Email <> Identity Service

A couple of months ago, Yahoo announced its intention to recycle email addresses that have been dormant for a year. There has been some discussion about this in the security community because the implications could be bad: the new owner of a recycled address could hijack the previous owner's identities at any web site where that address was registered.

The core problem in all of this is that email is being used as an identity verification mechanism through “ownership-based” identity proofing. Many sites assume that if a person can receive email at a particular address, then that person owns the address. Based on that assumption, many web sites are fine with allowing a user's password to be reset over email. This is a faulty assumption for several reasons:

  1. Some people share a single email address among many family members. I know a few families that have a single email address that each family member shares. The idea is noble, that there is nothing to hide. In practice, however, it weakens the security of each family member's identities on the Internet, because anyone with access to the shared mailbox can reset any family member's passwords.
  2. There's nothing to stop an email address from being transferred to a new owner. I don't think many of us would even have considered this scenario, because we just wouldn't expect a large email provider to recycle addresses. Since Yahoo is moving in this direction, this is going to be a real issue that we will have to deal with. It becomes particularly problematic for my clients that are thinking of using identities asserted by social identity providers (such as Yahoo): the provider can only assert who controls the address today, not whether that is the same person who controlled it last year.
  3. You're relying on the security of the email provider to prevent the email address from being stolen. You're only as secure as the weakest link in the identity chain. If a web site enforces a strong password but allows that password to be reset over email hosted by a provider that does not enforce a strong password, then the security of the web site for that user is effectively reduced to the security of the provider.
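To make the second point concrete, here is a small simulation of the recycling scenario. It is an added example for this post, not code from Yahoo or from any site discussed here; the mail provider, the web site, the user names and the recovery code are all constructed for illustration. The naive site treats "can read the mailbox" as proof of identity; the hardened variant additionally demands a recovery secret that was registered with the account and that a new mailbox owner does not have.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


class MailProvider:
    """Toy mail provider whose addresses can change hands (constructed model)."""

    def __init__(self):
        self.owner = {}   # address -> current owner
        self.inbox = {}   # address -> delivered messages

    def register(self, address, owner):
        self.owner[address] = owner
        self.inbox[address] = []

    def recycle(self, address, new_owner):
        # A dormant address is released and claimed by someone else. The new
        # owner starts with an empty mailbox, but the address string is identical.
        self.register(address, new_owner)

    def deliver(self, address, message):
        self.inbox[address].append(message)

    def read(self, address, reader):
        # Only the current owner can read the mailbox. This check is the entire
        # "proof of identity" an email-based password reset relies on.
        if self.owner.get(address) != reader:
            raise PermissionError(f"{reader} does not control {address}")
        return list(self.inbox[address])


@dataclass
class Account:
    user_id: str
    email: str
    salt: bytes
    password_hash: bytes
    recovery_secret: Optional[str] = None   # a second factor the mailbox cannot supply


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class WebSite:
    """A site that resets passwords over email; require_second_factor hardens it."""

    def __init__(self, mail, require_second_factor):
        self.mail = mail
        self.require_second_factor = require_second_factor
        self.accounts = {}    # user_id -> Account
        self.pending = {}     # reset token -> user_id

    def register(self, user_id, email, password, recovery_secret=None):
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, email, salt, _hash(password, salt), recovery_secret)

    def login(self, user_id, password):
        acct = self.accounts[user_id]
        return hmac.compare_digest(acct.password_hash, _hash(password, acct.salt))

    def request_reset(self, email):
        # Looks the account up by address and mails a token: whoever reads the
        # mailbox right now receives it, regardless of who registered the account.
        acct = next(a for a in self.accounts.values() if a.email == email)
        token = secrets.token_urlsafe(16)
        self.pending[token] = acct.user_id
        self.mail.deliver(email, f"reset:{token}")

    def complete_reset(self, token, new_password, recovery_secret=None):
        user_id = self.pending.pop(token)   # unknown or already-used tokens raise KeyError
        acct = self.accounts[user_id]
        if self.require_second_factor:
            # Email possession alone is not accepted; the caller must also present
            # the recovery secret bound to the account (stand-in for a real second factor).
            if acct.recovery_secret is None or recovery_secret is None \
                    or not hmac.compare_digest(acct.recovery_secret, recovery_secret):
                raise PermissionError("reset needs proof the mailbox cannot provide")
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash(new_password, acct.salt)


def recycled_address_takeover(require_second_factor):
    """Replay the recycling scenario; return True if the new owner of the
    address ends up able to log in to the previous owner's account."""
    mail = MailProvider()
    site = WebSite(mail, require_second_factor)
    mail.register("alice@example.com", "alice")
    site.register("alice", "alice@example.com", "correct horse", recovery_secret="A7K2-9QX1")

    mail.recycle("alice@example.com", "mallory")   # address goes dormant and is reissued

    site.request_reset("alice@example.com")        # mallory asks for a reset of alice's account
    token = mail.read("alice@example.com", "mallory")[-1].split(":", 1)[1]
    try:
        site.complete_reset(token, "owned", recovery_secret=None)   # mallory has no recovery secret
    except PermissionError:
        return False
    return site.login("alice", "owned")


if __name__ == "__main__":
    print("naive site hijacked:   ", recycled_address_takeover(False))
    print("hardened site hijacked:", recycled_address_takeover(True))
```

The naive site hands the account to whoever controls the address at the moment of the reset, which after recycling is the new owner. The hardened site still sends the token by email, but the email only starts the flow; finishing it requires something that was bound to the account rather than to the address. The same check also defeats the shared-family-mailbox case from the first point.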

Email is great as a notification or message delivery mechanism, but it's an awful identity service and shouldn't be used as one.