OpenID for Email Verification?

I have a need to verify user email addresses, which I’ve been doing the traditional way – sending an email with a secret to the user’s address and having them reply or click on a URL.

Unfortunately this is not optimal – emails tend to not make it to the user, go into bulk/spam buckets, and are less real-time than I’d like. I’m looking for a better way.

I’m hoping OpenID will help me. I mainly care about Yahoo, Google, and Hotmail, all of which support OpenID to some extent.

I believe OpenID Simple Registration is what I’m looking for. I have a lot of homework to do to see which providers support SREG, how to use them, etc. I’ll post my progress here, and if you have knowledge / experience with this, please leave a comment below.

2 Comments so far

  1. Simon Willison on June 26th, 2008

    Unfortunately sreg is almost entirely useless for your intended purpose – there’s nothing in the sreg spec that guarantees the e-mail address provided has been confirmed in any way. I wrote up a note about that here: http://simonwillison.net/2007/Jun/30/sreg/

    Even Yahoo!’s OpenID provider won’t help you out here because users of that service have the option to send over a randomly generated string as their OpenID instead of their regular Yahoo! account name.

    I’m afraid sending an e-mail with a link in is still by far the most reliable way of solving this problem.

  2. Parand on June 26th, 2008

    Thanks Simon. I’m experimenting with Google AppEngine and that easily gives me the user’s email address after they consent. I’m guessing I could do something similar with Yahoo’s addressbook API, although I haven’t looked at it yet.

    The question then becomes: is it worthwhile to wrap these in an OpenID context, or hack my own way around it? I’m leaning heavily toward hacking my own way, as I’d like to make the user experience as seamless as possible…
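
Added example, not part of the original post or either comment: one way to combine the two approaches discussed above is to accept the sreg e-mail only as an unverified hint and still confirm it with a mailed link. The account store, key handling, token format and function names are assumptions made for this sketch; `openid.sreg.email` is the Simple Registration field name.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # per-deployment signing key (assumption)
TOKEN_TTL = 24 * 3600                 # lifetime of the mailed link in seconds (assumption)
ACCOUNTS = {}                         # constructed in-memory store: user_id -> record

def _sign(user_id, email, expires):
    # Bind the signature to the user, the exact address and the expiry time.
    msg = f"{user_id}\n{email.lower()}\n{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def record_sreg_email(user_id, openid_params):
    """Store the provider-supplied address as UNVERIFIED and return the
    token to embed in the confirmation link mailed to that address."""
    email = openid_params.get("openid.sreg.email", "").strip()
    if "@" not in email:
        return None  # provider sent no usable address
    ACCOUNTS[user_id] = {"email": email, "verified": False}
    expires = int(time.time()) + TOKEN_TTL
    return f"{expires}.{_sign(user_id, email, expires)}"

def confirm_email(user_id, token, now=None):
    """Handle a click on the mailed link; True only for a valid, unexpired
    token issued for this user's currently stored address."""
    account = ACCOUNTS.get(user_id)
    if account is None:
        return False
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    current = time.time() if now is None else now
    if current > expires:
        return False  # link expired
    expected = _sign(user_id, account["email"], expires)
    # Constant-time comparison avoids leaking signature bytes via timing.
    if not hmac.compare_digest(expected.encode(), sig.encode("utf-8", "replace")):
        return False
    account["verified"] = True
    return True
```

Because the signature covers the stored address, a token issued for one address stops working if the account's address is changed before the link is clicked.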
