I lose access to the domain as well. My wife's email address is on that domain too.

cassianoleal
1 replies
1d23h

Right. Yeah I know it's not hard to lose possession of a domain. I probably misinterpreted your comment when I thought you meant losing a specific email address but not the domain as a whole.

> my main email address is on a domain that is now owned by my company

I never mix work and private. My email addresses on my company's domain are for work-related things only. If I ever sell or close the company, it doesn't matter. I own a separate domain for personal email.

fauigerzigerk
0 replies
1d21h

>I never mix work and private.

That's definitely a good idea. My company sort of emerged from a personal activity and things got mixed up. If I could do it again I would handle it differently, but you know, life's twists and turns... :-)

rixthefox
0 replies
2d2h

Came to the same conclusion myself.

The only “safe” email host is the one you run yourself or pay for with actual dollars, not data.

The hard part is taking your second paragraph to action. Most people are not ready for that conversation because the major freemail providers have been in service for such a long time that most people really can’t grasp the concept that email is something you have to pay for.

I really blame a lot of that on Google from the very beginning. Gmail, and essentially all free mail providers, are what they are today because of the precedent Google set and the only way companies were going to be able to compete with that was to also make their email services free.

api
24 replies
2d3h

I usually dislike the idea of inviting government into this space, but if there's anything that governments have traditionally done decently well and should do (it's usually within their mission statement) its identity. Passports are really the primary identity layer of Earth.

Ideally in a perfect world we'd have governments run OIDC systems similar to the US login.gov and these would delegate from an international master OIDC system at the UN. Everyone would have their citizenship passport ID and their UN ID, and the latter could serve as a "break glass" master key to support immigration and also limit the ability of countries to "digital death penalty" people.

I can think of some dystopian outcomes here, but IMHO they are not worse than the dystopian outcomes that come from corporate monopolist control of digital identity. At least in democracies one has some nominal influence over one's government and the latter is bound by the rule of law, and if you don't live in a democracy you can (or should be able to) leave.

You're right that identity is hard, and I think most of why it's hard is human rather than technical. One could create a decentralized identity layer from a block chain fairly easily but people would lose their keys etc.

buro9
5 replies
2d3h

Governments do a bad job here, not a good one.

They restrict people to a single immutable identity, that may not conform to other governments, that may not accommodate different languages and character sets, that are not flexible of gender, that do not reflect relationship types that aren't typically monogamous... the list goes on.

They offer a poor base implementation that is only sufficient due to the legal identity seldom actually being needed online. Which is a good thing, because identity theft would be so much worse if that was everywhere.

In the UK we don't have as fixed an idea of an identity as people think, Cherie Blair is also Cherie Booth Q.C., Elton John is also Reginald Dwight, and for both people, both identities are real identities and sufficient to get bank accounts in the name of, it's only when it comes to a tax record and passport that you are reduced to a single identifier, but who is to say that the name on that is the preferred name of a person?

My bank account, bank card, accounts on most of my things, do not match my passport and birth certificate.

api
3 replies
2d3h

The alternative is corporate monopolist control, which is what is developing right now with OIDC where Google can "digital death penalty" you and lock you out of your life. The biggest realistic risk is this happening "accidentally" because some stupid bot at Google or Microsoft decides you are violating ToS, and since these companies have basically zero tech support it takes you weeks to unlock your account if at all.

I don't actually like governments owning the identity layer, but then again I am of the "necessary evil" school of thought regarding most of what governments do. It's marginally better than having corporate monopolies own it.

I'm a giant fan of decentralized identity, but there are two insanely hard problems with it:

(1) People lose keys, forget passwords, or get them stolen. They also lose or break security key hardware. I've heard stories of people paying people to actually excavate dumps to find lost Bitcoin keys for example.

(2) There's a chicken or egg problem of getting sites to support any decentralized login scheme without a monopolist like Google pushing it, and the latter have no reason to do so since they want to monopolize the identity layer.

Problem (1) is solvable to some extent by having companies that escrow keys for you. Escrowing with them would not be mandatory but they'd offer a "break glass" service for people who are willing to trade a bit of (potential) privacy for it. A good escrowing service would have a terms of service that forbids misuse of your identity.

Problem (2) is probably harder. Big tech will actively refuse to support any system that doesn't hand them a monopoly or at least an oligopoly.

BTW this is one area where cryptocurrency could have found an actual bona fide beneficial use case! But it's not as profitable as running scams and casinos so nobody did it.

swells34
2 replies
2d3h

This whole discussion seems to revolve around "Who will be the central authority, the permanent and unwaivering center of trust?". Really a good time to bring blockchain into the discussion, as this is actually something it's kind of designed to handle.

buro9
1 replies
2d2h

That's a tool, it still leaves open the question "Who will be the authority to determine what changes to allow to the blockchain?", the problem was not solved by introducing blockchain, you just changed the question slightly whilst adding a dependency that wasn't required originally.

api
0 replies
2d

Moreover proof of work can't work for non-currency use cases because it requires an incentive structure for the game theoretics to work.

bluefirebrand
0 replies
2d

> They restrict people to a single immutable identity

This is a good thing because this is what people have, one single immutable identity.

What you've identified are problems with assumptions about the relationship between various things and identity.

A key one is the relationship between name and identity. Two people can have the same name but aren't the same person. A person can change their name but they haven't become a new person.

I can do anything I want to myself honestly. I can color my hair, have a sex change, lose weight, gain weight, have height augmentation surgery, get piercings, grow a beard, change my name, whatever, but I'm still the same person. That is immutable. I still have the same mother and father, the same birthdate, lived in the same places, attended the same schools, studied the same things, etc.

My identity as far as the government is concerned is still tied to a single number. Yeah, they make it hard to change a lot of the other stuff related to that number (for good reason), but ultimately they are pretty good at knowing who I am based on that number.

vlovich123
4 replies
2d3h

I don’t know. I wouldn’t say that governments do identity better than anyone else and adding more dependency on it just increases the value of the government ID making it an even more lucrative target to steal/forge.

Fake IDs are a thing and the quality depends on how much you spend. Governments also have reasons to lie about identity themselves (think spies).

A true identity solution means being able to cross reference your identity across multiple entities (federal government, state and municipal, employers you’ve worked for, businesses you’ve interacted with, etc etc).

fragmede
3 replies
2d2h

I'm sure there's a criminal underworld where you can just buy a passport to get you into a country, but for the average person, passports are really hard to fake, which makes them good enough as identity for logging into your average dog photo sharing site.

maxcoder4
2 replies
2d2h

Why would I want to log in to a dog sharing website using my real identity? Maybe I'm an outlier but I really value the pseudonymity possible thanks to the internet. I can share as much or as little about me as I want, and the dumb things I probably wrote when I was 14 are not immortalized with my name next to them.

Cyberdog
1 replies
1d22h

A dog what web site?

CatWChainsaw
0 replies
1d20h

They said dogs, not cyberdogs, so you might be safe?

logifail
3 replies
2d3h

> Passports are really the primary identity layer of Earth.

Umm, I'm not sure they're that great as a primary identity either.

One edge case is that you can have more than one valid passport for the one nationality. Another is of course that one can have more than one nationality.

paganel
1 replies
2d2h

Also, passports become useless once your government actively turns against you, see the current fate of adult Ukrainian men still residing in Ukraine.

The same thing risks happening with this government-approved online identity, I mean, how will the EU bureaucrats “handle” people like me that are openly against the West’s take in Ukraine? Will we get our accounts banned from posting pro-Russia content online?

logifail
0 replies
2d1h

> The same thing risks happening with this government-approved online identity [..]

Don't forget the Covid QR codes.

api
0 replies
2d3h

I have a Google, Apple, Microsoft, and GitHub OIDC account among others. That's a feature not a bug.

TimedToasts
3 replies
2d3h

It'll be a cold day in Cupertino before I accept a UN ID.

I'll reconsider once the corporate death counts begin to match the governmental ones but until then I'll take my chances.

gossamer
2 replies
2d2h

The temperature in Cupertino is currently 50F. That probably doesn't meet your definition of cold though.

saagarjha
0 replies
2d1h

A bit chilly.

bigstrat2003
0 replies
2d1h

That is unironically shorts weather.

t_mann
1 replies
2d3h

We'll know soon, something pretty close to what you're asking for is about to be rolled out in the EU: https://commission.europa.eu/strategy-and-policy/priorities-...

paganel
0 replies
2d2h

Fortunately that will be another nail in the coffin for the EU, at this point they’re just throwing the proverbial excrements at the wall and seeing what will stick. That’s how you get parties like the AfD at more than 30% of the vote (the NSDAP themselves were just a little over 30% too in early 1933).

tim333
0 replies
2d2h

60% of Americans approx don't have passports. In India about 93%. It's not an ideal solution to logging in to your website.

Also in the UK various government types have tried to bring in national ID and the people rebel. People eh?

sureglymop
0 replies
2d3h

I think it's not a good idea. What if, due to unforeseen circumstances, you become homeless and passport-less?

klabb3
0 replies
2d1h

Everyone would have their citizenship passport ID and their UN ID, and the latter could serve as a "break glass" master key to support immigration

Immigration doesn’t work that way. You don’t lose or transition from one identity federation to another. You maintain both, typically for the rest of your life.

My personal wishlist is that decision makers and designers of identity systems must include people with real world experience of multiple nationalities, tax residencies, migration and so on.

Currently, these systems are already built on false premises and immigrants suffer a lot – not only because of malice but to a large extent because the bureaucrats didn’t think like security-minded engineers. The edge cases are extremely important when it comes to identity, because identity is required for a lot of basic needs. As the world is becoming more globalized, these issues are a lot more prevalent.

and I think most of why it's hard is human rather than technical

Yes but I don’t see why that’s so surprising. It’s the identity of humans that’s the problem.

FWIW I think email is fantastic as identity, compared to the abysmal state of the alternatives. It doesn’t change when you cross a border like phone numbers. It’s not perfect when it comes to self-sovereignty and account recovery.

emilfihlman
17 replies
2d3h

This is just not true.

There absolutely is a good identity, and it's one provided by countries.

BrandoElFollito
6 replies
2d3h

How do you imagine using that? Having an API for each country and each returning different data? With a 10% adoption?

If my country did not like your country I will not be able to connect to your stuff?

A never ending must of problems ahead.

superjan
2 replies
2d3h

Well the argument is not that it is readily available, but that most countries do have an administration of their inhabitants.

ForkMeOnTinder
1 replies
2d2h

So instead of "There is a good identity", GP should have said "There are about 200 good identities around the world, but if your country happens to not have a single unified ID system you're out of luck"

BrandoElFollito
0 replies
1d22h

There are 200 good identities in the world with an authentication system closed outside the official entities.

I have never seen any endpoint for the general population that can be used to authenticate a citizen

maxcoder4
2 replies
2d2h

Doesn't it kind of already exist for passports? I can travel with my passport to (basically) any country on earth, so there must be some international support for this.

zirgs
0 replies
1d21h

Good for you, but, for example, Israeli passports are not recognised by many countries as legitimate.

BrandoElFollito
0 replies
1d22h

The format of the data on a passport is unified (https://en.wikipedia.org/wiki/Machine-readable_passport) but the problem is to make sure that the one who presents this string of data is actually the one it belongs to.

kijin
1 replies
2d3h

People get new citizenships. They often lose their old citizenships, too, often deliberately for tax purposes.

zarzavat
0 replies
2d1h

The most common reason people lose their citizenship is that they take on a second citizenship and the first country doesn't allow dual citizenship. This means that citizenship limbo exists where you have legally lost your citizenship but can still benefit from it until the first country finds out. Some countries forbid dual citizenship but don't enforce it so people end up in this limbo for the rest of their lives.

There's also a large number of stateless people who don't have citizenship at all.

There's also people who are not technically stateless, but cannot return to their country or obtain any identity documents from it.

buro9
1 replies
2d3h

maybe you are in Scandinavia, but many countries do not even have a centralised register of births, deaths, marriages... and so they do not have a centralised and canonical record of identity of all people in the country.

dfox
0 replies
2d2h

For example the Czech Republic has a central register of all residents. The register is intentionally designed so that it does not provide any kind of identifier that is both long-term stable and globally meaningful (there is a number called RČ, broadly equivalent to NIN in other countries, but it is not supposed to be used since 2010).

Conceptually there is ZIFO (Basic ID of natural person), which should be globally unique, but this is known only to a subcomponent of the central registry that is run by a different government entity than the rest of the system. At the same time the design of that subcomponent contains provisions for allocating a new ID, mainly for handling the cases when that ID was allocated wrongly (both multiple IDs for one person and multiple persons sharing the same ID), so even that is not necessarily a stable ID.

Users of that data refer to persons using AIFO, which is specific and meaningful only for a particular database (called AIS), and if different databases need to identify a particular person as having the same identity they have to call the central translation subcomponent (the API surfaces are designed such that the calling system will not get the result of the translation, which is only sent to the destination system). Even though the AIFOs are meaningless, they are required not to be disclosed to anybody. Alternative IDs that can be used are broadly serial numbers of government issued identity/travel documents, but these are necessarily both revocable and have limited time validity (the aforementioned technically deprecated RČ is essentially a special case of this).

I believe that this design comes from some pan-EU initiative related to GDPR. For example, according to Wikipedia, Austria uses a broadly similar but less fine-grained system.

This has an interesting issue with regard to things like eIDAS, as there is no sane ID that could be included in the qualified personal certificate. One Czech QCA (PostSignum) does not include any kind of personal ID in its personal certificates; the second one (I.CA) can optionally include the serial number of the identity document that was used for identification. Apparently you can get a Swedish qualified certificate that includes the Czech RČ in its CN from Zealid. You are supposed to register your certificate into the resident registry yourself, which creates the link between the certificate and your identity. The slight issue with that is that there is no sane way for a third party outside the architecture of these registers to validate that link (you can send them a signed PDF with your data from the resident register, which is apparently what you are supposed to do, but "sane" would look different).

ben_w
1 replies
2d3h

The UK has no formal universal government provided ID system. The UK does allocate National Insurance numbers, but those are specifically not to be used as ID in part because they don't have a face associated with them. Driving licenses exist but are optional, and need regular replacement e.g. when moving address. Names are something you can change on a whim for a bet. Passports have to be updated if your appearance changes significantly, and in any case you don't keep the same one if you change nationality.

lolinder
0 replies
2d2h

And you can basically say all of the same things about the US.

wlonkly
0 replies
1d18h

Sometimes, the country you are in changes even though you are in the same geographical location. I've had my email address for over a decade longer than the current countries of Serbia, Montenegro, Kosovo and South Sudan have existed.

tecleandor
0 replies
2d3h

Well, that if your country keeps a lifelong unique ID for your person. And that's only till you migrate, I guess.

deruta
0 replies
2d3h

Then, however else you'd want it to be, states do come and go too, regions change hands...

azlev
0 replies
2d2h

Here in Brazil I have at least 4 different IDs :-).

MasterYoda900
15 replies
2d3h

What if every newborn received a chip implant under the skin (cryptographically unbreakable, unauthorized removal punishable by law), linked to a central government database with the chip’s unique identifier and a profile of the newborn’s DNA signature?

Joker_vD
9 replies
2d3h

There are reasons why SSN or its equivalents are unpopular as web identities. Can you enumerate those reasons?

tuwtuwtuwtuw
8 replies
2d3h

Where I live the SSN-equivalent is extremely popular as web identity.

Can you explain why it shouldn't be?

lcnPylGDnU4H9OF
6 replies
2d3h

Not sure about where you’re from but US institutions often treat the SSN as a secret which should allow account access. Which it’s not by design but nobody wanted to make a better system; it’s why banks have claimed that they are not defrauded by people and instead the fraudsters “steal identities”.

To answer the question more directly, it’s treating the identifier like a password that is problematic.

tuwtuwtuwtuw
4 replies
2d

Okay, but that is then about authorization and not about "identity". I agree that treating it as a secret is a bad idea.

The person said SSN and equivalents, so I guess it depends on what is meant by equivalents.

Where I live my personal number is used as identity, but to actually prove I am the owner of it another mechanism is used (private keys embedded in certs). The personal number is very public info by design and can't be used as a secret.

lcnPylGDnU4H9OF
3 replies
1d22h

If my web identity was my personal government tax identification number, I would be worried that one could use that to fraudulently and successfully claim to be me with a fair number of institutions because the authentication mechanism is lacking efficacy.

tuwtuwtuwtuw
2 replies
1d21h

Yes, I understand, but you mix up identity with proof of identity.

My non-web identity is my name. But me saying that my name is John Doe is not a proof that this is my name. In the same way, me saying that I have identification number 12345678 isn't proof that I actually have that number.

As I wrote, I have a government issued identification number. This number can be looked up by any citizen in the country since it's public info. You can even look it up online - it's not secret.

But someone knowing the number doesn't mean they can prove it is their number, because proof of identity is not in the number itself - for that we use public/private keys and other secure mechanisms.

I understand that this is not how it works in the US because some organization treats the SSN as secret. But that's not an issue with government issued identity number as a form of identity, it's an issue with the US system. Other countries do not have the same issue, since they didn't mix up identity with proof of identity.

Joker_vD
1 replies
1d21h

Many people don't want their online identities to be easily connected to their offline identity (or even with each other). Hell, you yourself didn't register on HN with your G.I. ID's serial number for some reason, did you?

tuwtuwtuwtuw
0 replies
1d20h

Sure, but this specific part of the discussion was about it being a bad choice because "it’s treating the identifier like a password that is problematic", which I objected to.

I do agree that in many cases I would not want to use it as my web identity. (Those cases would also overlap pretty well with cases where I don't want to use my own email address, like when signing up for sites like this, reddit, Twitter and similar).

maxcoder4
0 replies
2d1h

Of course this is extremely stupid (basically using the "username" as a secret, something everyone in IT and itsec knows not to do). If we started using SSN-equivalent identifiers as online IDs, the problem would solve itself because by then they're not a secret anymore.

In my country my national ID numbers are nowhere near as problematic as the SSN in the US (from what I understand).

spacebanana7
0 replies
2d3h

Most consumer & enterprise web services are international, and making an implementation for every jurisdiction is burdensome.

There are also some ugly edge cases - what happens if somebody is too young to get a SSN equivalent (e.g NI numbers in the UK), or somebody expatriates, or if some government allows people to request a change to their SSN-equivalent, or if a customer is a refugee without an SSN equivalent?

I do think SSN-equivalent identifiers may be useful for services which are inherently for tax paying adults like some accounting/banking services or marketplaces.

Dan42
1 replies
2d3h

I can't believe such satirical gold is getting downvoted.

goodpoint
0 replies
2d2h

This is HN. There are equal probabilities that the post is not satirical and that the downvoters are not getting the sarcasm.

tim333
0 replies
2d2h

Not convinced that's a vote winner.

See for example UK id cards scrapped in 1952 and again in 2010

...very unpopular with the public, and was regarded as an alien imposition on the British way of life. https://www.politics.co.uk/reference/identity-cards/

nine_k
0 replies
2d3h

Some of the chips would malfunction or get destroyed in incidents. You still need an update protocol!

extrememacaroni
0 replies
2d2h

keep hackernews away from the newborns

newsclues
13 replies
2d3h

"There is no good identity."

Government has failed to adapt with modern times and technology and has failed to provide modern and secure identification and authentication services for citizens.

I log in with my bank credentials to access my government tax account, talk about a total failure to do your job from the people still using SIN as an important piece of identity for some of the most important aspects of life.

This is a solvable problem. Governments can adapt and use modern technology to provide identity and authentication services, but they do not.

In my opinion this is a failure to be responsible for core government services, and I can only speculate why.

azlev
3 replies
2d3h

It would be either chaos or very limiting to expect that companies would interact with a lot of govs to get authentication. It's way cheaper to leave it as is.

LocalH
2 replies
2d3h

"Cheap" should never be the driving factor for these things.

jethro_tell
1 replies
2d2h

That is, in fact, the purpose of government, to do the things necessary for a functioning society for which a profit motive does not exist.

azlev
0 replies
2d2h

Maybe I'm mistaken but China's super apps solve this problem with profit motivation.

NooneAtAll3
3 replies
2d3h

the last thing I'd want would be connecting every online personality to my real identity

newsclues
2 replies
2d

Your aliases don’t need to be publicly disclosed.

But the reality is that virtually every online identity is tied to a real identity, just with layers of obscurity added.

This hacker news was created with anonymous accounts but it still links back to my real one.

NikkiA
0 replies
1d21h

Every day I get dozens of 'your account was hacked and we used your webcam to record videos of you jacking off' bitcoin 'blackmail' spam to various accounts that have been either hack-harvested or the company went bust and figured selling all their user data was a decent golden parachute.

Just imagine if those accounts all had had direct and firm ties to RL identity stored with them.

FireBeyond
0 replies
1d23h

They don't, but they will be. If for no other reason than the concrete knowledge that somehow your alias on a site is verifiably connectable to person X will lead to a raft of abuses of the legal system to silence or harass people saying things someone doesn't like. And average sites aren't going to have the resources or will to fight this.

gsich
2 replies
2d2h

It's not a problem though.

Levitz
1 replies
2d

It's definitely a problem. Identity theft is way more common in the US than in Europe.

If it wasn't a problem the SSN system wouldn't be used in unintended ways.

gsich
0 replies
1d1h

Maybe. Still no need for the government to provide such a service to 3rd parties.

pzmarzly
0 replies
2d2h

Governments can adapt and use modern technology to provide identity and authentication services, but they do not.

At least in many EU countries, they are adapting. I'm a fairly happy user of Irish myGovID (OIDC) and ROS (X509 "sign this message with your private key" challenge), and Polish Profil Zaufany (I think OIDC or CAS?).

The issues I see are:

- Each country has its own system, some documented, some not so much, some use OIDC, some SAML, some something more obscure.

- As an individual who moved countries, you end up with multiple accounts.

- As a developer you cannot easily register your own OIDC app. Send an email to some ministry and hope for the best. If you aren't part of government yourself, you may be out of luck.

goodpoint
0 replies
2d3h

Identity is not centralized and therefore identification and accounting cannot be centralized.

mark-r
10 replies
2d2h

I once had my email change because my ISP was bought out. Absolutely nothing I could do about it. The old email was forwarded for 12 months, then cut off completely.

otteromkram
9 replies
2d1h

Did you use that time to update relevant accounts?

Not sure what the gripe is here, especially with a one year notification period.

saagarjha
3 replies
2d1h

It means you lose accounts that use the email address as your identity and don’t let you change it.

fshr
2 replies
1d23h

Can you give a couple examples? I can't think of any accounts that don't allow an email change.

saagarjha
0 replies
1d21h

Say, for example, systems that directly expose your email address as the identifier that can be used to reach you. "Send money to saagar@saagarjha.com [using our service]" kind of sites.

justsomehnguy
0 replies
1d14h

Not everything is a phpBB forum.

Also:

Select Google Account email. If you can't open this setting, it might not be possible to change your email or username.

If your account's email address ends in @gmail.com, you usually can't change it.

https://support.google.com/accounts/answer/19870

lapsed_pacifist
2 replies
2d

There are accounts which do not allow you to change the email the account is registered to.

fshr
1 replies
1d23h

Can you give a couple examples? I can't think of any accounts that don't allow an email change.

darinpantley
0 replies
1d15h

I changed my email address in ~200 accounts and only had trouble updating a few: BuiltIn, CPUID, Flickr, Kakao, JCrew, Nord, and Steiger.

After I contacted Kakao support, they asked for some documents. Then they called me to verify the details. A day or two later, they updated my online profile with an editable email field, so I was finally able to update my email address.

When I contacted JCrew chat support, they performed the update immediately and emailed me a temporary password from noreply@demandware.net.

Flickr and Steiger were also happy to help. TBD on the others.

So I can't think of any accounts that don't allow an email change either. But you might have to jump through some hoops.

pseudalopex
0 replies
1d20h

1 of the article's points was accounts must be designed to be updated.

mark-r
0 replies
1d21h

I updated all the accounts I could remember, but to this day I don't know if there were any I forgot. I figure if I forgot one, it must not have been important.

P.S. not a gripe, just adding an anecdata.

poulpy123
5 replies
2d

The oldest email that I can connect to is more than 20 years old. I'm not using it anymore but it's older than any of my phone numbers or physical addresses. I don't think we can do better, except with official identifiers like ID card or social security number

kube-system
4 replies
1d22h

ID card or social security number

And even those change

lostlogin
3 replies
1d21h

And most of the world doesn’t have them.

turquoisevar
0 replies
1d20h

Or won’t allow them to be recorded by private entities for privacy reasons even when they do.

szszrk
0 replies
1d12h

Because most of the world has generic identity numbers for residents, not those related to social security: https://en.wikipedia.org/wiki/National_identification_number

FalconSensei
0 replies
1d

even if they did, yours would change when you moved to another country

oooyay
5 replies
2d1h

I liked Discord's old scheme where you had an email and a display name. Everyone had the numbers so they didn't matter. When they switched to unique account IDs I was kind of bummed, but I'm still curious why they switched.

sgjohnson
3 replies
1d23h

but I'm still curious why they switched.

Because it was trivial to impersonate someone. The old usernames supported full UTF-8, enabling a wide variety of attacks.

And by paying for nitro, you could choose the numbers too, so step 1. Find someone you want to impersonate, copy their username, and replace one character with a visually identical one, but a different one. Step 2 - pay for nitro, and choose the numbers too.

As usual, malicious actors are the reason why we can’t have nice things.
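The homoglyph problem described in the post above, seen from the defender's side, as an added example (not Discord's code or anything from the thread): a registration check that derives a uniqueness key by NFKC normalization plus casefolding, and rejects names that mix scripts or contain invisible characters. It assumes the set of already-taken canonical keys is available; the mixed-script test deliberately does not try to catch whole-script confusables, which is one reason an ASCII-only username policy is the simpler fix.

```python
import unicodedata

LETTER_CATEGORIES = ("Lu", "Ll", "Lt", "Lm", "Lo")
INVISIBLE_CATEGORIES = ("Cf", "Cc")   # format chars (zero-width joiners etc.) and controls


def canonical_key(name: str) -> str:
    """Uniqueness key: NFKC folds compatibility variants such as fullwidth letters,
    casefold folds case, so 'Ａpple' and 'apple' map to the same key."""
    return unicodedata.normalize("NFKC", name).casefold()


def script_of(ch: str):
    """Rough script tag taken from the character name ('LATIN SMALL LETTER A' -> 'LATIN').
    Non-letters (digits, punctuation) are script-neutral and return None."""
    if unicodedata.category(ch) not in LETTER_CATEGORIES:
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:          # unnamed code point
        return "UNKNOWN"


def scripts_used(name: str) -> set:
    """Set of scripts among the letters of the NFKC-normalized name."""
    return {s for s in map(script_of, unicodedata.normalize("NFKC", name)) if s is not None}


def check_username(name: str, taken_keys: set) -> str:
    """Return 'ok' or the reason a candidate username should be rejected.
    taken_keys holds canonical_key() values of names already registered."""
    if any(unicodedata.category(c) in INVISIBLE_CATEGORIES for c in name):
        return "invisible or control characters"
    if len(scripts_used(name)) > 1:
        # e.g. Cyrillic 'а' (U+0430) dropped into an otherwise Latin name.
        # A name written entirely in one confusable script still passes this test.
        return "mixed scripts"
    if canonical_key(name) in taken_keys:
        return "collides with an existing name after normalization"
    return "ok"


if __name__ == "__main__":
    taken = {canonical_key("apple")}          # constructed: one registered name
    for candidate in ["apple", "\u0430pple", "\uff41pple", "ap\u200bple", "Apple2"]:
        print(repr(candidate), "->", check_username(candidate, taken))
```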

jrockway
1 replies
1d22h

I don't think they solved the impersonation problem. You can still look exactly like someone else, and you can only figure out that person X isn't who you think they are upon investigation. Most people don't investigate anything except the display name and profile picture, so are still vulnerable to impersonation.

As far as I can tell, this hasn't been a big problem in practice. Calls can forge caller ID. Emails can forge the From field. It's irritating but isn't exactly halting society.

I am really not sure why Discord made the change. Wanted to prune inactive users? Wanted to sell Nitro Super Mega Premium to jump ahead in line to get your username of choice? Just bored?

sgjohnson
0 replies
1d22h

You can still look exactly like someone else

But you can’t have a username that looks exactly the same anymore.

I’m in some 140 discord servers. The amount of spam from people impersonating someone popular has reduced drastically since this change.

I wouldn’t call “one click” an investigation.

forgotpwd16
0 replies
1d20h

So the change that mattered is dropping utf-8. Otherwise if it was still supported all someone had to do is step 1.

Groxx
0 replies
2d1h

Yeah, same here. I thought it did a good job of resolving username conflicts without it really being an issue inside active social circles. Everyone can just always use their normal username, and it's only a minor friction when sharing your name outside Discord without a link or something.

renonce
4 replies
2d

What about domain names? Emails are bound to a domain name by definition, and indeed domain name IS designed as a good identity and can be used to host an email. See how domain names are owned by large corporations and trusted since day one and never lost, as long as you keep it carefully. It requires WHOIS information as the authoritative information of domain owner. An account based on username and password is what you usually need to access it, but if you are serious you can always choose a domain registrar that is serious about keeping your domain name. It’s not free but it costs nuts compared to the cost of losing it, and let’s not forget that there is a cost behind hosting emails even if it’s given for free.

talldatethrow
3 replies
2d

I set up a Twitter account long ago with an email from a domain I used. I let the domain expire later, and now can't do the password reset because it's pointing to a domain that I don't own, and can't buy anymore. Basically lost forever.

renonce
1 replies
2d

You can buy a domain 10 years at a time. If you forgot to renew it one year ahead, the domain probably wasn’t important enough for you.

talldatethrow
0 replies
2d

Correct it was not. I let it expire. I forgot the Twitter account was registered with it. Later when I needed to relogin and couldn't remember the password, I couldn't do a password reset.

earthling8118
0 replies
1d23h

This happened to my primary Google account once and only by sheer luck was the domain available and I was able to recover the account.

I'm the only one to blame because I changed my password at 2 in the morning when notified that someone in another country used it. I didn't put my info into a password manager or remember it because I wasn't truly awake at the time.

When recovering I had to go through a bunch of steps and did great up until the email one. Well, Google was firm about wanting access to that email. Odd, considering the domain wasn't registered at the time of requesting a password reset and so I would consider it a security violation to accept that.

Needless to say, I am much more stringent on making sure this stuff is set up correctly now.

prepend
3 replies
2d3h

I think email plus a robust protocol for resolving changes works as good as can get.

For important stuff like banks and pensions they also have phone and physical address, so there’s a way to reconcile things like email changes, as rare as they are.

toomuchtodo
2 replies
2d2h

US example. Financial services orgs have your social security number. Perhaps they should be able to forward a message to the US gov to forward it to the citizen stakeholder through a government messaging delivery platform. This ensures continuity of communication but does not allow orgs to lookup emails with loose data governance (and all that leads to).

Login.gov is very good from a federal gov idp perspective, and I’m hoping it slowly develops into supporting a national ID and ubiquitous identity proofing to squash identity fraud but also streamline gov digital service delivery.

tacocataco
0 replies
13h32m

I'm surprised the USPS doesn't offer email addresses. Seems pretty in line with what they do.

_kb
0 replies
2d2h

This is very similar to what's happening with the Australian Digital ID Bill [0].

[0]: https://www.digitalidentity.gov.au/digital-id-bill

laserbeam
3 replies
2d1h

My understanding of the article is:

1. Use a guid-like value as your internal identifier. All internal references in your databases to a user should use that.

2. Use a second user friendly identifier for the user to login (i.e. Email). Feel free to rebind this if the user needs to change it. Keep a 1-to-1 relationship between the two.

pc86
2 replies
2d

That was my understanding as well but it doesn't really address sufficiently what to do in the case of, for example, the user permanently losing access to #2. Sure if I am making the decision to migrate from gmail to some other provider, I can self-coordinate transitioning in your app. But if I lose access and can't regain it through my own forgetfulness, or worse I get hacked, the easiest option still seems to be creating a new unique account.

withinboredom
0 replies
9h10m

That's true of any identifier.

I remember losing cell service after a storm, but the internet still worked. I couldn't login to gmail (~10-12 years ago when this was the only 2fa) because my phone couldn't receive text messages with the 2fa code.

Even if you lose all the keys to your house, you'll need to get new locks. If the locksmith who is going to let you into your house does everything by the book, they'll need you to prove you actually live there. I had a friend thrown in jail for a day because his ID, keys, etc. were lost in a kayaking trip, and was arrested for attempting to break into his own house.

My point is, there really isn't a good answer here. The platform equivalent to hiding keys in the bushes is printing out one-time passwords. That works pretty well, but also has its own drawbacks.

cpeterso
0 replies
1d22h

You could allow the user to add secondary email addresses or phone numbers to their account for account recovery, but then any of this becomes the weak link for hacking their account.

Solvency
3 replies
2d3h

they want to be able to choose non-unique ones rather than end up with user53267 or something inane.

Disagreed. I'm 39. I've known hundreds of people (HS, college, etc) and many close friends who willingly made email accounts like "brijacks85" (their birth year) or "sammichelson212" even when their actual names were still fully available on yahoo/gmail/hotmail, etc. I used to regularly create email accounts for these people using just their names and then ask "why didn't you just check your own name first?" and they'd usually just shrug with total indifference and never use the account I made for them.

mixmastamyk
0 replies
1d22h

When you get the simplest variation of a name on a popular site you’ll receive mail from all the mistaken folks who weren’t careful enough.

Similarly, I get a small fraction of the mail of a Texas lawyer, because her email address string is a super set of mine, and some percentage of her clients don’t bother or notice the need to add the extra suffix.

buro9
0 replies
2d3h

Oh yes, some large number of people are incredibly habitual.

But some also large number of people are not.

ForkMeOnTinder
0 replies
2d3h

I'd never use an account someone else made for me either. Who knows if after you created it, you added some recovery questions or a recovery email or saved the login cookie or who knows what else? I'll stick with my fresh account made on my own PC through my own connection, thanks.

hibikir
2 replies
2d2h

My "favorite" of those email changes is the self-inflicted contractor postfix change. I've worked at places where a conversion to employee forces the creation of a completely new account, and lacking a simple, single permission system, the act of converting means spending a good 3 weeks trying to get access to systems one had access to the day before.

This is extra fun when the company in question does a lot of their business offering complicated accounts to customers, and has an external facing identity solution that deals with all of this easily: just not for their own workers, including those maintaining the external-facing identity system.

wlonkly
0 replies
1d18h

In a thread about email, "postfix" really threw me here! But I realize you don't mean the email server, but I'm not sure what you do mean.

BigTuna
0 replies
2d2h

just not for their own workers

The shoemaker's children always go barefoot

brewmarche
2 replies
2d3h

OIDC actually already handles this by requiring the `sub` claim to never be re-assigned and unique: https://openid.net/specs/openid-connect-core-1_0.html#IDToke...

Of course this means that an ID token should not contain an e-mail address under `sub`.

fauigerzigerk
1 replies
2d2h

So the identity provider could just generate this unchangeable ID and let the user link any number of aliases to it, right?

uxp8u61q
0 replies
2d1h

That is what TFA suggests, yes.
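The data model laserbeam summarises earlier in the thread (an internal GUID as the only key other records reference, a rebindable login identifier beside it), together with the point in this sub-thread that an OIDC `sub` is stable while the e-mail claim is not, as an added example that is neither the article's nor any project's code: a small in-memory user store keyed by a random UUID, with e-mail addresses and (issuer, sub) pairs as rebindable aliases. All addresses, issuer URLs and subjects are constructed.

```python
import uuid
from dataclasses import dataclass, field
from typing import Optional


def normalize_email(addr: str) -> str:
    """Canonical form used only for lookup, so 'Alice@X' and 'alice@x' are one alias."""
    return addr.strip().lower()


@dataclass
class User:
    user_id: str                                   # immutable, never reused
    emails: set = field(default_factory=set)       # rebindable login aliases
    oidc_subjects: set = field(default_factory=set)  # (iss, sub) pairs from providers


class UserStore:
    def __init__(self) -> None:
        self._users = {}       # user_id -> User
        self._by_email = {}    # normalized email -> user_id
        self._by_subject = {}  # (iss, sub) -> user_id

    def create(self, email: str) -> str:
        key = normalize_email(email)
        if key in self._by_email:
            raise ValueError("email already bound to an account")
        user_id = str(uuid.uuid4())            # the only value other tables point at
        self._users[user_id] = User(user_id, {key})
        self._by_email[key] = user_id
        return user_id

    def user_for_email(self, email: str) -> Optional[str]:
        return self._by_email.get(normalize_email(email))

    def rebind_email(self, user_id: str, old: str, new: str) -> None:
        """Swap one alias for another; nothing keyed by user_id needs to change."""
        old_k, new_k = normalize_email(old), normalize_email(new)
        user = self._users[user_id]
        if old_k not in user.emails:
            raise ValueError("old address is not bound to this account")
        if new_k in self._by_email:
            raise ValueError("new address already bound to an account")
        # Add before remove so the account is never left without a login alias.
        user.emails.add(new_k)
        self._by_email[new_k] = user_id
        user.emails.discard(old_k)
        del self._by_email[old_k]

    def link_oidc(self, user_id: str, iss: str, sub: str) -> None:
        """Store the provider's never-reassigned subject; the email claim is informational."""
        if (iss, sub) in self._by_subject:
            raise ValueError("subject already linked to an account")
        self._users[user_id].oidc_subjects.add((iss, sub))
        self._by_subject[(iss, sub)] = user_id

    def login_oidc(self, claims: dict) -> Optional[str]:
        """Resolve an ID token by (iss, sub) only, never by its email claim."""
        return self._by_subject.get((claims["iss"], claims["sub"]))


def demo() -> dict:
    """Walk through an address change and a later re-registration of the old address."""
    store = UserStore()
    alice = store.create("alice@old-isp.example")               # constructed address
    store.link_oidc(alice, "https://idp.example", "sub-1234")   # constructed issuer/subject
    store.rebind_email(alice, "alice@old-isp.example", "alice@new-mail.example")
    # The old address is free again (the ISP buy-out case); whoever registers it
    # gets a fresh user_id and none of alice's records.
    newcomer = store.create("alice@old-isp.example")
    # An ID token whose email claim still carries the old address resolves via sub.
    token = {"iss": "https://idp.example", "sub": "sub-1234",
             "email": "alice@old-isp.example"}
    return {
        "alice_keeps_id": store.user_for_email("Alice@New-Mail.example") == alice,
        "old_address_is_new_user": store.user_for_email("alice@old-isp.example") == newcomer,
        "newcomer_is_not_alice": newcomer != alice,
        "token_resolves_to_alice": store.login_oidc(token) == alice,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```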

flir
1 replies
2d1h

Multiple identities at the same time, too.

This is why I think email addresses are "good enough" - you can always spin up a new one for each identity you want to inhabit.

dcow
0 replies
2d1h

Some services explicitly want to disallow this so it’s actually an attack vector in that light.

esafak
1 replies
2d3h

People get married, people get divorced, people transition, people move culture and choose new names... names change, and so do email addresses.

Exactly the analogy I had in mind. Email primary keys are "serial monogamy". Or if you want a mathematical analogy, piecewise constant :)

Mordisquitos
0 replies
2d3h

Speak for yourself, I'm an email polygamist!

BazookaMusic
1 replies
2d1h

Long lasting usernames across websites is the worst for privacy though, unless the username is not public. In general, it's best if the unique identifier is only known to the user.

Example: https://instantusername.com

I've seen quite personal details being leaked because sometimes even smart people don't realise how easy it is to cross-reference given a unique username.

dcow
0 replies
1d2h

This isn’t a technology problem. We just need to put our foot down as a society and make tracking as illegal as sexual harassment/assault and aggressively and visibly punish and shun companies that abuse you. There isn’t a technology that magically makes you safe for creepy internet stalkers.

zirgs
0 replies
2d1h

People dislike usernames, they want to be able to choose non-unique ones rather than end up with user53267 or something inane.

Google doesn't reuse usernames so if they are still around - in a few decades pretty much all unique usernames will belong to dead people.

sizzle
0 replies
1d5h

FaceID and touchID for iOS works pretty seamlessly nowadays for authenticating stuff e.g. mobile payments/banking, etc. and are pretty robust from being spoofed/hacked (uses depth sensor?). Why can’t we create some privacy agnostic universal FaceID to do away with passwords and usernames?

pests
0 replies
1d18h

Spotify lets you add separate login methods. I have my email+pw set up as well as login with Apple and login with Facebook. They all log into the same account and all have the same permissions once logged in.

I think it's a good solution.

kentbull
0 replies
2d

Have you heard of key event receipt infrastructure (KERI)?

It solves the identity problem with decentralized identifiers though the secret sauce is the fractionally weighted multisig for enabling multi-device signing and account recovery with key rotation.

See the specification for more details: https://www.ietf.org/id/draft-ssmith-keri-00.html

Or the whitepaper: https://github.com/SmithSamuelM/Papers/blob/master/whitepape...

ianburrell
0 replies
2d1h

Also, it is good to keep the concepts of account ID, public username, and login username separate. By using a random account ID, you can change the other values. Most accounts want an email but don't have to make it the user name. Or people have multiple accounts and it makes sense to have the email reused.

For login, it can help to have multiple methods. Then people can change from OIDC to password, or between providers.

Rapzid
0 replies
1d17h

Pretty much everything is moving to UUID of sorts including Google auth.

It's tricky because you often need to let people reference username/emails for mentions and etc, so you just have to index all of em and translate to UUIDs for references behind the scenes.

It gets extra tricky with APIs. Consider AirPlane.dev which lets you specify approvers via email. Now a user changes their name and their email. Well, that "IaC" suddenly references an invalid email or worse a different user because jane.doe joined after jane.doe-brown got their new email.

user234683
21 replies
2d3h

What is the best approach to dealing with this problem as an individual?

Gmail? You might randomly get locked by some AI algorithm (or you might get banned!), or something else goes wrong, and there's no recourse.

Yahoo? I recently lost access to mine because they decided to start demanding verification with a deactivated email I haven't had access to for 15 years in order to login. Luckily, I had access in an email client, so I was able to migrate all the important accounts off of it.

Yahoo/AOL/Tutanota/Protonmail/Many others? These ones will auto-delete your account if you don't login frequently enough (not protonmail yet, but they allow it in their TOS)

Self-host? All self-hosting infrastructure requires an email in the first place. Lose access to that email, lose access to payment reminders, potentially your hosting account. I nearly lost my domain since the payment reminders went to an email that I rarely check because it doesn't support IMAP. And there is a greater increase of hacking unless you're a professional sysadmin and have plenty of time for maintenance.

Duo push? Your phone breaks.

SMS verification? Phone breaks, lose access to your plan, compromised employee gives your codes away, etc.

I've settled on using my university gmail address since (1) they promise alumni can keep it and (2) if something goes wrong with it (likely losing 2-factor by losing my phone), there is a good alumni support center. There really needs to be a human I can talk to somewhere. Still not sure if this is the best approach; am I still at risk from Google here?

Horffupolde
16 replies
2d3h

You are missing the best solution which is your own domain and hosted email like Gmail. If you get locked out like you said, “just” change providers and you lose at most a couple of hours of emails.

arp242
10 replies
2d3h

You can lose a domain though, so that's not perfect or guaranteed either. That said, it probably is the best option right now.

layer8
8 replies
2d1h

With domains on auto-renewal, unless you are with an incompetent registrar or there is some legal issue, you won’t lose your domain.

I agree that there should be some non-forfeitable right to a permanent personal domain though.

arp242
4 replies
2d1h

Credit cards expire so manual action will be needed at some point, contact details change, people can be in financial troubles and even the ~€10 can be a lot, people can be temporarily indisposed due to illness (ranging from cancer to serious accidents to mental illness), etc. etc.

There's tons of exceptional circumstances where people can lose access to their domain. Some TLDs have no grace period at all and it can be fairly easy to lose access. For others it's larger, but even there, it's not that hard to see how people can lose access for one reason or the other.

layer8
2 replies
1d22h

There are registrars that let you pay ten years in advance. And of course, you should choose a reputable TLD. Seriously, this is not a problem in practice if you apply a minimum of diligence.

arp242
1 replies
1d22h

Some reputable ccTLDs don't have grace periods, and there may be good reasons for choosing such a TLD. Ten years is not the rest of your life (I hope, anyway) and you certainly won't be able to use the auto-renewal from your previous comment after 10 years. Sucks to be you if you happen to be in a hospital at that time I guess.

Are the chances small? Sure. But some are also outside your control and apply "small chance of [..]" to a large enough population and before you know it you're excluding millions of people.

precommunicator
0 replies
1d13h

To increase your chances with that issue, you pay for 10 years once, and then every year extend it by 1 year, giving you 9 years grace period in the worst case scenario (I don't know how but my providers allowed me to even stretch it to 11/10 years). If you're in a coma for 9 years that puts you on the Wikipedia list of longest comas, so not really an issue. And if falsely imprisoned for that long, I think you can arrange something within that period to extend it.

Horffupolde
0 replies
2d

You can open a trust to manage your domain and email service in perpetuity.

direwolf20
1 replies
2d1h

You are underestimating the potential for legal issues.

layer8
0 replies
1d22h

I don’t think I am. The statistical probability is very low.

bgro
0 replies
1d5h

No developer working on account authentication for sites has ever used the correct regex to parse and validate a legitimate email. I wouldn’t be surprised to see things like if you’re at anything other than @Gmail.com the email gets flagged as invalid. Maybe there’s a manual approval step here but better just flag your session as suspicious activity or failed bot check for the time being.

Or in the spaghetti parsing, obviously nobody is going to have swear words in their email. Go ahead and blanket ban all of that. And then @JohnsonAssociates.com gets banned.

I’ve also seen email parsing rules get applied to login screens too. So the valid email rules get updated and suddenly you fail validation trying to log into your already existing account. Ran into this today actually.

So having your own domain might solve some problems but you may still end up needing multiple accounts with devs refusing to use correct parsing rules.

diggan
0 replies
2d2h

Unless you're actively committing something that can be considered a crime in the jurisdiction of your registrar, you're unlikely to just lose it though. Unless you're hosting stuff at CloudFlare and they decide you're a "bad person", then anything goes.

user234683
3 replies
2d2h

Here's an additional problem with using your own domain: some websites (Discord for example) require you to contact support using the email tied to your account. Many corporate systems will reject emails from "untrusted" domains, so you won't be able to contact them.

Spivak
1 replies
2d2h

Many corporate systems will reject emails from "untrusted" domains

And by untrusted you mean everyone's work email that uses a bespoke domain?

pseudalopex
0 replies
1d20h

Probably they meant everyone not sending through a company too big to ignore. See any discussion of self hosting email.

phendrenad2
0 replies
1d1h

Many corporate systems will reject emails from "untrusted" domains

Source? In my experience as long as you follow basic email authentication protocols (DMARC...) you'll get through anything just fine.

layer8
0 replies
2d1h

This is the simple and best solution. As a side benefit, you can use an unlimited number of email addresses.

bobbylarrybobby
3 replies
2d2h

What about iCloud? I guess in theory they can ban your account, but at least with apple I feel like you generally have some recourse and can talk to a human.

layer8
1 replies
2d1h

There are two issues I ran into after setting up iCloud mail for someone else:

1. Apple’s spam filtering can be very proactive, and the only way to (allegedly) influence it is to move false positives back to the inbox. There are no settings to whitelist addresses (having them in Contacts doesn’t work reliably) or to turn off spam filtering altogether. As often with Apple, you have to accept their design choices of how they think stuff should work, and can’t do much about it.

2. If you’re transferring or forwarding emails from another account, Apple has a 20 MB email size limit while it’s 25 MB for GMail, which means there may be emails that can’t be transferred.

In any case, I would recommend having your own domain and choosing email providers that support custom domains. That way, you can switch email providers at will while retaining your existing email address(es).

Aerbil313
0 replies
18h13m

Afaik iCloud supports adding custom domains for your mail account, and I am currently looking at something called iCloud Mail Rules in the Settings with which you can apparently define custom handling rules for each sender.

CharlesW
0 replies
2d1h

Yes, this is what I do for precisely that reason.

Apple is a long-time, reliable email provider, and the transition from Google Workspace to iCloud+ custom domains was straightforward with `imapsync`: https://blah.cloud/miscellaneous/migrating-google-workspaces...

paulryanrogers
14 replies
2d4h

This is my experience as well. A random UUID is best IMO. Even a hash of the user's initial email isn't ideal since salting may not be enough, and others may assume they can safely hash any incoming email.

crabmusket
10 replies
2d4h

Is there ever a reasonable case for a "natural ID" like we were taught in database school? In my working experience, I always use either an autoincrementing integer or a random string / uuid as the primary key.

ryanbrunner
2 replies
2d3h

Sure, so long as that ID actually identifies the thing in question. Email addresses ARE a great natural ID for an e-mail mailbox. If you want to store a history of what e-mails a particular address has received, they're great. They are not a good identifier for a user since they don't describe the same thing, just two things that happen to coincide right now.

groestl
0 replies
2d3h

Email addresses ARE a great natural ID for an e-mail mailbox.

Not even then (at least not great). Companies change domains, primaries become aliases etc..

direwolf20
0 replies
2d1h

An email address is a great natural ID for an email address, but an address isn't a mailbox. Different addresses can go to the same mailbox, and the same address can go to different mailboxes based on filtering.

lysecret
1 replies
2d3h

Yes two core benefits:

1. Built-in Deduplication. If your ID describes the "thing that it is" handling deduplication is much easier. Of course you can try to enforce it by enforcing uniqueness on other columns (but that's not always possible / can get tricky).

2. Save a DB trip on updates/some creations / make indexing more explicit. E.g. say you are user with email address and you want to update some info. Either you run an update using the email directly (in which case you are treating it as a PK essentially even if you don't call it that) or you first retrieve the relevant PK by whatever logic (say indexing by email and name or whatever) at which point you do have an implicit natural key.

In my experience every time I have seen a "corporate" DB with non natural key you get a LOT of duplication and all sorts of services to try to resolve entities running in a batch way (the horror..).

And 2 leads to a lot of bugs because of the implicit nature where you accidentally update the wrong or multiple rows because you didn't know what the implicit uniqueness "key" entailed.

groestl
0 replies
1d21h

1) might degrade into overzealous real-life deduplication. I know a guy who meets with his peers (having the same name and birth date) to exchange letters once a year.

2) Usually, the update does not happen in the blue. It's often done after a load operation, for optimistic locking. In that case, the PK is available for free.

hobs
1 replies
2d3h

The only natural key a human being will normally be able to follow is their DNA, and I still think chimera-ism or tissue donation or other genetic anomalies might make even that inconsistent.

Most natural keys that identify dimensions of your data are slowly changing anyway - an address isn't a permanent fixture of a building, an area code splits, nations go to war, daylight savings changes on a whim, laws change, rules change, our understanding of the universe changes.

tlarkworthy
0 replies
2d3h

Identical twins would be the common failure mode

twodave
0 replies
2d4h

A few examples come to mind: geographic regions that already have codes or abbreviations associated with them (e.g. a FIPS code or state abbreviation in the US), simple enums (though I really only bother putting these in a table if they’re used in multiple places). Have to be careful using a string as the clustered index of a large table, though. Smaller tables with shorter string keys that experience very few writes are most ideal for these cases.

paulryanrogers
0 replies
2d4h

Maybe standardized time zone IDs

adra
0 replies
2d3h

One notable problem with user ids is that they tend to leak to users in some way. Because of this, it's really easy for competitive intelligence companies to bot create accounts just to get a feeling of new user growth if you're naively using auto increments. This may be fine for mom and pop sites, or sites where somehow the UID never leaves the middleware, but the reality is that using sequential IDs or hashes of them without salt aren't great for this reason.

Aloha
1 replies
2d4h

I prefer a sequential UID to a UUID - but the point still stands.

white_dragon88
0 replies
5h45m

That just opens you up to enumeration attacks. On what is typically the most sensitive entity in the system.

Inb4 someone says ‘security through obscurity is not real security’… yes I know, but it’s a small price to pay to cover your ass if you missed something, you are only human.

kijin
0 replies
2d3h

Yep, the only way to ensure that your identifiers are "permanent" is to choose them such that people have zero reason to change them. They should bear no relationship to any real-world feature that people care about, such as phone numbers, email addresses, national IDs, names, fingerprints, etc.

Random strings fit the bill perfectly. Sequential integers also work fine, except they are easy to guess, so you might need additional security measures.

carafizi
13 replies
2d4h

There is a client-side solution, even if not the most elegant.

I'm paying for a domain; this way I have 100% control of my e-mail alias. Even if my current provider (Google) goes south, I'm still able to host the mail on my own server to retrieve accounts and maintain ownership of the alias.

rasengan
12 replies
2d4h

What if the domain expires?

enioarda
3 replies
2d3h

Letting a domain expire is usually under your own control

rasengan
2 replies
2d3h

What if you passed away and someone wants to access your old data by getting your old email domain Oo

xoa
0 replies
1d23h

What if you passed away and someone wants to access your old data by getting your old email domain Oo

What exactly do you think happens to anything of yours after you die if you don't prep for it? With many organizations or property your heirs can use a death certificate or court order to get stuff, in other cases they may just be out of luck. You may even wish it to be so, do you actually want them to have access to your old data? All of it or only some? If you actually care then like anything you need to prep for that while you're still alive in any one of the numerous ways available. If you don't then tough shit, that's why there is constant reminders about setting up wills/trusts and keeping relatives/friends/colleagues in the loop as needed and so on and so forth.

layer8
0 replies
2d1h

Like with everything else, one should make sure one’s heirs have all the relevant information.

Biganon
3 replies
2d3h

You can usually automate the renewal or buy for a long period.

But mistakes can never be completely avoided.

What if you accidentally transfer this domain to someone instead of another domain you sold them? What if you accidentally lose access to the registrar's website? What if.....

ryanbrunner
2 replies
2d3h

I actually had this happen to me. My credit card was compromised, the domain (which was registered 10 years ago) was tied to an old e-mail I never use, so I never got payment failure alerts, and didn't notice it was expired until a few days after I stopped receiving e-mails and the domain had been bought by someone else.

It's a huge pain to deal with, since it's 100% unrecoverable since there's no one to really appeal to and you're just forced to update your e-mail everywhere.

ziml77
0 replies
2d3h

I had a similar issue where I didn't get the renewal failure emails. Fortunately no one else grabbed the domain, but there was a window of a week where someone could have! I still use my own domain for my email, but I can't help but feel like maybe it's not the best idea.

arp242
0 replies
2d2h

Many (though not all) TLDs employ a "grace period", where the domain stops working but you have some time (usually 30 days) to renew it before it's really de-registered. This is to prevent exactly these types of scenarios.

Joker_vD
2 replies
2d3h

What if I want to change the domain? My org changed its domains twice in the five years I've been there, and porting e.g. imports in all of the internal Golang projects was not a funny experience.

layer8
1 replies
2d1h

Don’t do that. Choose a domain name with no time-limited semantics attached to it.

direwolf20
0 replies
2d

There's no such thing.

layer8
0 replies
2d1h

Domains are generally set up to auto-renew (and you as the owner have control over that). Expiry is not an issue.

Mattasher
11 replies
2d3h

Agreed that emails aren't a good permanent identifier. Though using phone numbers as any part of identification is even worse. I've had the same email for almost two decades (through my own domain name), but I've gone through nearly a dozen phone numbers in the same time period, and regularly find that a website has opted me in to 2fa with an old number, or I've forgotten they had an old phone number to begin with.

I am currently paying a ~$150 per month "tax" to AT&T to keep my US number while living abroad just so I can get login codes for websites that still have that number, and out of fear that if I dump it I'll lose access to some occasionally vital service that I've forgotten to update, or I can't because you need to have a US number.

mixmastamyk
2 replies
1d22h

A month and not a year?

Switch to a FLOSS OTP solution and/or Fido2 key. If your service providers don't accept them, replace them with one who does.

Spivak
1 replies
22h23m

The number of places that only offer SMS/email 2FA is such that this is infeasible.

mixmastamyk
0 replies
19h48m

I don’t use my phone for any 2FA, with exception of a t-mobile account, which seems understandable.

ThePowerOfFuet
1 replies
2d2h

I am currently paying a ~$150 per month "tax" to AT&T to keep my US number while living abroad just so I can get login codes for websites that still have that number

Port it to a VoIP company like DIDww, spend $2.50/month, and received SMS can end up in your inbox if you wish.

If you ever want the number on a mobile account again, port it back out to your choice of carrier.

Mattasher
0 replies
1d21h

Will that work seamlessly overseas and with my iPhone? I've had issues in the past getting verification calls and SMSes with "virtual" carriers.

BrainBacon
1 replies
2d2h

You don't need to pay that much to keep a US number for use abroad. Convert any 2fa you can to use an app like Google Authenticator, then convert your number to Google voice. You can get text messages for free using your old number that way. If you don't want Google involved at all, there are many other time-based authentication apps and you can use www.tossabledigits.com for texts.

mililani
0 replies
1d15h

The problem with your idea is there are lots of services that blacklist VoIP #'s like Google Voice from being used for 2FA. They also don't have modern 2FA options like TOTP.

BobaFloutist
1 replies
2d

If I choose to change phone carrier, I can take my phone number with me. The same cannot be said for my email address.

Spivak
0 replies
22h25m

Which is why you buy a domain for $10/yr and use the "custom domains" feature of your email host.

Like it sucks that getting a permanent identifier is an annoying technical process but DNS is the closest thing to a universal global identifier you can own in a meaningful sense.

pomian
0 replies
2d1h

Agree with poweroffuet, to try to convert to VoIP. I was lucky on one house move, where my personal office phone number was not acceptable to the new area, but I was able to transfer to a VoIP account. At the time internet was slow so after a while, I quit using the Ethernet phone adapter, and just used that number for receiving calls. Voice and fax calls are all sent to me by emails. It's been over 20 years now. Works great. (Since I don't have a device to connect, my yearly fee is fairly low.) I assume that at some point I could always hook up a telephone, and take advantage of the modern internet. Although, I really like this system, and it isn't connected to any particular location.

astura
0 replies
1d23h

I am currently paying a ~$150 per month "tax" to AT&T to keep my US number while living abroad

I don't know why you're paying so much - you can just port the number to a VoIP provider and pay a few bucks a month.

Even for a normal phone service that's exorbitant - I pay less than $100/month for two lines.

User23
8 replies
2d4h

For a long time Amazon’s unique ID for accounts was email + password. So people that forgot their password would end up with two separate accounts using the same login name and which one they got depended on the password.

dastbe
7 replies
2d4h

this was done to support a historically common pattern: people sharing email addresses who still wanted distinct accounts.

ceejayoz
6 replies
2d4h

What about the historically common pattern of forgetting the password?

lostmsu
2 replies
2d4h

I've seen companies ask you to enter any password that you remember.

ceejayoz
1 replies
2d3h

That’s horrifically insecure. Anyone in a haveibeenpwned dataset would be a sitting duck, and that’s… most of us.

lostmsu
0 replies
2d

Oh no, it is only for resetting password. Like in addition to asking for email.

explaininjs
2 replies
2d3h

You don’t really lose anything by losing your Amazon account. It’s not like precious data is stored there. It might make returns more difficult, but in some sense that’s a feature from their perspective, and in any case it’s just another entry in their master support call center flow chart

ceejayoz
1 replies
2d2h

I would lose all my purchased Kindle books.

Until this year, quite a few people would've also lost their AWS access that way.

explaininjs
0 replies
1d21h

Sure, but I believe this predates Kindle. Either way, that’s a matter for the call center flow chart to handle. Not everything needs to be in software.

remram
6 replies
2d2h

Note that using user-selected nicknames is not great either. I am learning this the hard way. Example problems:

* Person used their real name, got married, changed last name

* Person used their real name, transitioned, changed their first name

* Person used characters that you no longer want to accept in nicknames

* Person used a nickname that you now want to reserve (e.g. "admin", "contact", "help", ...)

* Person used a very silly name and grew up or started using your service at their job

uxp8u61q
4 replies
2d1h

* Person used characters that you no longer want to accept in nicknames

Why would you refuse certain characters? My last name contains a dash and one letter with a diacritic. I am beyond tired of playing whack-a-mole trying to guess what rule I violated with my "invalid name."

And fuck companies who have the gall to call my name "invalid" to my face, too. Have some thought before you write an error message. "Contains an invalid character" wouldn't be insulting, for example.

remram
3 replies
1d23h

I am talking about usernames, not names. My first name also contains an accent, maybe direct your rage somewhere else?

If nicknames appear in URLs for example, or are a way to direct messages at someone (e.g. github.com/<nick>, @<nick>), using non-ASCII characters is a bad idea.

uxp8u61q
2 replies
1d18h

Handling non-ASCII characters in URLs has been a solved problem for years now.

remram
1 replies
1d4h

... by replacing them with ASCII characters, yes.

uxp8u61q
0 replies
1d4h

That is correct, yes. Do you have a point?

nullwarp
0 replies
2d1h

The last point is the case with my Steam account. I'll never be able to shed it given how much money is essentially associated with it. Granted, I think only I will ever see the name but boy do I wish I could change it.

prepend
5 replies
2d3h

I think this is a backend issue in that for the user, their id is email, but within the systems’s data the primary key shouldn’t be email.

Is anyone still doing this? It’s like the most basic db design issue to not use things like email as the identifier and instead have a lookup table that maps things to a truly unique id (uuid or maybe auto increment from a sequence).

The article doesn’t really make this distinction so it almost reads like how users should be aware of this abstraction.
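The separation ianburrell, Rapzid and prepend describe (an opaque account id, with OIDC `sub` and email addresses kept in lookup tables that can change) as a worked example. This is added code, not from the article or any commenter; the in-memory SQLite schema, the issuer URL and the `sub` values are constructed for illustration.

```python
import sqlite3
import uuid

# Constructed schema: the account row carries only an opaque id. Every external
# identifier (OIDC issuer+sub, email address) lives in its own table and points
# at the account, so it can be added, changed or removed without touching any
# foreign key that references the account.
SCHEMA = """
CREATE TABLE account (
    id         TEXT PRIMARY KEY,   -- random UUID, never used as a login name
    created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE TABLE federated_login (
    issuer     TEXT NOT NULL,      -- OIDC issuer URL
    sub        TEXT NOT NULL,      -- OIDC sub claim: unique per issuer, never reassigned
    account_id TEXT NOT NULL REFERENCES account(id),
    PRIMARY KEY (issuer, sub)
);
CREATE TABLE email_address (
    email      TEXT COLLATE NOCASE PRIMARY KEY,  -- one live owner at a time
    account_id TEXT NOT NULL REFERENCES account(id),
    verified   INTEGER NOT NULL DEFAULT 0
);
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def create_account(conn, email):
    account_id = str(uuid.uuid4())
    conn.execute("INSERT INTO account(id) VALUES (?)", (account_id,))
    conn.execute("INSERT INTO email_address(email, account_id, verified) VALUES (?, ?, 1)",
                 (email, account_id))
    return account_id


def link_oidc(conn, account_id, issuer, sub):
    conn.execute("INSERT INTO federated_login(issuer, sub, account_id) VALUES (?, ?, ?)",
                 (issuer, sub, account_id))


def resolve_oidc(conn, issuer, sub):
    """Map an ID token to an account by (iss, sub) only; the token's email
    claim is deliberately not consulted, since it may change or be reused."""
    row = conn.execute("SELECT account_id FROM federated_login WHERE issuer = ? AND sub = ?",
                       (issuer, sub)).fetchone()
    return row[0] if row else None


def resolve_email(conn, email):
    row = conn.execute("SELECT account_id FROM email_address WHERE email = ? AND verified = 1",
                       (email,)).fetchone()
    return row[0] if row else None


def add_email(conn, account_id, email, verified=True):
    # Raises sqlite3.IntegrityError if the address currently belongs to another account.
    conn.execute("INSERT INTO email_address(email, account_id, verified) VALUES (?, ?, ?)",
                 (email, account_id, int(verified)))


def remove_email(conn, account_id, email):
    # Refuse to drop the last verified address: without one there is no recovery path.
    n = conn.execute("SELECT COUNT(*) FROM email_address WHERE account_id = ? AND verified = 1",
                     (account_id,)).fetchone()[0]
    if n <= 1:
        raise ValueError("account must keep at least one verified email address")
    conn.execute("DELETE FROM email_address WHERE account_id = ? AND email = ?", (account_id, email))


def emails_for(conn, account_id):
    return [r[0] for r in conn.execute(
        "SELECT email FROM email_address WHERE account_id = ? ORDER BY email", (account_id,))]


def demo():
    """The name-change scenario from the thread; returns the values worth checking."""
    conn = connect()
    issuer = "https://idp.example"            # constructed issuer
    jane = create_account(conn, "jane.doe@example.com")
    link_oidc(conn, jane, issuer, "sub-1001")  # constructed sub value

    # Jane adds her new address and drops the old one. The account id and the
    # OIDC link are untouched throughout.
    add_email(conn, jane, "jane.doe-brown@example.com")
    remove_email(conn, jane, "jane.doe@example.com")

    # A newcomer later registers with the released address. Nothing collides,
    # and Jane's federated login still resolves to Jane, not to the newcomer.
    newcomer = create_account(conn, "jane.doe@example.com")
    link_oidc(conn, newcomer, issuer, "sub-2002")

    return {
        "jane": jane,
        "newcomer": newcomer,
        "jane_via_oidc": resolve_oidc(conn, issuer, "sub-1001"),
        "old_email_owner": resolve_email(conn, "jane.doe@example.com"),
        "jane_emails": emails_for(conn, jane),
        "unknown_sub": resolve_oidc(conn, issuer, "sub-9999"),
    }


if __name__ == "__main__":
    print(demo())
```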

liquidpele
4 replies
2d3h

Yea… this is like a high school level DB class test problem, but you’d be surprised how many adult developers don’t stop to think about DB stuff…

sedivy94
3 replies
2d2h

That’s surprising to hear. I have zero DB experience, not am I a developer, and my default assumption is that some UUID maps to object / entry containing email address (and all other attributes).

kayodelycaon
1 replies
2d

Natural primary keys (email, ssns, etc) was the standard for a long time. It was some kind of platonic ideal. Artificial keys were wasted space of random data that didn’t belong in a database.

When I was in college, academics were just starting to grudgingly accept artificial primary keys (like UUID or auto-incrementing integers) as a concession to reality.

To a modern developer natural primary keys sound insane. Artificial keys are faster in almost every way due to index size. You’re storing compact, fixed-size binary data instead of strings.

prepend
0 replies
2d

I’ve been professionally making database since 1997 and “natural” primary keys was an antipattern even back then (along with the int sequence since it only allowed 2 or 4 billion).

Socials change. Emails change. Seemingly natural, unchanging things change and mess up all the foreign key relationships.

liquidpele
0 replies
1d20h

You see it a lot with Java devs or others who think in OOP objects and then try to simply push those to a table. That said it's a little more rare now, since most ORMs helpfully auto-create PKs for you as an int or uuid.

skwashd
4 replies
2d3h

Many of the same issues apply to phone numbers.

When moving countries it can be difficult if not impossible to retain your existing phone number. In some parts of the world moving states means changing your mobile number.

Most telcos "recycle" deactivated numbers after a period of time. This is often as short as 6 to 12 months after the owner's credit expires. I've found it increasingly common for a prepaid local SIM number to be tied to a previous owner's accounts on popular services.

BrandoElFollito
3 replies
2d3h

When moving countries it can be difficult if not impossible to retain your existing phone number.

I cannot imagine how it could be possible in the first place.

I have a French number: +33 and 9 digits. In Germany it is +49 and 10 digits. In Poland +48 and again 9 digits.

How do you imagine porting a national phone number abroad?

avandekleut
1 replies
2d3h

There are several countries with the same format and country code.

BrandoElFollito
0 replies
1d11h

Even if some countries share the same code and format (I know about the US and Canada), this is hardly a universal solution. The vast majority do not.

skwashd
0 replies
1d18h

I was thinking porting your number to twilio or the like. It’s not supported in all countries.

sigwinch28
4 replies
2d3h

One of my previous energy providers (British Gas, owned by Centrica) didn’t allow an email address to be used for more than one physical address.

When I moved and tried to “set up” my online account I kept getting HTTP 500s when trying to view details about my current address. On the phone they told me “sorry, you can’t use the same email address for multiple [postal] addresses”, even with closed energy accounts from previous addresses.

xtracto
2 replies
2d3h

You could use the +whatever trick. Or if in Gmail, the dot trick.

ooterness
1 replies
2d1h

Sadly, there's a lot of companies with misguided email validation. They often insist "+" cannot be used in an email address.

chii
0 replies
1d5h

luckily, for cases like these, you can add a dot anywhere within the email address before the @ symbol for gmail, and it goes to the same email address as without the dot.

layer8
0 replies
2d1h

That’s bad, but is one of the things that aren’t a real problem if you use your own domain for email.

collaborative
4 replies
2d4h

The post mentions the problem but not the solution?

nvm0n2
1 replies
2d4h

It does but the solution is mundane: use an auto generated primary key.

collaborative
0 replies
2d

That in turn presents more problems

rovr138
0 replies
2d4h

Yes. It’s bringing attention to the issue. That way people can discuss.

mytailorisrich
0 replies
2d4h

Even if you have to remember an email address for account recovery, you want your internal identifier for accounts to be meaningless. This will make your life much simpler in the long run, even if this is never exposed to people.

This is the solution.

The rest is an implementation detail ;)

fastball
3 replies
2d3h

We're actually in the process of changing around our email system to allow for multiple associated email addresses with an account right now.

One of the main reasons for this is that we provide a student discount for people, and the easiest way to apply that to an account is by checking if their email is an educational one (.edu, .ac.uk, etc). However most people don't seem to want to actually signup with that email. So by allowing multiple emails we can have the best of both worlds! Wish we had done it this way in the beginning.
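
The "meaningless internal identifier" that mytailorisrich recommends and the "several addresses per account" change fastball describes fit together in one schema, so here is an added example of both (not fastball's or mytailorisrich's code; the table, column and function names are my own assumptions). The account's identity is a random UUID, every address is a row that points at it, and purchases hang off the UUID, so swapping the primary address or adding an educational one never touches the identity. Standard library only.

```python
"""Accounts keyed by a meaningless surrogate id, with any number of e-mail
addresses attached to each one.

Added example (not fastball's or mytailorisrich's code): schema, table and
function names are my own assumptions.  Standard library only (sqlite3, uuid).
"""
import sqlite3
import uuid

SCHEMA = """
CREATE TABLE account (
    id      TEXT PRIMARY KEY,                        -- random UUID: never an address,
    created TEXT NOT NULL DEFAULT (datetime('now'))  -- never a counter that leaks signup order
);
CREATE TABLE account_email (
    address    TEXT PRIMARY KEY,                     -- an address belongs to at most one account
    account_id TEXT NOT NULL REFERENCES account(id),
    is_primary INTEGER NOT NULL DEFAULT 0,
    verified   INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE purchase (
    id         INTEGER PRIMARY KEY,
    account_id TEXT NOT NULL REFERENCES account(id), -- ownership follows the id, not the address
    item       TEXT NOT NULL
);
"""
EDU_SUFFIXES = (".edu", ".ac.uk")   # the two suffixes named in the thread


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database with the schema above."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db


def lookup_account(db, address):
    """Resolve any attached address (current or former primary) to the account id."""
    row = db.execute("SELECT account_id FROM account_email WHERE address = ?",
                     (address.lower(),)).fetchone()
    return row[0] if row else None


def create_account(db, address):
    """Identity is a random UUID; the address is only a login/contact handle."""
    if lookup_account(db, address) is not None:
        raise ValueError("address already belongs to an account")
    account_id = str(uuid.uuid4())
    with db:
        db.execute("INSERT INTO account(id) VALUES (?)", (account_id,))
        db.execute("INSERT INTO account_email(address, account_id, is_primary, verified) "
                   "VALUES (?, ?, 1, 1)", (address.lower(), account_id))
    return account_id


def add_email(db, account_id, address, verified=False):
    """Attach a further address (e.g. a .edu one) without changing the account's identity."""
    with db:
        db.execute("INSERT INTO account_email(address, account_id, verified) VALUES (?, ?, ?)",
                   (address.lower(), account_id, int(verified)))


def set_primary_email(db, account_id, address):
    """Swap the primary address; the old one stays attached, so it still resolves for recovery."""
    row = db.execute("SELECT verified FROM account_email WHERE address = ? AND account_id = ?",
                     (address.lower(), account_id)).fetchone()
    if row is None or not row[0]:
        raise ValueError("address must be attached to this account and verified first")
    with db:
        db.execute("UPDATE account_email SET is_primary = 0 WHERE account_id = ?", (account_id,))
        db.execute("UPDATE account_email SET is_primary = 1 WHERE address = ?", (address.lower(),))


def primary_email(db, account_id):
    row = db.execute("SELECT address FROM account_email WHERE account_id = ? AND is_primary = 1",
                     (account_id,)).fetchone()
    return row[0] if row else None


def has_educational_email(db, account_id):
    """Student-discount check: any *verified* attached address with an educational suffix."""
    rows = db.execute("SELECT address FROM account_email WHERE account_id = ? AND verified = 1",
                      (account_id,)).fetchall()
    return any(addr.endswith(EDU_SUFFIXES) for (addr,) in rows)


def record_purchase(db, account_id, item):
    with db:
        db.execute("INSERT INTO purchase(account_id, item) VALUES (?, ?)", (account_id, item))


def purchases_for(db, address):
    """Purchases survive address changes because they reference the surrogate id."""
    account_id = lookup_account(db, address)
    if account_id is None:
        return []
    return [item for (item,) in db.execute(
        "SELECT item FROM purchase WHERE account_id = ? ORDER BY id", (account_id,))]
```

Two design points worth noting: `account_email.address` is the primary key of its own table, so the "one address = one person" invariant nvm0n2 mentions elsewhere in the thread is enforced by the database rather than by application code, and the discount check requires `verified = 1`, so attaching an unverified `.edu` address does nothing until the confirmation link is followed.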

ghaff
2 replies
2d3h

Be aware that at least in the US, many people who graduated from university can get an .edu alumni forwarding address. I have a rather cool one. I got in early on and it’s just my first name. I don’t use it much though. In the early days the forwarding made it sometimes unreliable although I assume it’s better now. And the reality is my gmail address has been stable over a couple decades at this point and I don’t see that changing.

I give out my edu address to very few people in any case.

fastball
1 replies
2d3h

Thanks for the heads up. We're aware, but tbh are not that worried about it. If someone that has already graduated is keen to get a student discount, I'm happy to let them. They feel like they're beating the system, and we still get paid. Luckily we're not running a business where the educational discount users are some sort of loss-leading onramp that we expect to make money on once they graduate – they're still profitable even at 50% off.

Currently we actually require manual verification (sending in a student ID to our Intercom) if you didn't sign up with an educational email, and I'm deliberately overlooking the proofs that are clearly invalid. I barely even glance at them. The other day someone sent me a student ID that was 4 years expired and I just applied the discount and moved on with my day haha. If you send me a PDF called "student_id.pdf" I'll probably give you the student discount. That's part of the reason we're adding this system – we've gotten so lazy that requiring people to go the email verification route will probably be a stricter improvement on the status quo if most users go that route.

ghaff
0 replies
2d2h

In general I think that’s a good attitude. A lot of people who work the system for a student discount probably wouldn’t have signed up at full price anyway.

niuzeta
2 replies
1d23h

What does the famous saying in the first paragraph actually say? The phrase is hyperlinked, and it 404s for me: https://regex.info/blog/2006-09-15/247

It's quite odd to see a dead link from a post made literally today.

Sniffnoy
1 replies
1d22h

Hm -- for some reason it 404s when accessed via HTTPS. The link in the original post is a straight HTTP link, but I guess you have something that's turning it into HTTPS instead. Anyway it works just fine when accessed via straight HTTP. Obviously the site regex.info should fix that though, 404ing on HTTPS is obviously not what it should be doing!

Edit: Oh right, you asked what the famous saying actually says. Since you're apparently not familiar with it, it's a joke of the following form:

Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.

Here, obviously, it's being applied to something other than regular expressions, but this sort of thing is what "now you have two problems" refers to.

The actual linked article is looking into the origins of this joke.

niuzeta
0 replies
1d22h

Oh! That's very curious. Yep, tried to access using http and voila, it worked!

Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.

Ah! I remember this saying. Now I get it.

Thank you!

beckerdo
2 replies
2d3h

The best identity I can think of is a hash-code of your DNA sequence. You cannot lose it like an external device, an email, or an implanted chip.

Yes, there might be collisions in a DNA hash-code (such as identical twins), but there can be protocols for that.

explaininjs
0 replies
2d3h

This keeps coming up but is a terrible idea. Your DNA changes every second.

brewmarche
0 replies
2d3h

andyjohnson0
2 replies
2d1h

Some sites (e.g. Amazon) allow login with phone number and password. While a phone number isn't a good permanent identifier either, I occasionally wonder: does this option exist because there are significant populations of net-using people who commonly have no email address? If there are, are there particular geographic or demographic groups where this is common? E.g. developing nations, millennials.

direwolf20
1 replies
2d

Perhaps "Free speech, but don't be a dick."

Left-wing nutsoes will be repelled by the blanket association of "free speech" with the right wing, and right-wing nutsoes will be repelled because they want to use their speech to be a dick.

latency-guy2
0 replies
1d23h

I don't think the left are as nice as they think they are, with all the cannibalism talk or violent uprisings they claim are coming.

Let's relax with the generalizations no one invited on the last day of the year.

linsomniac
1 replies
1d22h

What if: We had support for public key e-mail addresses, something like <pk-12345@gmail.com>. But also <pk-12345@hotmail.com>. With online services treating them both as equivalent, so I could login or do account recovery with one after signing up with the other. Google bans me or hotmail goes out of business, and I can go to the other service and authenticate with my private key to open the same account there.

Obviously, we'd want some sort of aliasing process so we can have a convenient name, but we probably want mail clients to map those addresses or at least track them with their public key.

Could even end up being a shoehorn for E2E encrypted e-mail, which never really seems to have caught on in any big way.

This would require some big players to support it to get anywhere, but from a brief thinking about it, it seems solid. Other than that nobody has support for it yet...

friendly-user
0 replies
1d4h

I am surprised with this thread on hacker news no one has mentioned the decentralized identity foundation - https://identity.foundation/

There are efforts underway to create new ways of identifying and communicating via web where you own your identity, and are not depending on a provider or central authority.

jordanpg
1 replies
2d3h

The biggest problem with email addresses as 'permanent' identifiers is that people's email addresses change even within a single organization (for example, a university). They change for the same collection of reasons that people's commonly used names and logins change.

True for some cases, surely, but I will be surprised if I don't go to the grave in ~40 years with my current gmail account still intact (assuming email is still a thing).

I assume this is true for some appreciable fraction of email users, although I couldn't hazard a guess of what fraction.

Ekaros
0 replies
2d3h

It will be a fun day if Google for some reason decides to kill gmail... I wonder if that will get government intervention...

aaronharnly
1 replies
2d4h

Some of our customers (school districts) regularly recycle email addresses for students, reassigning an address to a new student after even just one year. That’s fine(ish?), but problematic when they don’t also provide a stable unique identifier that can signal the change. Identity management is a remarkably messy and hard problem — one of those areas where the “corner cases” add up to an order of magnitude more work than the core solution.

nvm0n2
0 replies
2d4h

It's not really fine and no organization should do that. The assumption that one email address = one person is too deeply embedded into the infrastructure. Tech firms mostly get this right. Consumer Google accounts are never reused for example. Yes it means the namespace becomes polluted over time and some people might have numbers at the end of their email address, and that's a pity, but compared to the pain of reallocating addresses it's not very important.

Pixie_Dust
1 replies
2d3h

Email addresses are not good 'permanent' identifiers for accounts

No s~~H Sherlock!

bee_rider
0 replies
2d3h

shiH?

Eavolution
1 replies
2d

I liked Discord's solution of chosen name + short identifier, although I might have changed 4 numbers to 5 base64 digits, because no matter what the username, over a billion people trying to use the same name is unlikely, and 5 base64 digits can still be shared easily.

ddejohn
0 replies
1d16h

I too liked this approach, and was annoyed when they deprecated it.

westurner
0 replies
1d4h

re: ORCID, schema.org/Person and schema.org/identifier, W3C DID: Decentralized Identifiers: https://news.ycombinator.com/item?id=28701355 :

DIDs can replace ORCIDs - which you can also just generate a new one of - for academics seeking to group their ScholarlyArticles by a better identifier than a transient university email address.

DIDs are typically (or always) the public key part of a public/private (asymmetric) keypair.

When would a DID be a better choice than a UUID? [or an email address]

taeric
0 replies
2d3h

For most users, they are probably as good as you can get? Without attestation, no solution "works."

So, either have an identity in your community that is specifically not linked to definitive people, or realize you ultimately need a way to link to whatever the local government uses, at some level.

Right?

supernova87a
0 replies
2d

Please tell that to Github, where I first created my most simple/straightforward named account (very similar to my real name) using my company's email address. Company folded. Now I can never get my simple named Github name back.

sl0wik
0 replies
2d3h

Perhaps identity should be a form of graph including accounts you had over a period of time instead of a single input.

r3trohack3r
0 replies
2d3h

Identity is fiat. There is no such thing as a permanent identifier for an account. There is no good way to reliably map any identifier to a human.

There is only social attestation.

Any identity system that fails to recognize this will fail to model societal constructs.

http://www.blankenship.io/essays/2023-09-24/

poisonborz
0 replies
2d2h

Identities should be selfhosted just like most of cloud services. All the problems related to this are unsolved only because the profit incentive points to the opposite.

octacat
0 replies
2d1h

Using email as internal ID... Where?

Emails would change. Same with phone numbers.

I've never seen it, it is usually lives in a column in the table and is used to login. But internal ids are UUIDs or integers in the relational DB.

I've seen people use phone number as an ID, but it is bad for GDPR and privacy reasons... I've seen people use incrementing ID and expose it to the user inside URLs (leaking the account registration time and the total number of users).

noman-land
0 replies
2d1h

Email addresses suck. All these "identities" that we use are owned by other people and are rented or "given" to us for use. Every single one! Email address, phone number, all social media handles, even IP address, even government identifiers. None of them are owned by you.

As far as I can tell, the only way to have an actually good identifier is for a user to generate a public/private keypair.

Yes, there are challenges with account recovery but we have tools for that like multisig and n-of-m schemes and a bunch of other stuff I don't know about.

Email is digital post cards handed off between two dozen untrusted couriers. Why on earth are we overloading this tool for identity, notifications, conversations, subscriptions, etc?

mcv
0 replies
17h50m

I once was the third person of my firstname, lastname combination at a company, so I got firstname.lastname02@company as email address.

At some point I was in contact with an admin who noticed that the original firstname.lastname@company wasn't working there anymore, so he thought he'd be nice and give me that email address now. That was a terrible idea.

Apparently, the original firstname.lastname was watching a couple of Confluence pages so he'd be notified when they changed. Those emails went nowhere because the address didn't exist anymore. But now it suddenly did again, so I started to receive all those notifications. I visited those pages to see if I could turn the notifications off, but they were controlled by the original guy's Confluence account, which I had no access to of course.

lostlogin
0 replies
1d21h

I once got dragged into a saga where a colleague had their ISP go out of business. So they tried to change their email address that was their username (is that the right term?) for Apple’s online services. It was carnage. You can still hit the rough edges of iCloud fairly easily, but 10+ years ago the edges were pointy and savage.

liveoneggs
0 replies
2d3h

Nothing is permanent. Hardly anything is stable even throughout the entire human lifespan. No bio markers that can be easily scanned are reliably unique across a large enough population.

Email addresses are reliably unique (for a reasonably long time), which is why they are chosen for this purpose.

Phone numbers are now more "sticky" than they used to be and are now similar to email addresses at being useful identifiers.

Both emails and phone numbers are frequently lost, often at the same time.

Backup email addresses are the way to go.

Github does a good job at identity, I think, but they still use passwords (which are bad).

kjuulh
0 replies
2d

The only good identifier is a private one. Email, usernames, etc. They should all be changeable. You don't know what laws come into force, which events occur, does a person change gender and now need a new social security number, did a person use a business email account for all their private stuff. Usernames change as we fancy, and the whole uniqueness around usernames is a little bit silly as well.

A private id is probably just the best, whether it is a UUID, or another type of sufficiently collision resistant id, kept away from the user for the most part.

Let said person have an email or username, and let other people tag or friend them, but only use said username/email when doing the initial connection. Base said connections off of the private id.

jsight
0 replies
2d3h

Yes, there should always be some sort of unique identifier that is not tied to the users name or email. Display it in the user info, but really it shouldn't be used for anything outside of the technical integration with sso.

Ideally, it would be something like a guid.

jgalt212
0 replies
2d2h

I like usernames as they are much more robust to credential stuffing than email addresses.

elendee
0 replies
1d17h

I think one level of abstraction up, this is about whether to use externally meaningful (emails, etc) or internally meaningful ones (INT id's, etc).

The specter of having a "permanent ID" (contextless) is something which has never really existed nor ever will. Identity only exists in context to some environment, even in blockchain.

diogenescynic
0 replies
2d

I don't like using email as an identifier because I never know when/how Google could just arbitrarily delete my account. I've looked into alternative email providers but none seem to offer a customer support number where you can actually speak to a human. If anyone knows of one, let me know!!

calibas
0 replies
1d23h

There are two separate but related issues that the article and comments here are merging together: identification & authentication.

The problem of identification, which is assigning a unique identity to each human being, has pretty much been solved. You have names, emails, id cards, really any unique string or number that's tied to a human being. It's not flawless, but in theory it works.

The real issue is authenticating an identity, how do you know the person is actually who they claim to be? This is one of the biggest issues facing modern technology, and it has not been solved. We generally use a combination of passwords, geolocation, IP addresses, emails, phone numbers, security tokens and certificates to create systems that are "good enough". However, these systems are regularly breached, and tightening their security generally has a negative effect on legitimate users.

block_dagger
0 replies
2d3h

WorldCoin is coming…

beanjuiceII
0 replies
2d3h

email works great for me, got it when gmail was created still have it

abeppu
0 replies
2d1h

I think there are _two_ primary issues with email addresses being used as a core part of account definitions. The one emphasized here is that email addresses change, but the other is that the user is giving every service provider they have an account with a _shareable/leakable_ form of contact info, which cannot effectively be revoked.

I wish we would move to a Permissioned Messaging Provider model, where a standardized API allows a user to issue tokens to specific parties to send messages, which is revocable, and where the user can control the destination and medium of those messages. You want your airline to be able to send you status updates about your flight? Great -- you can choose whether those messages arrive as emails, text messages, whatsapp messages, etc, and you can remove those permissions later if you like. Permissioned Messaging Providers will also change sometimes. I think a keybase-like mechanism could be used for asserting that you're the same person across two services, but knowledge that @user1@providerA is the same as @user2@providerB wouldn't allow anyone to send messages to either, since you still need a token (unlike announcing publicly that you're moving from myname@emailprovider.com to myname2@email2.net).
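
The Permissioned Messaging Provider idea above is concrete enough to sketch. What follows is an added example (not abeppu's code; the class and method names are my own assumptions): a user issues a per-sender token, decides which channel that sender's messages land on, can re-route or revoke at any time, and a token that leaks to a third party is useless because it is bound to the sender it was issued to. It assumes the provider already authenticates the calling sender (how is out of scope) and that tokens carry an HMAC tag so a tampered token is rejected.

```python
"""A toy Permissioned Messaging Provider: the user hands each party a revocable
token, and the user (not the sender) decides where that party's messages land.

Added example, not abeppu's code; class and method names are my own.
Assumptions: the provider already authenticates the calling sender (how is out
of scope here), and tokens are HMAC-tagged so a tampered token is rejected.
"""
import hashlib
import hmac
import secrets


class PermissionedMessagingProvider:
    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)   # provider-side MAC key
        self._grants = {}                             # token_id -> {"user", "sender", "channel"}
        self.delivered = []                           # (channel, user, body), kept for inspection

    def _tag(self, token_id: str, sender: str) -> str:
        """MAC binding the token id to the sender it was issued to."""
        msg = f"{token_id}:{sender}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, user: str, sender: str, channel: str) -> str:
        """User grants `sender` permission to reach them on `channel`; returns the token to hand over."""
        token_id = secrets.token_hex(8)
        self._grants[token_id] = {"user": user, "sender": sender, "channel": channel}
        return f"{token_id}.{self._tag(token_id, sender)}"

    def grants_for(self, user: str) -> dict:
        """Everything the user has permitted, so they can review and prune it."""
        return {tid: g["sender"] for tid, g in self._grants.items() if g["user"] == user}

    def set_channel(self, token_id: str, channel: str) -> None:
        """User re-routes one sender (email -> sms -> ...) without the sender learning anything."""
        self._grants[token_id]["channel"] = channel

    def revoke(self, token_id: str) -> None:
        """Revocation is a server-side delete; the sender's copy of the token becomes dead."""
        self._grants.pop(token_id, None)

    def deliver(self, token: str, sender: str, body: str):
        """Called for an authenticated `sender`; returns the channel used, or None if refused."""
        token_id, _, tag = token.partition(".")
        grant = self._grants.get(token_id)
        if grant is None:
            return None                                        # unknown or revoked
        if not hmac.compare_digest(tag, self._tag(token_id, grant["sender"])):
            return None                                        # tampered token
        if grant["sender"] != sender:
            return None                                        # leaked to a third party: useless
        self.delivered.append((grant["channel"], grant["user"], body))
        return grant["channel"]
```

The contrast with a plain address is the last two checks in `deliver`: knowing the token (or knowing that two handles belong to the same person) is not enough to send, because the grant names who may use it, and the user can make it vanish with `revoke` instead of abandoning the address.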

Pxtl
0 replies
2d2h

Yeah, I'm always surprised that Google doesn't offer a way to change your account address. Like there's no way to say "this is my new Gmail address and all email to the old address will be forwarded to the new one and this new address will take over".

Google accounts include purchase ownerships and the like. Dropping an old one and starting a new one is non-trivial. And most reasonable people make their email accounts their names, and names do change. Marriages, transfolk, etc.

NorwegianDude
0 replies
2d3h

The only decent solution I can think of is passkeys. Cross-device synced identities that the user can choose a service for.

Just having a random ID isn't good enough, unless you want the user to remember this ID.

ChrisMarshallNY
0 replies
2d3h

This is true, but I still use them, for the system I'm getting ready to release.

The reason is that we want to keep as little PID as possible, and that should be as innocuous as possible.

So we use emails, including obfuscated Sign In with Apple proxies, or even temporary DEAs. The only requirement is that the email be one that will receive emails.

8organicbits
0 replies
2d3h

Anyone who has tried to de-Google their online presence runs into this. Many sites don't let you change your email address, so you either create a new account or live with mail forwarding. OAuth is often worse at this: I have too many third-party sites using Log in with Google, which forces me to keep a Google session open (in a Firefox container).