You’ve probably built that ‘verify your email’ flow a dozen times. A user signs up, you send a magic link, they click it, and boom—you just added another address to your database, ripe for the picking by the next data breach.
We’ve accepted this as the standard cost of doing business on the web. But it’s a massive security nightmare. Every time you store an email address to verify it, you’re painting a target on your users’ backs for spammers, phishers, and scrapers.
Storing an email address just to verify it is like photocopying someone’s ID to make sure they’re real, then leaving the copy in a public park.
Enter the new Email Verification Protocol, currently running an origin trial in Chrome. It’s a quiet revolution that flips the script on web authentication. Instead of forcing the user to type their email into your vulnerable form, you ask their email provider to vouch for them.
The provider confirms ownership cryptographically—without ever sending the actual address back to your server. It’s a zero-knowledge proof for identity.
The web doesn’t need your users’ email addresses; it only needs to know that they actually own them.
This isn’t just a minor privacy tweak. This could completely obsolete the traditional password reset flow. If an email provider can vouch for a user securely, why are we still sending temporary passwords through the very channels that get compromised? We are literally securing our front doors with tissue paper.
For developers, this shifts the burden of identity. You no longer hold the liability of a massive PII database. You don’t have to agonize over GDPR compliance for email addresses, because you never touch them.
True privacy isn’t asking nicely for data and promising to protect it; it’s never collecting the data in the first place.
The origin trial means you can test this architecture right now. It’s time to stop treating email addresses as necessary collateral damage in the war for user trust. Let’s kill the password reset email before the phishers do it for us.
FAQ
Q: Isn't this just another web standard that will take a decade to adopt?
A: It's in a Chrome origin trial right now, meaning you can implement it today. And since it offloads compliance risk and database liability, the business incentive to adopt is massive.
Q: Does this mean I never store user emails again?
A: For authentication and verification flows, yes. You'll still need them for sending receipts or newsletters, but your core login system can finally be PII-free.
Q: If my email provider controls my identity, doesn't that give Big Tech even more power?
A: It does consolidate trust with providers, but it also destroys the shadow databases of PII currently held by thousands of vulnerable startups. It's a trade-off between centralized trust and decentralized data leaks.