In SWITCH edu-ID, e-mail addresses play a crucial role not only for communication with an edu-ID user but also for authentication. Every e-mail address associated with an edu-ID account also serves as a login name. An e-mail address can also be used to reset the password of an edu-ID account, and unless Two-Step login is activated, this would be sufficient to gain control of an account.
Unfortunately, many e-mail addresses don’t belong permanently to the same person. When a student finishes her studies, she will lose her university e-mail address after some time. When a staff member changes jobs, he won’t keep his company e-mail address either.
In the case of popular names, some organisations re-assign e-mail addresses to persons with the same name, hopefully only after a long grace period. If such a “recycled” e-mail address is still associated with a user account of the original holder of this address in a system like SWITCH edu-ID, this might cause severe security problems.
Therefore, SWITCH edu-ID has some automated mechanisms to detect, remove, replace and inform about e-mail addresses that no longer work. How do these processes work?
Bounce e-Mail Processing
SWITCH edu-ID users occasionally receive automatically generated e-mail messages about their account. Such messages include, for example, notifications about account changes or a reminder that an account has not been used in a year. If the e-mail address that these messages are sent to does not exist anymore, a bounce message might be returned by the receiving mail server.
Since June 2020, SWITCH edu-ID has analyzed all bounce e-mail messages it receives. The process first checks the delivery status notification code and message. If this status indicates that the e-mail address permanently does not work anymore and that the address is not just temporarily unavailable (e.g. because the mailbox is full or due to a DNS problem), edu-ID will send a test message to this address after 5 days. If this test message also bounces with a permanent error, the e-mail address is considered stale by edu-ID.
From July till September, on average about 62 e-mail addresses per day were identified as stale.
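The bounce check described above can be sketched as follows. This is an added example, not SWITCH edu-ID's own code: the function names and the state layout are hypothetical, and the mapping of "mailbox full" and "DNS problem" to the RFC 3463 subcodes X.2.2 and X.4.x is an assumption about how such conditions are usually reported.

```python
import email
from datetime import timedelta

RETEST_DELAY = timedelta(days=5)  # delay stated in the article

def dsn_recipients(raw):
    """Return [(address, status)] from the per-recipient blocks of a DSN."""
    found = []
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() != "message/delivery-status" or not part.is_multipart():
            continue
        for block in part.get_payload():
            if block.get("Final-Recipient") and block.get("Status"):
                addr = block["Final-Recipient"].split(";", 1)[-1].strip().lower()
                found.append((addr, block["Status"].strip()))
    return found

def is_permanent(status):
    """Class 5 means permanent, but X.2.2 (mailbox full) and X.4.x (network
    and routing, e.g. DNS) describe conditions that can clear up (assumption)."""
    cls, _, detail = status.partition(".")
    return cls == "5" and detail != "2.2" and not detail.startswith("4.")

def on_bounce(state, raw, today):
    """state maps address -> {"due": date, "tested": bool}. Returns addresses now stale."""
    stale = []
    for addr, status in dsn_recipients(raw):
        if not is_permanent(status):
            continue
        entry = state.get(addr)
        if entry is None:            # first permanent bounce: schedule the test message
            state[addr] = {"due": today + RETEST_DELAY, "tested": False}
        elif entry["tested"]:        # the test message bounced as well
            stale.append(addr)
            del state[addr]
    return stale

def send_due_tests(state, today):
    """Return addresses whose test message goes out today and mark them tested."""
    due = [a for a, e in state.items() if not e["tested"] and e["due"] <= today]
    for a in due:
        state[a]["tested"] = True
    return due

def make_dsn(addr, status):  # constructed sample bounce, not real edu-ID traffic
    return ("Content-Type: multipart/report; report-type=delivery-status; boundary=b\n\n"
            "--b\nContent-Type: text/plain\n\nDelivery failed.\n\n"
            "--b\nContent-Type: message/delivery-status\n\n"
            "Reporting-MTA: dns; mx.example.org\n\n"
            f"Final-Recipient: rfc822; {addr}\nAction: failed\nStatus: {status}\n\n--b--\n")
```

A bounce that arrives before the test message has been sent does not mark the address stale; only a permanent failure of the test message itself does.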
For such e-mail addresses the following process is applied:
- If the e-mail address belongs to an active linked organisation identity, the corresponding home organisation administrators are informed. Organisation e-mail addresses of active organisation identities should work and therefore, the organisation is asked to review if there is a problem with their e-mail system or if this organisation identity/e-mail address should no longer be active.
- If the e-mail address is an additional e-mail address, it is removed and the user is informed about this removal via his still working contact address.
- If the e-mail address is the user’s contact e-mail address, this address is replaced with an additional or organisational e-mail address and the user is informed.
If the contact e-mail address is the only e-mail address, it is marked as invalid, i.e. the reserved domain name “.inactive” is appended. This prevents password resets and thus also prevents somebody with a recycled e-mail address from gaining control of a SWITCH edu-ID account. However, it also prevents a legitimate user from gaining access to the user account again unless the user can prove that this account belonged to her or him. In such cases it helps if the account contained, for example, a postal address or a mobile number. In case a mobile number is available, the user is also informed about critical account changes via SMS.
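The handling rules above, written out as an added example (not SWITCH edu-ID's own code). The account layout, the function names and the notification texts are hypothetical; `org` is assumed to hold only addresses of active organisation identities.

```python
INACTIVE_SUFFIX = ".inactive"  # suffix named in the article

def handle_stale(account, addr):
    """Apply the article's rules to one stale address and return the
    notifications to send as (channel, text) pairs. The account layout
    (contact, additional, org, mobile) is a hypothetical model."""
    if addr in account["org"]:  # address of an active organisation identity
        return [("org-admins", f"please review {addr}")]
    if addr in account["additional"]:
        account["additional"].remove(addr)
        return [("mail:" + account["contact"], f"removed {addr}")]
    if addr != account["contact"]:
        return []
    fallback = account["additional"] + account["org"]
    if fallback:
        account["contact"] = fallback[0]
        return [("mail:" + fallback[0], f"contact address replaced, was {addr}")]
    # Last remaining address: keep it on record but make it unusable.
    account["contact"] = addr + INACTIVE_SUFFIX
    if account.get("mobile"):
        return [("sms:" + account["mobile"], "contact address marked invalid")]
    return []

def may_reset_password(account, requested):
    """A reset mail is only sent to an address currently held by the account;
    an address carrying the .inactive suffix never matches a request."""
    held = [account["contact"]] + account["additional"] + account["org"]
    return requested in held and not requested.endswith(INACTIVE_SUFFIX)
```

Once the only address has been suffixed, a reset request for the original (possibly recycled) address no longer matches anything held by the account.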
Regular e-Mail Verification
While the bounce e-mail process described above identifies many inactive e-mail addresses that are used as contact e-mail addresses of a SWITCH edu-ID account, it generally does not cover additional e-mail addresses or organisational e-mail addresses because edu-ID generally sends no e-mails to these addresses. Therefore, detecting that one of these addresses no longer belongs to the user is not possible unless it is regularly verified.
In SWITCH edu-ID, regular e-mail verification was enabled in August 2020. This process checks a user’s e-mail addresses once per year. Organisational addresses are generally not checked if they are part of an active organisation identity. We assume that these addresses are under direct control of the respective organisation and that they therefore should work.
The verification is performed by an external e-mail verification service called Bouncer. This GDPR-compliant service receives a list of e-mail addresses to check. It then queries the e-mail servers of the respective address to find out if this address exists. Based on the response and some heuristics, it returns the findings to SWITCH edu-ID. If the status is “deliverable”, SWITCH edu-ID assumes that the address still works. In all other cases, where the status is “undeliverable”, “risky” or “unknown”, the SWITCH edu-ID e-mail verification process sends a test e-mail message to these addresses. If the address is not working, a bounce message is returned and the e-mail address is then processed using the above-mentioned bounce e-mail process.
If e-mails to these addresses can be delivered, the test message informs the user that the e-mail address was successfully checked and that no further action is required. In the past few months, on average 580 e-mail addresses were checked on a daily basis. For about 83% of them the status “deliverable” was returned. 8.6% received the status “risky”, which often means that the e-mail server has a catch-all address configured that will accept e-mail messages regardless of whether an address exists or not. For 6.7% of the checked addresses the status “undeliverable” and for 1.5% the status “unknown” was returned.
Combining the bounce mail process and the e-mail verification process results in the above diagram. It briefly illustrates how SWITCH edu-ID tries to keep e-mail addresses up-to-date and tries to identify addresses that no longer belong to a particular user. Even though there still might be cases where SWITCH edu-ID does not detect that a particular e-mail address no longer belongs to a user, the above-mentioned processes help to reduce these cases considerably.
In SWITCH edu-ID, e-mail addresses are login credentials and therefore it is important to keep them up-to-date. As the above article illustrates, SWITCH edu-ID includes automated processes that help getting close to this goal. Furthermore, users are also encouraged to review their e-mail addresses and ensure that their contact e-mail address is a long-term address. After all, a SWITCH edu-ID account should facilitate life-long learning. E-mail addresses ideally also exist for a lifetime.