Authentication
Authentication is a method by which a human (or another computer) identifies itself with another computer.
User Name and Password Authentication
Most computer based authentication is via a User Name and Password.
A drawback of using User Names at all is that each user must have a unique user name on a given web site so that the computer system can tell them apart from other users.
With the growth of the internet, the User Name (and the problem of choosing a unique one) has often been replaced with an Email Address, since an email address is already unique to an individual.
User Name and Password authentication is the most primitive, but most easily implemented, form of authentication.
Email Address Authentication
Many web sites use a person's email address as a backup form of authentication. This is most commonly used by sites to reset Forgotten Passwords.
That is, the assumption is: if someone is able to read email sent to a particular email address, then they must be the owner of that email address.
Note that, because of how internet email works, only the receipt of an email at a particular email address can be considered authentication; sending an email from an email address is not considered authentication. This is because anyone can send an email and make it appear to come from any other email address.
Recent developments in email technology have made the origin of a received email more dependable. Two technologies, Sender Policy Framework (SPF) and DomainKeys, have made spoofing an email address more difficult; however, they are not universally adopted.
Email Address authentication works as follows:
- A web site sends an email to an Email Address with a special, random token that would be very difficult to guess, typically embedded in a link back to the web site.
- When the user receives the email, they click on the link, which returns them to the web site and sends the random token back with the request.
- If the token matches the one stored for that email address, the web site can safely assume that the person clicking the link is also authorized to access that email inbox.
For example:
To: Jane Doh <user@example.com>
From: ConversionRuler Support <support@example.com>
Subject: Email Verification for user@example.com

You recently changed your email address at:
http://conversion.marketruler.com/user/validate.php?Hash=e1f1841144caf47073d99af7df2a3018

This email serves to validate your email address. To verify your email, please click on the following link:
http://conversion.marketruler.com/user/validate.php?Hash=e1f1841144caf47073d99af7df2a3018

Your user name: jane_doh

If you have any questions, please contact us:
http://support.conversionruler.com/
Monday through Friday, 9:00AM through 5:00PM EST

--
ConversionRuler.com
A product of MarketRuler
P.O. Box 1537
Media, PA 19063 USA
In the above example, the web site stores the random token: e1f1841144caf47073d99af7df2a3018
If the recipient of the email can prove they received this token (which is hard to guess), that proves they have access to the email address the token was sent to.
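The token flow described above, as an added example in Python that is not part of the original page or of the ConversionRuler site; the validate endpoint URL, the one-day lifetime, the in-memory store and the sample address are assumptions. It also adds the single-use and expiry checks a practitioner would want, which the page does not spell out.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Stand-in for a database table: sha256(token) -> (email address, expiry time).
# Only a hash of the token is kept, so a leaked table does not yield working links.
_pending = {}

TOKEN_TTL = 24 * 60 * 60  # seconds a link stays valid (assumed value)

# Hypothetical endpoint, modelled on the validate.php link in the sample email above.
VALIDATE_URL = "https://www.example.com/user/validate.php"


def issue_token(email, now=None):
    """Create a hard-to-guess token for `email` and return the link to put in the mail."""
    now = time.time() if now is None else now
    token = secrets.token_hex(16)  # 128 random bits; 32 hex characters like the Hash above
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = (email, now + TOKEN_TTL)
    return f"{VALIDATE_URL}?{urlencode({'Hash': token})}"


def token_from_link(link):
    """What the site receives when the recipient clicks the link: the Hash parameter."""
    params = parse_qs(urlparse(link).query)
    return params.get("Hash", [""])[0]


def verify_token(token, now=None):
    """Return the email address the token proves access to, or None.

    A token is single use and expires after TOKEN_TTL; both cases return None.
    Looking up by digest means the secret token itself never touches the store.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)  # pop: the same link cannot be replayed
    if entry is None:
        return None
    email, expires = entry
    return email if now <= expires else None


if __name__ == "__main__":
    link = issue_token("user@example.com")  # constructed sample address
    print("link to email:", link)
    print("first click proves:", verify_token(token_from_link(link)))
    print("second click proves:", verify_token(token_from_link(link)))
```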