Email addresses are not good 'permanent' identifiers for accounts

December 30, 2023

Every so often someone needs to create a more or less permanent internal identifier in their system every person's account. Some of the time they look at how authentication systems like OIDC return email addresses among other data and decide that since pretty much everyone is giving them an email address, they'll use the email address as the account's permanent internal identification. As the famous saying goes, now you have two problems.

The biggest problem with email addresses as 'permanent' identifiers is that people's email addresses change even within a single organization (for example, a university). They change for the same collection of reasons that people's commonly used names and logins change. An organization that refuses to change or redo the email addresses it assigns to people is being unusually cruel in ways that are probably not legally sustainable in any number of places.

(Some of the time there will be some sort of access or forwarding from the old email address to the new one, but even then the old email address may no longer work for non-email purposes such as OIDC authentication. And beyond that, the person won't want to keep using their old and possibly uncomfortable email address with you, they want to use their new current one.)

The lesser problem is that you have no particular guarantee that an organization won't reuse email addresses, either in general or for particularly desirable ones that get reused or reassigned as an exception because someone powerful wants them. Sometimes you sort of have no choice, because account recovery has to run through the email address you have on file, but at other times (such as in theory with OIDC), you have some form of internal ID that is supposed to be unique and permanent, which you should use.

Even if you have to remember an email address for account recovery, you want your internal identifier for accounts to be meaningless. This will make your life much simpler in the long run, even if this is never exposed to people.

(There are also security issues lurking in the underbrush of reading too much into email addresses, cf (via).)

Written on 30 December 2023.
« Your kernel panics in ZFS on Linux probably aren't actual kernel panics
Switching Linux software RAID disks around in (early) 2023 »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Dec 30 23:22:46 2023
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.