Allow for one-time email assertion #853

Closed
stickfigure opened this Issue Jan 7, 2012 · 2 comments

4 participants

@stickfigure

BrowserID seems an excellent way to assert an email address even outside the context of authentication. For example, even standalone username/password systems need to be able to establish a verified email address. Right now this is almost always done with the standard confirmation email, but BrowserID could replace that process with much better UX. Also, many systems using BrowserID may have multiple login options (Facebook, G+, etc) and it would be convenient to use BrowserID for all change-email-address workflows.

Right now, if a system without BrowserID auth wants to use BrowserID for change-email-address workflow, users will be required to create a password when using the browserid.org secondary auth. This extra password requirement is confusing if the user didn't log in with BrowserID in the first place. It seems like this could be fixed by allowing a "one-time" email assertion; the relying website can save the trusted email address but the user will not necessarily be able to authenticate with it.

More in this thread:

https://groups.google.com/forum/#!topic/mozilla.dev.identity/L-C7WjGkb-Y

@skinny97214 skinny97214 was assigned Jan 12, 2012
@fmarier
Mozilla member

Another use case for this sort of feature is to add a secondary (or a third, fourth, etc.) email address to an existing account.

@shane-tomlinson
Mozilla member

Closing this request until we decide whether we want to do it as a feature. If you feel strongly, please re-open discussion on the list so that we can make a decision in the open.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment