
One huge problem: Email address != identity.

I should be able to change my email address (and/or email hosting provider) without changing my identity on a bazillion sites around the internet. Facebook got this right from the beginning. Google is sort-of getting this, although the chasm between Google Accounts and Google Apps Accounts makes this really messy.

Really this product should be called BrowserEmailAddress, not BrowserID. It doesn't serve identity.




I agree that email address != identity, but nothing would stop a site that uses BrowserID from allowing a user to change the email address that they use on that site.

It's very similar to the countless existing services that rely on email for identity... you'd just have to verify ownership of the new email address (usually through a confirmation email).
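
Added example, not part of the thread and not BrowserID code: a sketch of the flow this comment describes, with the account keyed by an opaque user id and the email address kept as a mutable attribute that changes only after the new address is confirmed. The `Accounts` class, its method names, and the HMAC-signed token format are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # per-deployment signing key (constructed here)
TOKEN_TTL = 3600                   # seconds a confirmation link stays valid

class Accounts:
    """Accounts keyed by an opaque user id; the email is a mutable attribute."""

    def __init__(self):
        self.email_of = {}   # user_id -> verified email
        self.id_of = {}      # verified email -> user_id (login lookup)

    def register(self, email):
        user_id = secrets.token_hex(8)
        self.email_of[user_id] = email
        self.id_of[email] = user_id
        return user_id

    def _mac(self, user_id, new_email, expires):
        # Binds the token to one account, one new address and one expiry time.
        msg = f"{user_id}|{new_email}|{expires}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def request_change(self, user_id, new_email, now=None):
        """Return the token that would be mailed to new_email."""
        if new_email in self.id_of:
            raise ValueError("address already in use")
        expires = int(now if now is not None else time.time()) + TOKEN_TTL
        return f"{expires}.{self._mac(user_id, new_email, expires)}"

    def confirm_change(self, user_id, new_email, token, now=None):
        """Swap the address only if the token matches and has not expired."""
        now = now if now is not None else time.time()
        try:
            expires_s, mac = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return False
        expected = self._mac(user_id, new_email, expires).encode()
        good = hmac.compare_digest(mac.encode(), expected)
        if not good or now > expires or new_email in self.id_of:
            return False
        del self.id_of[self.email_of[user_id]]   # old address stops resolving
        self.email_of[user_id] = new_email
        self.id_of[new_email] = user_id
        return True
```

The user id never changes across the swap, so anything the site has stored against it survives the move to a new address.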


My thoughts exactly. I actually respect the thinking process which is: rather than invent something from scratch (some new user ID), let's use something that everyone is already familiar with: a traditional e-mail address.


Sure, every website can implement this flow, and users could go to every website they've ever logged into and update their email address... assuming it all works properly even though they might not have access to the old email address anymore.

At the very best this technology offers considerably less value to websites and more hassle to users than Facebook or Google. And it's about 5 years too late.


"Sure, every website can implement this flow, and users could go to every website they've ever logged into and update their email address... assuming it all works properly even though they might not have access to the old email address anymore."

And how is this different than the current situation? Nearly all web sites require an email address. With BrowserID, you at some point confirmed ownership of that email address, so you could continue to use it to login, then change when you're ready.

"At the very best this technology offers considerably less value to websites and more hassle to users than Facebook or Google. And it's about 5 years too late."

Tell that to users who a) don't have Facebook accounts or b) don't want to use Google or Facebook with their identity. Far more people have email addresses than Facebook or Google accounts.


Fast forward another ten years. Do you really think typical websites will still ask people to create usernames and passwords? I predict that the current trend of "offload that crap to Facebook/Google/BrowserID" will continue. Even BrowserID.org makes that assumption.

The question is whether a BrowserID identity is as useful as one of the established identity providers. You start out with a chicken-and-egg problem; websites won't consume BrowserID if users aren't using it, and users won't use it if websites aren't asking for it. What will overcome this Catch-22? Techwise, the dependence on email seems less compelling than Facebook or Google auth.

Maybe BrowserID can rely on mass distrust of Facebook and Google. I'm not sure that's sufficient though - especially with Google.


facebook, i agree, makes sense for an assertion of your public, real-name identity. there will always be sites and situations where i do not want my real name associated with what i do there.

google auth is just one provider of the same identity as browserID-- an email login. so, imo, browserID is a strict improvement, in that it is more seamless than google auth in regular usage (leveraging the browser as the user agent), and works with more providers.


I understand the sentiment but simply because a solution doesn't cover all use cases (users must be able to change email addresses) doesn't mean it can't be usable. Also, we constantly use services where you cannot change your email address because that's how the system identifies you, so this dependency on email addresses isn't new at all.

(One work-around would be to use a disposable e-mail address service and redirect your emails as needed.)


aka add a level of indirection, just like the solution to every other problem in computer science. :)


> Facebook got this right from the beginning.

What a weird double-standard. A feature of email (that you can have several, and you can change which one you use) is a failure, and a failure of Facebook (that it's one site, forever) is a feature?

We're all familiar with ways to migrate from one email address to another. If/when you leave Facebook/it disappears, how will you migrate your identity then?


Email is a tool whose value lies primarily in my ability to communicate with other users. Many people (including me) have several email addresses that we use for different purposes. That an email address can be used as an identity is something of an afterthought, and doesn't really fit into the "have multiple email accounts for different communication purposes" paradigm.

My Facebook account is an identity first and foremost. People do not typically have multiple Facebook accounts (a TOS violation). If that account goes away, that identity goes away.

You might make an argument that websites should allow you to aggregate multiple identities (Facebook, Google+, MS, Yahoo, etc) into a single account, or that there should be some sort of an identity provider that creates an aggregate identity across all those services. To an extent some of these websites are already doing something like this peer-to-peer - Facebook is an OpenID consumer, for example. Maybe sometime in the future this will be a big issue. But right now it isn't, and email-as-identity is already an annoying problem.


"My Facebook account is an identity first and foremost."

Now imagine 5 years ago you said "My Friendster account is an identity first and foremost."


I'm not saying that identity management won't be an ongoing problem, especially if large repositories of identity rise and fall with fashion.

On the other hand, email is already known to be an unstable key for identity. And the "market" for identity providers is a lot more mature than it was 5 years ago. Besides, what if Friendster had established itself as a public identity provider 5 years ago? Maybe we would be using Friendster instead of Facebook today. Who knows.


> On the other hand, email is already known to be an unstable key for identity.

Would you be happier if there was only one company that provided email service and you were only allowed to have one address? That's essentially the situation with Facebook.

You're free to apply whatever constraints you like to your use of email. An email address is as unstable an identity as you make it.


Downvotes? Wow, that's unnecessarily harsh.

Two close friends of mine were the #2 and #4 employees of Friendster. I seriously considered becoming #3. I had a pretty good outsider's view of the early years.

Yeah, they screwed up the scaling pretty badly. But even worse they screwed up the business - after you set up your profile and looked around, there wasn't much more to do (unless you were single and looking). People were already using Friendster as an identity (emailing links as a "you mean this person, right?"). Maybe if they'd opened an API and enabled third-party apps, they could have maintained this position. It's a big "what if" but it can't be dismissed outright.


In the literal sense that you are not your e-mail, yes email != identity.

In a practical "on the internet sense," your email really is your identity (maybe SSN or name would be a better description; you can change it, but to do so is catastrophically disruptive). After all if you can't be contacted you really can't be identified, and the universal way of contacting someone online is through email.

Now, you should definitely try and provide some redundancy (store multiple email addresses, long living sessions, whatever) and make your anonymous/unauthenticated/drive-by user experience stellar. But when push comes to shove if you can't send them a "forgot your username/password/open-id/samoflange" email, you've lost that user.

(anecdote: I've had the same primary email for >7 years)



Alas, email address has become the online analog to the venerable SSN.


OTOH, facebook id != identity, neither is twitter username. There will always be some id that you won't be able to change. But you are right that email is a bad choice, and i was surprised they give away the email address to developers. They should provide the browserid.org ID only.


it's a compromise move-- the reason most sites today rely on email, fb, or twitter is that it's a way to 1) contact the user, and 2) tell/help the user to tell his/her friends about something.

the team is in talks now about cooperation with another mozilla labs project centered around 1-off email generation for quick and easy anonymity with sites



