Greatly simplified the process of verifying your email address online. You don’t need to click on the verification link in your inbox or enter a verification code sent to your email. This new protocol allows browsers to handle the verification process directly while you stay logged in to the website. Your email provider will confirm that you are the rightful owner of the mailbox with your existing login credentials and return a security token to the website.
In today’s Internet world, “email verification” is almost everywhere. Register an account, retrieve your password, bind your login method…… We’re used to the process of “receiving a verification code → backfilling,” but it’s not as cumbersome as it is safe:
- Poor user experience: Manually jump to email, copy and paste verification codes
- Limited security: Verification codes can be attacked by phishing emails, hijacking text messages, etc
- Privacy leakage: The website has access to user email addresses and can send you emails as many times as you want
In order to change this “old way of verifying mailboxes”, the WICG (Web Incubator Community Group) has proposed a new draft: the Email Verification Protocol.
It tries to use browser + email service provider + encryption certificate to allow websites to verify “whether this email is yours or not” without reading the email address or touching privacy.
1. What problems does this agreement want to solve?
Traditional email verification methods have significant drawbacks:
1. Poor user experience
Go to the email to receive the verification code → Return to the page to enter.
An operation is divided into three steps, and it may get stuck in the middle.
2. Safety hazards
CAPTCHAs are essentially “secrets that can be intercepted”.
If an attacker can read the email in advance, they can impersonate you to complete the verification.
3. Privacy exposure
The website can see your email address and send you emails at will.
4. Lack of standardization
The current email authentication is entirely dependent on the business layer and is not a web standard.
Neither the experience nor security can be uniformly improved by browsers.
II. Objectives of WICG:
Use web standards to make email verification an automated, secure, and privacy-friendly process
The basic concept of protocol design can be summarized in two sentences:
- Mailbox attribution verification should be done by the system, not by email verification code.
- Websites only need “proof” and don’t need to see the contents of the mailbox.
In other words,
Future websites may no longer need to send you verification emails.
3. How does the agreement work? (Vernacular version)
The whole process can be understood as a “three-way dialogue”:
↔ Website Browser ↔ Email Service Provider (e.g. Gmail, Outlook)
Here’s a typical process:
(1) The user enters the email address on the website
For example: [email protected]
(2) The website makes a “verification request” to the browser
The browser is responsible for communicating with the mailbox service provider.
(3) The browser asks the email service provider: “Does this email belong to the current user?” ”
The email service provider checks the status of the current logged-in user.
If the email address does belong to the currently logged in user, then:
(4) The mailbox service provider generates an encryption certificate (token)
Includes:
- The mailbox does belong to this user
- The signature is guaranteed to be non-forgeable
- It does not contain private information such as email content and email data
(5) The browser returns the token to the website
Websites can verify signatures to confirm email ownership.
The whole process does not require a verification code, and the email password or email content will not be exposed.
The user’s experience becomes similar to “web page automatic verification of mobile phone number”:
No jumps, no verification codes, no information leakage.
4. Highlights of the technical characteristics of the agreement
1. Privacy protection
The website cannot read the email and will not get your real email login status.
The website only gets a “one-time, signed certificate”.
2. Higher security
- No verification code → cannot be phished
- Cryptographically signed → Websites cannot fake authentication
- Browsers participate in → web platform to manage security risks in a unified manner
3. Strong experience
Automatic verification without leaving the current page.
4. Strong standardization ability
If supported by Chrome / Firefox / Safari, this will become one of the basic capabilities of the web, as popular as WebAuthn.
5. What is the core difference between it and CAPTCHA?
| project | Traditional CAPTCHA | Email Verification Protocol |
|---|---|---|
| Validation medium | Email content (interceptable) | Cryptographic signature proof |
| Privacy | Your email address and email address can be seen on the website | The website cannot see the mail |
| User experience | Jump to the mailbox → Copy the verification code → backfill | The browser completes the verification automatically |
| Unity | It is entirely up to each website to implement it on its own | Web standards-level competencies |
| Security | Easy to be fished | Stronger encryption and non-forgeability |
Essentially:
The verification code is “You tell the website that you received the email”.
The new agreement is “the mailbox service provider tells the website that you are the owner of the mailbox”.
6. The current progress and ecology of the project
The repo on GitHub is in the WICG draft stage.
Features are as follows:
- Threat models, security perimeters are being discussed
- It has not yet become a W3C official standard
- Browser manufacturers and email manufacturers are participating in the review
- It may be included in the HTML/Web API standard system in the future
If Gmail and Outlook join in the future, and Chrome and Firefox support it, then its popularity will be very fast.
7. Summary
WICG’s Email Verification Protocol is a draft that attempts to redefine mailbox authentication with web standards:
- Automatic verification without captchas
- The contents of the email address are not exposed
- More secure and private
- Browser + email service provider collaboratively completed
- has the potential to become a new web foundational competence
Github:https://github.com/WICG/email-verification-protocol
Web Incubator Community Group · W3C official website: https://www.w3.org/community/wicg/
Tubing: