And then we decided that custom domains are the most professional. Which does make sense, there can only be one 'email@example.com'. But, this is coupled with the idea that domains can expire, and that expiry does not appear to kill the identity that's potentially associated with the domain.
We should not be using email addresses as our primary source of identity verification in the first place. And we definitely _should_ have some way to globally declare that an identity has been compromised. Especially given our society's track record of keeping database safe from breach.
I more or less assume it is inevitable that one of my major accounts will be compromised, and that this will be able to cascade into most of my major accounts being compromised. I do what I can to protect myself, but gmail as a single source of failure makes me nervous. Using any email provider besides gmail makes me even more nervous, because they don't have the full power and knowledge of Google protecting their databases.
If you use a third party service for your email ID, the third party can ban you or like you mention - disappear and basically take your identity away.
If you rely on national ID cards, you have another set of problems.
If you rely on phone numbers, these can be sim-jacked.
If you rely on bio-authentication methods, you risk your privacy especially when the master database gets compromised.
Relying on any single source seems to be a recipe for disaster. Perhaps the solution is to have multiple ways to authenticate yourself, with different levels of credibility and to let as many of them survive as possible. Phone numbers and email IDs seem to have similar levels of credibility, but I haven't seen domain name service providers take to phone number authentication as much as I would have liked, but things are looking up. Alternatives could be backup codes, which some registrar's use if you have 2fa enabled.
This would also allow you to have multiple identities in cases where that is useful.
I've heard of various groups doing this under blockchain (of course) which is a way to solve the problem of publishing the details, but in many cases you don't really need that. It should be enough to make a key and get involved, like Bitcoin.
The issue of course is that if you lose the key(s) you have a major problem, whether they're just lost or stolen. This is probably solved with MFA but it's not a solution if that opens up other attacks.
The email market has worldwide competition, phone providers compete at a local level only. You can choose from thousands of different email providers, while phone provider choices for any given person are ~5.
The effective 'god' of domain names is IANA, which, while imperfect is more trustworthy than the 'gods' of phone numbers: local governments and telcos.
It's my understanding that these methods (TouchID, FaceID) don't actually store your thumb prints or images of your face rather they store hashes of the output. Similar to how passwords should never be stored in plain text.
The upside is its only stored on the device itself and not in a master database and also isn't used for any remote authentication so can't be exploited by hackers over the internet.
Without emails as the keys to the kingdom, what would you use?
Without a global identifier for a human person (like social security in the US), how would we declare that an identity is compromised?
While I believe your ideals are well-intentioned, I think they're impractical in our current society.
I would propose that an email is the key to the kingdom, that people running custom domains and use them for email must deposit $500 in registration to do so (to ensure the domain is registered for their lifetime), and that they should be protected by a password plus 2FA with your phone being the other factor. And I propose that each person should be uniquely identifiable by an email address stored in a global publicly-accessible database.
Think Facebook login except instead of tab unrestricted entity that steals every piece of dignity it gets its hands on, its a bank or legal custodian with strict responsibilities, penalties, and insurance in case of identity theft.
PKI. Service providers shouldn't give you access to an account just because you can prove you control an email address (during a narrow and predictable time window, no less). The simplest thing would be to encrypt the relevant part of the payload (the one containing the password reset link), so resets are only possible if you can receive the email and have the means of reading it in its "true" form.
Failing that (suppose you've not just lost your password but also the ability to decrypt the contents of the message), there should be an alternative, but the threshold for proving your identity should increase. It would ameliorate a lot if it meant that people had to show up in person somewhere. E.g., I show up at either the business's local branch (if there is one) or the USPS (or...) with my photo ID. From there, an attestation is generated that you really are who you say you are, and only with that attestation will your account be unlocked.
From Ursula K. LeGuin's indispensable "Dispossessed":
“You're really much too polite for ...”
