About the idea: IDENTITY = EMAIL

Continuing the discussion from Why e-mail validation when using OpenIDs?:

I have read a few posts here like the one I quoted where @codinghorror says that “IDENTITY = EMAIL”.

I’m not really sure about that myself though so I started a new topic to talk about that idea.

Here are a few points that make me question that idea:

  1. In Discourse, you have an email address and a user name.
    In fact you can tag someone by their user name.
    You can’t do that with their email.
  2. Email is just an address tied to a mailbox similar to regular mail.
    People don’t usually associate someone’s identity with their street address.
    Just like a street address mailbox is shared by all that live on the street address, email addresses are not a one to one relationship with a mailbox.
  3. Discourse doesn’t show a user’s email address publicly.
    So unless you are saying the person’s identity is private.
1 Like

Sure, is there anything wrong with that?

Also, you could more accurately say that it’s “Access to a particular email account” as the identifier.

1 Like

Looking back on my post, I think I did not state what I intended to as well as I should have.
I was thinking that identity in the context of web application such as Discourse, the user’s identity is something public in part so other users can identify who the user is.
If you are talking about how to identify the user internal to the web application then I would think the user is assigned an automatic identifier consisting of a string of numbers as that is how most applications handle that.
Of which if that is the case then I don’t see how IDENTITY can equal EMAIL in Discourse which I recall one of these topics mentioning.

If I recall correctly (there’s 3-4 fairly lengthy discussions on this topic) someone said that not having email as your identity tied to your Discourse Username can cause a ton of problems in practical use because people more easily associate their site identity with their email address.

To me my Username is an alias of my email address. If I can’t authenticate, I have a fallback plan, which is to use my email address (and if I’m not sure which one I used, I’ll try them all as I have only a handful of email accounts) to find out.
Whereas if you don’t have any external identity associated with your account, how can you recover lost or forgotten password except by using insecure approaches like “What’s your mother’s maiden name”.

My own thinking is this:

  • I may prefer to not disclose my email address (not a big deal here, but I’m talking about forums in general)
  • I may be willing to bear the risk of having my ID associated with a single external ID provider and give up on the convenience of being able to receive notifications, etc.

After reading what you wrote and later reading the topic Official Single-Sign-On for Discourse I think I understand the idea of IDENTITY = EMAIL now.
When it comes to things like migrations from a mailing list and Sign-On from another source the email address is the only way to identify which users from the different sources are the same user.
The password reset function also makes sense.

The problem for me is that for some email users like me, email is not unique to my user account.
I have a different email address for Meta Discourse, How-To Geek Forums, MythTV mailing list, Google, Facebook and most others that all end up going to the same email mailbox.
I do this to keep track of where email is coming from in the case of spam.
One site I receive a Daily Newsletter from used an email provider that got hacked twice.
I now have mail sent to those email aliases discarded.
That site now uses a different email provider that so far has not been hacked.
A while ago before I started doing different email addresses, I gave a regular email address to Lifehacker.
When Lifehacker’s parent company got hacked the regular email address was leaked and still gets spam today that I think is due to that hack but I don’t know for sure.
Unfortunately, I’ve found many websites in the last few years have switched from username/email logins to email only logins which means I have to remember which email I used for a certain site and use it to login.
Besides being a bit of a pain, a full email is longer than a username and contains a character that can’t be typed with one hand (the at sign).

I suppose in short, I can say while I don’t think using an email address as an identity is a good idea, it appears that in certain situations Discourse has no other way to identify a user.

I have absolutely no idea what you are proposing … if you want to log in with your username you can.

1 Like

That is true and I do login that way.
I was saying that for some things, Discourse does use email as the identity only such as SSO:
“Discourse uses emails to map external users to Discourse users” - Official Single-Sign-On for Discourse and it seems like there is not really another option.
Though thinking about it, if the user names on the SSO Source Site don’t change then Discourse could map users based on the username instead of email.

Problem being that when an account is Deleted, the IP and email address can be added to the “Screened” lists.
Member names of deleted accounts can be re-used.

It might help if you consider context when thinking of the definition of “Identity”

To me
Email Address - identifies the person in the “real world” i.e. verification that the person using that email address is that person
Member Name - Identifies the person to other forum members
Member Id - Used in the code to identify the member’s account

1 Like

Not really the case, if you specify that you want to allow SSO to override emails then external_id is treated more strongly than email (meaning email is overridden on change). For all cases of SSO external_id is strongest and always wins. Additionally SSO has the ability of sending in unverified emails.

1 Like
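The post above states the precedence rule: external_id is the strongest key, email can only update or attach an account under the "allow SSO to override emails" setting, and the SSO payload may carry an unverified email. The following is an added illustration of that rule, not Discourse's own code: it models a tiny in-memory user table (constructed here) and an assumed `email_verified` flag from the identity provider, and it refuses to attach an existing local account on an unverified address, since that is the path by which an email-based mapping can hand one person's account to another.

```python
"""Account-linking logic for an external single sign-on (SSO) payload.

Added example, not Discourse's code. It models the rule from the thread:
external_id always wins; email only attaches an existing local account when
the provider verified it, and an already-linked account's email changes only
if the site allows SSO to override emails.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class LocalUser:
    user_id: int
    username: str
    email: str
    external_id: Optional[str] = None
    email_confirmed: bool = True


@dataclass
class SsoPayload:
    external_id: str
    email: str
    email_verified: bool   # assumption: the provider states whether it verified the address


@dataclass
class LinkResult:
    user: Optional[LocalUser]
    action: str


@dataclass
class UserStore:
    """In-memory stand-in for the site's user table (constructed for this example)."""
    users: Dict[int, LocalUser] = field(default_factory=dict)
    allow_sso_override_email: bool = False   # the "allow SSO to override emails" setting

    def by_external_id(self, external_id: str) -> Optional[LocalUser]:
        return next((u for u in self.users.values() if u.external_id == external_id), None)

    def by_email(self, email: str) -> Optional[LocalUser]:
        return next((u for u in self.users.values() if u.email == email.lower()), None)

    def create(self, username: str, email: str, external_id: Optional[str],
               confirmed: bool) -> LocalUser:
        uid = max(self.users, default=0) + 1
        user = LocalUser(uid, username, email.lower(), external_id, confirmed)
        self.users[uid] = user
        return user


def link_sso_user(store: UserStore, p: SsoPayload, username_hint: str) -> LinkResult:
    email = p.email.lower()
    # 1. external_id is the strongest key: if it is already bound, that account wins,
    #    whatever email the payload carries. Email is updated only when the site
    #    allows SSO to override it and the provider verified the new address.
    user = store.by_external_id(p.external_id)
    if user is not None:
        if store.allow_sso_override_email and p.email_verified and user.email != email:
            if store.by_email(email) is not None:
                return LinkResult(user, "rejected_email_in_use")
            user.email = email
            return LinkResult(user, "matched_external_id_email_updated")
        return LinkResult(user, "matched_external_id")
    # 2. No binding yet: an existing local account may be claimed by email, but only
    #    when the provider verified that address. Attaching on an unverified address
    #    would let anyone who can assert that address at the provider take the account.
    existing = store.by_email(email)
    if existing is not None:
        if not p.email_verified:
            return LinkResult(None, "rejected_unverified_email_collision")
        if existing.external_id not in (None, p.external_id):
            return LinkResult(None, "rejected_email_bound_elsewhere")
        existing.external_id = p.external_id
        return LinkResult(existing, "linked_by_verified_email")
    # 3. Brand-new identity: create the account; an unverified address stays
    #    unconfirmed until the user proves control of it.
    user = store.create(username_hint, email, p.external_id, confirmed=p.email_verified)
    return LinkResult(user, "created" if p.email_verified else "created_unconfirmed")
```

The action strings are there so an audit log can record which rule fired; the two "rejected" outcomes are the cases a site operator would want to alert on, since they are what a mapping that trusted email alone would have silently accepted.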

Ok, then I guess I misunderstood how the SSO support works.

It is very very simple @jd2066 ask yourself this

What happens when I forget my password?

Therefore, email is the source of identity. Yahoo has a new thing where you can use your smartphone as a login, but that’s just a different form of single factor auth – most of the time you use password + smartphone as two factor auth.
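The "what happens when I forget my password" argument is that the mailbox is the recovery anchor. As an added illustration (not Discourse's own reset code), this is the shape of a reset flow that relies on that anchor without turning it into a weak point: the mailed token is random, only its hash is stored, it expires (a one-hour window is an assumption here), it is single-use, and the request form answers identically whether or not the address has an account. The account table and outbox are constructed stand-ins.

```python
"""Email-based password reset tokens.

Added example, not Discourse's code. Shows the properties a defender wants
from a reset-by-email flow: random token, hash-only storage, expiry,
single use, and no account-existence leak from the request form.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 3600   # assumption: one-hour validity window


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


@dataclass
class ResetService:
    accounts: Dict[str, str]                                     # email -> user id (constructed)
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (address, token) stand-in for mail
    pending: Dict[str, ResetRecord] = field(default_factory=dict)  # token hash -> record

    @staticmethod
    def _hash(token: str) -> str:
        # Store only the hash: a leaked table of pending resets is then useless
        # to anyone who does not also hold the mailed token.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        user_id = self.accounts.get(email.lower())
        if user_id is not None:
            token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
            self.pending[self._hash(token)] = ResetRecord(user_id, now + TOKEN_TTL_SECONDS)
            self.outbox.append((email.lower(), token))
        # Same message either way, so the form does not confirm which
        # addresses have accounts.
        return "If that address has an account, a reset link has been sent."

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id the token unlocks, or None if it is unknown, expired or spent."""
        now = time.time() if now is None else now
        presented = self._hash(token)
        # Compare every stored hash in constant time rather than indexing by the
        # presented value, so a wrong token takes the same time as a right one.
        match = None
        for stored_hash, rec in self.pending.items():
            if hmac.compare_digest(stored_hash, presented):
                match = rec
        if match is None or match.used or now > match.expires_at:
            return None
        match.used = True   # single use: a replayed link does nothing
        return match.user_id
```

In a real deployment the caller would, on a non-None return, set the new password and also invalidate other sessions for that user; the point of the example is that every property above follows from treating the mailbox as the identity anchor, which is exactly the trade the post describes.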

Reddit is one example, you don’t need an email address for creating an account there.

Sometimes lowering the barrier to enter beats controlling spam

1 Like

Until reading the topic Reddit OAuth/API Support the other day, I didn’t know that reddit didn’t require an email address.
Your reply does remind me though that, that was also a topic where the idea of IDENTITY = EMAIL was presented and part of the reason I started this topic.

1 Like

That sounds like a potential repeat of this.

Using reddit as auth invites pain. Pain.

Like me going into a battle wearing armor made of bologna.

2 Likes

Wikipedia which is based on MediaWiki.

Even edits are possible without account. (Unless using a banned IP range.) (Edits might be withheld from page visitors until an administrator confirms them.)

During account creation, an e-mail address is recommended but optional.

And it’s probably the exception in that regard. When you consider what Wikipedia is - shared content curated by a group - their goal is to reduce friction to collect knowledge. The concept of identity is less relevant because individual contributors aren’t surfaced unless you go digging behind a topic. Misleading content is called out by the ‘hive mind’ and if you lose an account you can sign up again with no real material loss.

Discourse on the other hand rotates around the concept of identity, everything is attributed to users, their identities matter. If users forget their password the lack of email would mean that they can’t easily recover it, nor can the site staff verify that they were the original owner.

3 Likes

A little bit off topic, but it is not — I’m a customer of the biggest ISP in Finland. Every one of their IP ranges is banned, and that is not the only ISP in the same situation.

So from my point of view

  • IPs are a total waste of time, at least when trying to identify a user
  • Wikipedia was a bad example