Email verification protocol

Posted by sgoto 11/1/2025

214 points | 146 commentspage 2

philipwhiuk 11/9/2025|

> User privacy is enhanced as the issuer does not learn which web application is making the request as the request is mediated by the browser.

This seems extremely marginal. The point of verifying an email address is to subsequently use it to send email.

callahad 11/9/2025|

I largely agree, but I still think there's a compelling argument that blinding the issuer implicitly precludes API gatekeeping or censorship. Sites wouldn't need to pre-register with any issuer, nor could the issuer refuse to provide tokens on the basis of where they'll be used.

Etheryte 11/9/2025||

I haven't managed to formulate the exact issue yet, but if I squint, I swear there's a path to track and/or deanonymize someone visiting your site. If you have any kind of previous information about the user, such as Meta, or Google or etc, you could easily try and see if the user holds any number of emails you think they might hold. From there on out we're practically back to third party cookie tracking.

callahad 11/9/2025|

The key mitigation is that the protocol - as envisioned - is mediated by the user agent; you as a website cannot silently fire off probes that tell you anything.

kbaker 11/9/2025||

This section

https://github.com/WICG/email-verification-protocol/blob/mai...

could easily be done by malicious JS, an ad script, or the website itself, and then as the RP gets the output of 6.4) email and email_verified claims.

I'm guessing that this proposal requires new custom browser (user-agent) code just to handle this protocol?

Like a secure <input Email> element that makes sure there is some user input required to select a saved one, and that the value only goes to the actual server the user wants, that cannot be replaced by malicious JS.

callahad 11/9/2025||

> This section could easily be done by [...]

Less easily than you'd think.

You'd have to make an authenticated cross-origin request to the issuer, which would be equivalent to mounting a Cross-Site Request Forgery (CSRF) attack against the target email providers.

Even if you could send an authenticated request, the Same Origin Policy means your site won't be able to read the result unless the issuer explicitly returns appropriate CORS headers including `Access-Control-Allow-Origin: <* or your domain>` and `Access-Control-Allow-Credentials: true` in its response.

Browsers can exempt themselves from these constraints when making requests for their own purposes, but that's not an option available to web content.

> I'm guessing that this proposal requires new custom browser (user-agent) code just to handle this protocol?

Correct; which is going to be the main challenge for this to gain traction. We called it the "three-way cold start" in Persona: sites, issuers, and browsers are all stuck waiting for the other two to reach critical mass before it makes sense for them to adopt the protocol.

Google could probably sidestep that problem by abusing their market dominance in both the browser and issuer space, but I don't see the incentive nor do I see it being feasible for anyone else.

portaouflop 11/9/2025||

Is it reinventing OIDC or what is the benefit of this?

No way in hell I’m gonna learn another of these nightmarish protocols unless this is somehow much much better.

rekabis 11/10/2025||

> Verifying control of an email address is a frequent activity on the web today and is used both to prove the user has provided a valid email address

LOL WUT??

This is also ideal in “war dialling” eMail servers to get accurate lists of what eMail accounts exist on said server. This has been the case since marketing first hit the Internet.

Do you really want all of your legitimate eMail addresses to end up on spam lists? Because this is how you get complete and unabridged lists of your domain’s valid eMail addresses onto spam lists.

It’s why my own eMail server is set up to quietly confirm and accept any and all eMail sent to the domain - regardless of username employed. Even invalid eMail accounts get confirmed and incoming eMails to them get accepted.

Anything not sent to a valid account then drops into a catch-all account for further processing. Occasionally I’ll get eMail where the username was misspelled - it happens - and I just forward it to the appropriate family member.

The rest get reported as spam. And I enjoy making every last report. Enjoy ending up on a blacklist.

yomismoaqui 11/9/2025||

"There are privacy implications as the email transmission informs the mail service the applications the user is using and when they used them."

Not really, as I can enter any email on a service login page that uses magic links for auth. The owner of that email will receive the login link but that doesn't mean they tried to login on that system.

Y_Y 11/9/2025|

Not really indeed. You're right that false positive are possible with such a system, but false negatives are not. That means that you're leaking information about when a user didn't use a service, as well as partial information about when the did (which you could combine with other data to tell you something meaningful).

nine_k 11/9/2025||

This is sort of missing the point of email verification. It's to test that the email from this particular site is deliverable and visible to the user, not just that it's a legitimate address known to work by some third party.

A user may make a typo in the email, and that email might still be a valid email know to work (but for another, unrelated person). The user's email agent (such as GMail or Outlook) can mark the email unimportant and make it hard to notice, or even mark as spam. All these issues are much better to find out and iron out before the user sees themself unable to communicate, or successfully bound to an email they cannot access.

The whole point of email verification is to make certain that a channel of alternative communication exists for a case when the user would be unable to identify themself normally, for whatever reason. A working email alone is not always sufficient for successful credentials reset, but almost always it's much easier to when the user has it.

dcm360 11/9/2025|

> A user may make a typo in the email, and that email might still be a valid email know to work (but for another, unrelated person).

That won't verify. The issuer should check if the request has valid session cookies for the e-mail-address that should be verified. This also implies that it just won't work for any service that uses sessions with a short timeout.

mvid 11/9/2025||

Might want to take a look at https://github.com/zkemail

meonkeys 11/9/2025||

Skimming that I'm thinking yes, sure, why not, but this repo is missing useful context. Who are you, authors? Why should I bother learning this protocol? Is anyone using or going to use this? If it's new, has it been shopped around at conferences? Any related research?

hastamelo 11/9/2025|

author:

https://www.w3.org/community/wicg/

https://wicg.io/

hirsin 11/9/2025||

And specifically Sam goto (Google, fedcm) and Dick Hardt (hello, oauth2 spec writer).

This was originally thought up a couple (5-6) years ago along side fedcm and privacy sandbox, but before SD-jwt was full baked, so it wasn't as clean. The use of SD-jwt is much better for privacy.

8organicbits 11/10/2025||

Is there a nonce relay vulnerability here? You try to verify your email with site A. Site A starts an email verification with site B. Site B sends a nonce to A, A relays the nonce to the user. The user generates the proof, sends it to A. Then A sends it to B.

callahad 11/10/2025|

Step 5.2; the browser binds the KB-JWT to the site it's on, so Site A would receive a JWT that is only valid for Site A.

littlestymaar 11/9/2025|

> User privacy is enhanced as the issuer does not learn which web application is making the request as the request is mediated by the browser.

How can you avoid revealing the application through the `Origin` header?

gruez 11/9/2025|

The request is sent by the browser, not the webapp itself (ie. using xhr or fetch) so it doesn't have headers like "Origin" added.

littlestymaar 11/9/2025||

Ha! Thank you, I misunderstood who was behind this proposal but since it's W3C it's something that would directly be implemented by the browser itself.

More comments...