Email verification protocol

Posted by sgoto 11/1/2025

151 points | 109 commentspage 3

l___l 17 hours ago|

Why must apps require email? Why not only username and password?

tytho 16 hours ago||

Many applications need a way to contact a user (security breach, password reset). If one only has a username and forgets the password, there’s no way to reverify the user.

dspillett 15 hours ago|||

> Many applications need a way to contact a user … password reset

At this point the password is pointless, you might as well just use the email address. Or perhaps a distinct username and email address, but then there would probably be a “forgot username” workflow making that as pointless as the separate password.

Hizonner 16 hours ago||||

> If one only has a username and forgets the password, there’s no way to reverify the user.

Tough beans?

crazygringo 16 hours ago||

A good user experience does its best to avoid tough beans. That's kind of UX 101.

dspillett 15 hours ago||

In the case of security procedures, I'd argue that there is some room for tough beans. Reducing security to cater for carelessness seems like a really bad compromise to me, one that I see far too often.

megous 14 hours ago||||

There are many ways to re-verify the user if one forgets a password. Some may even be more secure than sending a e-mail. Simplest is a set of single-use reset codes that could be generated at signup or later on, like the ones to remove 2FA.

l___l 16 hours ago||||

[dead]

charles_f 14 hours ago|||

You don't need to validate email for that.

thedelanyo 13 hours ago||

I think if you're not verifying emails, you'll also receive lots of bot signups.

zetanor 17 hours ago|||

Because it's less expensive to send a few e-mails than to provide customer support to everyone who forgets their password.

hombre_fatal 16 hours ago|||

Most people want a way to recover their account if they lose those creds, especially when you ask them once they’ve lost their creds.

It’s also a rudimentary PoW system against bots. And people who don’t want to share their email can use a temp email service, so it’s no skin off their back.

immibis 14 hours ago||

So make it optional. I've seen sites like that.

Bots have no trouble signing up with @mybotfarm.example addresses.

Levitz 14 hours ago||

Ultimately this is akin to password requirements. They are a bother but the average user is just much too careless to be trusted with their own security.

charles_f 14 hours ago|||

* recover password

* prevent signing up for someone else (validate it is you who owns the email)

* poor man's mfa, although please allow me to use totp instead (probably the three most legitimate reasons from a user perspective, email validation prevent you from making a typo)

* send ads and notifications (legitimate from the provider's perspective, they want campaigns to succeed, email validation makes them sure emails land)

* reduce throw-away or bot accounts

efilife 16 hours ago|||

Weird that no one said this yet: To verify users' legitimacy. If you make effort to block 10 minute email services it works kinda well and slows down bots

ocdtrekkie 16 hours ago|||

Without traceability, any app that can be used for abuse will be. (An HN reader used an anonymous mail service to send me some hate speech and tell me to kill myself within the last day. The service they used to do it obviously does not care, but also cannot do anything about it, because they don't know who used their service to do it.)

jgalt212 17 hours ago|||

I agree. username and password is much more robust to credential stuffing attacks.

gruez 16 hours ago||

> username and password is much more robust to credential stuffing attacks.

/s?

jgalt212 16 hours ago|||

tell me how it's not.

apgwoz 15 hours ago|||

The onus is on you here… but, I think I know where you’re going with this. In terms of number of email addresses people have and use, vs number of usernames people have and use, you might be right that some people have 1 or 2 email addresses and many usernames.

Email masking has become easier to use, and many people use `+addressing` to uniquely tie their email to the service for spam prevention / tracking, which would make stuffing harder.

In these cases, email would be much more unique and a better protection against stuffing. HOWEVER, it’s not obvious how Email verification protocol would work for these types of things.

crazygringo 16 hours ago|||

You're the one who made the claim. So please explain how it is.

cxr 15 hours ago||

Credential stuffing happens when a user signs up on one Website B with account information matching the information they used when setting up their account on Website A, and the operator of either Website A or Website B can use those credentials to access the user's account with the other operator.

If websites authenticate with username and password combo chosen by the user, then credential stuffing is neutralized if the user avoids re-using the same combo, effected by the user selecting at least one of a different password or the selection of a different username.

If instead of a username, an email address is required to register, that generally results in one less degree of freedom; rather than being able to create a username with Website B that differs from the username they created on Website A, absent the use of a wildcard/catch-all mailbox or forwarding service (which are not straightforward to set up, and almost nobody has one), the user is required to disclose an existing email address.

(It also increases the surface area for attacks, since the malicious website, now knowing the user's email address, can attempt credential stuffing with the user's email provider itself.)

You can balk at whether or not these are negligible differences, but it's non-zero. Therefore, all other things held equal, then strictly speaking it is more robust.

gruez 15 hours ago||

>If instead of a username, an email address to register, that generally results in one less degree of freedom [...]

It "generally" doesn't, because the average user isn't randomly generating usernames per-site, just like they're not randomly generating passwords per-site. If they're randomly generating usernames per site, they'll need some sort of system to keep track of it, which is 90% of the way to using a password manager (and therefore randomized passwords, immune to credential stuffing). For it to practically make a difference, you'd need someone who cares about security enough to randomize usernames, but for whatever reason doesn't care enough about security to randomize passwords.

cxr 14 hours ago||

To start with, randomly generated usernames weren't mentioned, and they are not a prerequisite.

> It "generally" doesn't, because the average user isn't randomly generating usernames per-site

What other people do, whether average users or not, doesn't matter. When average user Alice is registering accounts on Websites A and B, the fact that average user Bob doesn't use different usernames for his accounts doesn't change the fact that if Alice would have otherwise registered account agirl on one site and pie_maker26 on the other, but instead has been forced to enter her email address, then that has a non-zero effect on risk.

For the claim as stated to be untrue, the difference in risk would need to be zero.* But it isn't zero. The claim as stated is true.

> For it to practically make a difference, you'd need someone who cares about […]

That's not true. Users who are exposed to lower risk by accident are still exposed to lower risk. It's not a prerequisite for the user to care at all, nor does it require them to understand any of this or to be trying to adhere to any particular scheme to achieve a certain outcome. The only thing that matters is what they're doing—and whether what they're doing increases or decreases risk. Intent doesn't matter.

* or it would need to be somehow less risky when email addresses are required in place of where a username otherwise would be, but that's not the case, either

gruez 14 hours ago||

>To start with, randomly generated usernames weren't mentioned, and they are not a prerequisite.

I've seen sites randomly generate passwords for users as well. Does that mean users reusing their passwords at all is a prerequisite? Moreover if we're really accepting "whether average users or not, doesn't matter", I can also say that using emails doesn't decrease security because you can use randomized emails, as others have mentioned. At some point you have to constrain yourself to realistic threat models, otherwise the conversation gets mired in lawyering over increasingly implausible scenarios. For instance, by asking for emails at registration, you can more easily perform 2fa, whereas you can't do that with only a username/password combination[1].

[1] before you jump to say "but can ask for an email with username/password too!", keep in mind the original claim that username/password is better was in response to a comment asking "Why must apps require email?".

cxr 13 hours ago||

> I've seen sites randomly generate passwords for users as well. Does that mean users reusing their passwords at all is a prerequisite?

What?

> I can also say that using emails doesn't decrease security because you can[*] use randomized emails

That _doesn't_ _matter_. Viz:

> The only thing that matters is what they're doing—and whether what they're doing increases or decreases risk.

ashed96 15 hours ago|||

In theory, maybe to some extent yes - unique usernames could beat reused emails.

But let's be real - nobody actually does that.

cynicalsecurity 16 hours ago||

Because emails of real people can be sold to advertisers.

rekabis 7 hours ago||

> Verifying control of an email address is a frequent activity on the web today and is used both to prove the user has provided a valid email address

LOL WUT??

This is also ideal in “war dialling” eMail servers to get accurate lists of what eMail accounts exist on said server. This has been the case since marketing first hit the Internet.

Do you really want all of your legitimate eMail addresses to end up on spam lists? Because this is how you get complete and unabridged lists of your domain’s valid eMail addresses onto spam lists.

It’s why my own eMail server is set up to quietly confirm and accept any and all eMail sent to the domain - regardless of username employed. Even invalid eMail accounts get confirmed and incoming eMails to them get accepted.

Anything not sent to a valid account then drops into a catch-all account for further processing. Occasionally I’ll get eMail where the username was misspelled - it happens - and I just forward it to the appropriate family member.

The rest get reported as spam. And I enjoy making every last report. Enjoy ending up on a blacklist.

littlestymaar 17 hours ago||

> User privacy is enhanced as the issuer does not learn which web application is making the request as the request is mediated by the browser.

How can you avoid revealing the application through the `Origin` header?

gruez 16 hours ago|

The request is sent by the browser, not the webapp itself (ie. using xhr or fetch) so it doesn't have headers like "Origin" added.

littlestymaar 15 hours ago||

Ha! Thank you, I misunderstood who was behind this proposal but since it's W3C it's something that would directly be implemented by the browser itself.

binary132 15 hours ago||

why does it have to be email?

sgoto 11/1/2025||

Verify email addresses automatically

harvey9 15 hours ago|

On the rare occasions where I would care about this as a user, I make a throwaway account on an anonymous service. If I don't want my email service to know I have an account with you then I don't trust you to handle my main address either.