Closed-loop authentication

Closed-loop authentication, as applied to computer network communication, refers to a mechanism whereby one party verifies the purported identity of another party by requiring them to supply a copy of a token transmitted to the canonical or trusted point of contact for that identity. It is also sometimes used to refer to a system of mutual authentication whereby two parties authenticate one another by signing and passing back and forth a cryptographically signed nonce, each party demonstrating to the other that they control the secret key used to certify their identity.

This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages)

This article needs additional citations for verification. (June 2025)

This article may be too technical for most readers to understand. (June 2025)

Closed-loop email authentication is useful for simple situations where one party wants to demonstrate control of an email address to another, as a weak form of identity verification. It is not a strong form of authentication in the face of host- or network-based attacks (where an imposter, Chuck, is able to intercept Bob's email, intercepting the nonce and thus masquerading as Bob.)

A common use of closed-loop email authentication is account recovery in a shared secret relationship (for example, a website account protected by a password). Rather than emailing a copy of a password, modern sites send a time-limited, single-use reset link or token to the pre-registered address so the account holder can set a new password.^[1] Historically, some systems did email existing passwords or auto-generated new ones, but this is now discouraged because services should not store recoverable passwords.^[2]

A problem associated with this variation is the tendency of a naïve or inexperienced user to click on a URL if an email encourages them to do so. Most website authentication systems therefore permit unauthenticated password resets only via links sent to the account holder’s registered address; they do not email existing passwords or allow a user who does not possess a password to log in or specify a new one.^[3] Security guidance also cautions that email should not be treated as an out-of-band authenticator because it does not prove possession of a specific device.^[4]

In some instances in web authentication, closed-loop authentication is employed before any access is granted to an identified user that would not be granted to an anonymous user. This may be because the nature of the relationship between the user and the website is one that holds some long-term value for one or both parties (enough to justify the increased effort and decreased reliability of the registration process.) It is also used in some cases by websites attempting to impede programmatic registration as a prelude to spamming or other abusive activities.

Closed-loop authentication (like other types) is an attempt to establish identity. It is not, however, incompatible with anonymity, if combined with a pseudonymity system in which the authenticated party has adequate confidence.

Closed-loop authentication

E-mail authentication

See also

References

Wikiwand - on