“For an anarchist,” she said, in her thin and affectedly drawling voice (it was the same intonation Pae used, and Oiie when he was at the University). “I'm disappointed. I thought you'd be dangerous and uncouth.”
She glanced up at him sidelong. She wore a scarlet shawl tied over her head; her eyes looked black and bright against the vivid color and the whiteness of snow all around.
“But here you are tamely walking me to the station, Dr. Shevek.”
“Shevek,” he said mildly. “No `doctor.'”
“Is that your whole name — first and last?”
He nodded, smiling. He felt well and vigorous, pleased by the bright air, the warmth of the well-made coat he wore, the prettiness of the woman beside him. No worries or heavy thoughts had hold on him today.
“Is it true that you get your names from a computer?”
“How dreary, to be named by a machine!”
“It's so mechanical, so impersonal.”
“But what is more personal than a name no other living person bears?”
“No one else? You're the only Shevek?”
“While I live. There were others, before me.”
“Relatives, you mean?”
“We don't count relatives much; we are all relatives, you see. I don't know who they were, except for one, in the early years of the Settlement. She designed a kind of bearing they use in heavy machines, they still call it a `shevek.'” He smiled again, more broadly. “There is a good immortality!”
Vea shook her head. “Good Lord!” she said. “How do you tell men from women?”
“Well, we have discovered methods...”
The five- and six-letter names issued by the central registry computer, being unique to each living individual, took the place of the numbers which a computer-using society must otherwise attach to its members. An Anarresti needed no identification but his name. The name therefore, was felt to be an important part of the self, though one no more chose it than one's nose or height.
Non-physical things such as a reputation can be stolen or at least borrowed, too.
Examples on HN:
I use my own domain on my own server with my own running mail server. Why should someone take that over?
Of course someone with state level hacking experience could do that, but I am not a target for those. Script kiddies have no luck, because you can't even login from the Internet into my server you will need to VPN into first.
It's not perfect and there are usability issues around this, but they're mostly solvable. Needing both keys around to enrol into each service can be an issue, but this could be addressed by letting a user enrol other public keys as a delegate, and present a signed delegation token allowing that token to enrol a public key on behalf of an off-site token.
Revocation is the next issue - how do you revoke either of your tokens if stolen or compromised? PKI had this issue and ended up down the CRL Vs OCSP approaches. Clearly you need to be able to revoke without the token being present (maybe storing a signed revocation for A on your B token), and some kind of gossip-based network to spread the signed revocation around. That might avoid centralising it.
As long as your "chip" is designed as an ISO smartcard, you can also rely on pin protection (I'll ignore the implanted under skin aspect, other than to observe that does adjust the threat model as deniability around knowing the PIN is lost at that point. A duress PIN that validly unlocks but generates different keys would be a potential solution here for where mistaken identity can be used as an escape from an adversary).
U2F is pretty much a "key" (some even visually looking like keys) that are used pretty much like a physical key - put the key into the keyhole (USB port), and press the flashing light. Done.
That level of UX is what we all need to build towards!
To protect against damage—which is a very real possibility, of course—I'd put identical chips in each hand, and if one fails or gets damaged, then you'd have to rotate keys by replacing both chips.
And you could have a third identical chip/key (or a different private key on another device in a safe somewhere) as a further backup, as my sibling comment recommends.
Clearly the verified URL origin of something in the real world is complex, but there are ways to potentially make this work. Devices might have certificates for a URI, and this URI could be verifiable and convey attributes like the GPS coordinates to within 25m, that you can verify before authenticating. Users could presumably also whitelist certain origins (garagedoor.home.mydomain.net)
All of this apart from the subdermal part actually could work out well - a small number of people already do this via U2F, or even traditional smartcards.
My current solution is that the device has three functions: encrypt/sign with private key, decrypt with private key, and send public key. They would be protected by a PIN—probably a six-digit alphanumeric pin. You might want to rate limit PIN attempts to one per second, as well.
