Support Authentication

When I sign up for an online service, I like to use an email address that’s unique to that service, i.e. something like [email protected]. Email for my-special-domain.com is then configured to forward all incoming mail to my personal email address.

This allows me to do two things:

  1. Know which services sell my address on to third-parties. (If I start getting spam on this domain, I can figure out where it came from.)
  2. Kill any address for which incoming mail gets out of hand.

This works fine, except for one problem, and it’s a problem that shouldn’t exist:

Often when emailing [email protected], I’ll get a reply back indicating that—for “security” purposes—I must email support from the address associated with my account at the service.

What’s the problem with that? The problem is that the “from” address of my support enquiry provides absolutely no authentication or security at all, since email headers are dead-easy to forge.

Therefore, if a service wants to authenticate support conversations, there’s only one way to do it, and that is to provide an internal messaging system accessible only once a user authenticates into the service’s website. (Most financial institutions have this, since getting user authentication right is particularly important to them.)
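The two approaches side by side, as an added example that is not from the original post: a check that trusts the From header, and an in-site ticket form that takes the account from a logged-in session. The account, addresses, password and function names are hypothetical, and the session store is a plain in-memory dict.

```python
import hashlib
import hmac
import secrets
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample data: account, address and password are hypothetical.
SALT = secrets.token_bytes(16)

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

ACCOUNTS = {"alice": {"email": "alice@example.com", "pw": _hash("correct horse")}}
SESSIONS = {}  # session token -> account name, filled in by login()

def message_claiming(sender):
    """Compose a message as any mail client does: From is a field the writer fills in."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "support@service.example"
    msg.set_content("Hello, I have a question about my account.")
    return msg.as_string()

def from_header_check(raw, account):
    """The support-desk check described above: compare From with the account address."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    return addr.lower() == ACCOUNTS[account]["email"]

def login(account, password):
    """Issue a session token only after the password verifies."""
    record = ACCOUNTS.get(account)
    if record is None or not hmac.compare_digest(record["pw"], _hash(password)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token

def submit_ticket(token, body):
    """In-site messaging: the ticket owner comes from the session, not from the message."""
    account = SESSIONS.get(token)
    if account is None:
        raise PermissionError("log in before contacting support")
    return {"account": account, "body": body}

if __name__ == "__main__":
    raw = message_claiming("alice@example.com")  # written without any password
    print("From-header check passes:", from_header_check(raw, "alice"))
```

The From-header check returns true for a message composed without any credential, while `submit_ticket` only accepts a token that `login` issued after verifying the password.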

I decided to post this to my blog, in order to have something I can conveniently point to in the future, when trying to convince these services that they’re misguided and causing unnecessary inconvenience to users who prefer to use throw-away addresses on their accounts.

Agree? Disagree? What do you think?