With this scheme, I can't see how it would compromise privacy or security. No one can just scan your hand and know your identity, since you need the PIN to get your public key. And since all encryption/decryption happens on the chip, the chance that your private key gets stolen is pretty much as low as possible.
If you see any flaws with this scheme—I certainly wouldn't be surprised if there are, I just can't see any right now—please critique away!
What do the other 206,868 people do?
If a similar system were implemented in the United States, that would leave 6,514,383 out. What do you do with six million people who can't be part of the standard ID scheme?
I love BankID but I have been using it since the start and know the pitfalls to watch out for. Most people does not know the problems though.
What agency manages BankID in Sweden? I would imagine in a better world, the US Postal Service could be doing some of this work in the states at a federal level, but I wouldn't get my hopes up.
This is the only technique I think might work till someone social engineers people at Twitter.
This way we can verify/prove our identity without handing over those markers to multiple 3rd parties.
The world can have high def scans of my fingerprint for all it matters, they can’t produce a living human finger with the same print. And if you can’t reasonably ensure that you’re taking a reading from a living human then you shouldn’t be using biometrics.
Biometrics is not transmitting a picture of a fingerprint, it’s presenting your hand.
Having your email secured by a password locked by a device you trust doing biometric auth is perfectly fine. Having a website somehow store your print isn’t.
What would this "hand data" look like? A 3D model of a hand MRI or X-Ray?
Based on my understanding, in any form of biometric authentication, some amount of static data (i.e. the biometric database is not receiving a secure, updating feed of the state of your hand/body) is stored on the server and compared with the data transmitted for authentication. Biometrics change (fingerprints can be rubbed off from gardening, DNA mutates, etc.), so this static biometric data is something that is mostly environment-invariant.
If someone can compromise your "full hand scanner" or compromise the biometric database (which will inevitably happen), then you are compromised for life, since you cannot change your hand.
Suppose this happens. The world now knows all of your fingerprints. And at some point in the future you walk up to the desk of a datacenter where there's a security guard who phyiscally takes your hand, inspects it, and places it on the scanner. Can someone other than you pass this check?
Biometrics are a hard, mostly unsolved the problem, because the hard part is replacing the human security guard who verifies that you're scanning a real person's hand. For not super security sensitive applications TouchID, FaceID, and friends are good enough because most people aren't in Face Off or Mission Impossible.
The point here is that this is completely wrong. Biometrics can be stolen and they're unreplaceable. There's no device in the world that can be sure it's reading a fingerprint from a living human. Drop a quick query into Google, you'll find dozens of methods that fool Apple's TouchID and that's probably one of the more robust implementations as it makes it rather difficult to do something like replace the sensor and feed in fake data directly to the system. There's only so much you can do to tell human flesh from inanimate objects when all you have is a tiny fingerprint sensor.
> Biometrics is not transmitting a picture of a fingerprint, it’s presenting your hand.
Biometrics is read with sensors, sensors produce data, data can be copied. If you were to publish scans you would have effectively allowed anyone the information needed to fake your fingerprint and authenticate as you. That's the definition of compromise.
Also, you're discounting the possibility of multiple layers of biometric + non-biometric authentication. Password/Private-Key + retina scan + left big toe-print scan >= Password/Private-Key.
I also think there are ways to authenticate your identity outside of static data-points if there's a trusted 3rd party real-time system involved.
If you think of biometric auth as “the scan of your eye/hand/whatever is just a password” then I can’t help you and of course that system can be compromised. “Upload a PDF of your fingerprint" is the silliest auth system of all time.
Unless you have a human to sit there validate that they're reading from an actual human, isn't this essentially what biometric auth is? Am I missing something here? No reasonably sized machine can certainly do the needed verification with the limited information they have.
Not to mention - if it were to be heavily relied upon for security for a very high value target, say one of those bitcoin vaults with hundreds of millions of dollars locked away, you can certainly envision a world where you could get grafted silicone fingertips installed by a plastic surgeon that would likely fool humans based on the exact sort of data leak we discussed.
> You can certainly envision a world where you could get grafted silicone fingertips.
If you built a system that's so secure that this is the lengths you have to go to beat it then you would be an overnight billionaire if you brought it to market. Like at this point you've achieved human-level verification. Assuming it was small enough to go in phones it would be revolutionary!
What happens when you lose the local machine?
Edit: you can do all this on namecheap pretty easily.
There is nothing more frustrating when you're recovering your password and the site says we have sent you an email with no hint where and even worse sometimes they say "if that email was in our records then you should get the link" and you're wondering did that work and #1 worst is after making me solve 10 traffic lights and zebra crossings.
Because at that moment I feel it's just easier to start over and create a new account.
Monitor having issues. Google solution. Land on a forum, but to see the full post / solution it requires email registration. I register with a junk yahoo type email address. Complete the long form, solve all the traffic lights, etc. Then get the solution, make a few posts and probably forget about it.
Monitor having problem again after 2 years same forum but it says my very unique username is taken. Now, I vaguely remember creating an account but don't remember what email I used. I try to reset my password but dang, each time it says "If that email was in our db you'll get it". If I get a hint I used yahoo maybe I can resume and hopefully use my old account and some post count than starting a 1 day old account with 0 post.
It's, as always, about a balance between faster user experience and more extensive security features.
I doubt it's a large portion. It costs money for each hijacked account, and custom domains I would assume are only used on a tiny fraction of accounts. The vast majority of stolen accounts I would attribute to credential stuffing.
Beyond that, it is not a company problem IMO. One of the most common uses for custom domains is custom email addresses. If a website prevented me from using it, as you propose, I would be flabbergasted.
Good practice for users in general is to use email services like gmail as thier login/account email and add thier custom domain emails in thier bio.
No thank you, I don't want a mandatory backdoor for every government that might want to claim jurisdiction over one of those large worldwide providers.
No. I have a domain precisely because of avoiding a monopoly, duoplily, oligopoly on my email. Any service that required this would have me walk. The footsteps of a single zhte415 may not be loud, but I feel, especially in tech, I would not be alone.
Great, if we do this, we've done to e-mail addresses (and domains) what we've done to phone numbers. Some phone numbers, because of the carrier serving them, are "less than" others out of some (mistaken) idea that it's easier to get a bulk-load of phone numbers from some kinds of carriers and not others.
And then, what do you do when a new provider wants to join the scene? It already takes a year of process and documentation for a new certificate authority to get into most browsers and even then the adoption will be years in the making because most devices don't get root certificate updates. What's the process like for e-mail in your hypothetical? Does Hey.com not even bother because getting buy-off from even the top 50 account-based web sites takes forever?
> Good practice for users in general is to use email services like gmail as thier login/account email and add thier custom domain emails in thier bio.
Absolutely not. The entire point for using my own domain is so my identity is not irrevocably tied to Google. When Google can, and does, nuke my account from orbit on a whim due to some perceived slight, I have no recourse. I can't even sue because of the mandatory arbitration clause they slapped in their several-thousand-word terms of service.
But when I click Forgot Password, it asks me for my username and also the email address before I can continue.
How do you get the email address hint like the article shows?
Why? I figure that's generally either for spamming or viewbotting (Re: likes, stars, etc) purposes especially on sites that don't require email verification to do things.
Ironically enough, I've been vulnerable to the described attack afterwards as I had my own domain, didn't use it much anymore, and gave it away (to a band with the same nickname). Back then, a domain was pricey, and I was poor, so...
You don’t need another discovery method after you take their Twitter account and email :)
Only for targets not on twitter.
My point is that Twitter is probably enough.
But if you really just want to compare domain names that are expiring to email addresses, you can just use one of those business bots that spammers, recruiters and sales people use, and just check emails in their database to domains expiring.
10 years limit on domain registrations seems ridiculous, we need lifetime-span registration capabilities, at least.