Closed-loop authentication

Closed-loop authentication, as applied to computer network communication, refers to a mechanism whereby one party verifies the purported identity of another party by requiring them to supply a copy of a token transmitted to the canonical or trusted point of contact for that identity. It is also sometimes used to refer to a system of mutual authentication whereby two parties authenticate one another by signing and passing back and forth a cryptographically signed nonce, each party demonstrating to the other that they control the secret key used to certify their identity.

E-mail authentication

Closed-loop email authentication is useful for simple situations where one party wants to demonstrate control of an email address to another, as a weak form of identity verification. It is not a strong form of authentication in the face of host- or network-based attacks (where an imposter, Chuck, is able to intercept Bob's email, intercepting the nonce and thus masquerading as Bob.)

A common use of closed-loop email authentication is account recovery in a shared secret relationship (for example, a website account protected by a password). Rather than emailing a copy of a password, modern sites send a time-limited, single-use reset link or token to the pre-registered address so the account holder can set a new password.^[1] Historically, some systems did email existing passwords or auto-generated new ones, but this is now discouraged because services should not store recoverable passwords.^[2]

A problem associated with this variation is the tendency of a naïve or inexperienced user to click on a URL if an email encourages them to do so. Most website authentication systems therefore permit unauthenticated password resets only via links sent to the account holder’s registered address; they do not email existing passwords or allow a user who does not possess a password to log in or specify a new one.^[3] Security guidance also cautions that email should not be treated as an out-of-band authenticator because it does not prove possession of a specific device.^[4]

In some instances in web authentication, closed-loop authentication is employed before any access is granted to an identified user that would not be granted to an anonymous user. This may be because the nature of the relationship between the user and the website is one that holds some long-term value for one or both parties (enough to justify the increased effort and decreased reliability of the registration process.) It is also used in some cases by websites attempting to impede programmatic registration as a prelude to spamming or other abusive activities.

Closed-loop authentication (like other types) is an attempt to establish identity. It is not, however, incompatible with anonymity, if combined with a pseudonymity system in which the authenticated party has adequate confidence.

References

^ "Forgot Password Cheat Sheet". OWASP Cheat Sheets. OWASP Foundation. Retrieved 14 August 2025.
^ "Password Storage Cheat Sheet". OWASP Cheat Sheets. OWASP Foundation. Retrieved 14 August 2025.
^ "Forgot Password Cheat Sheet". OWASP Cheat Sheets. OWASP Foundation. Retrieved 14 August 2025.
^ "NIST SP 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management". NIST. 2023. Retrieved 14 August 2025.

Corella, Francisco; Lewison, Karen (2013-07-14). "Privacy Postures of Authentication Technologies" (PDF). pomcor.com. Pomian & Corella, LLC. Retrieved 24 June 2025.

[1] "Forgot Password Cheat Sheet". OWASP Cheat Sheets. OWASP Foundation. Retrieved 14 August 2025.

[2] "Password Storage Cheat Sheet". OWASP Cheat Sheets. OWASP Foundation. Retrieved 14 August 2025.

[3] "Forgot Password Cheat Sheet". OWASP Cheat Sheets. OWASP Foundation. Retrieved 14 August 2025.

[4] "NIST SP 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management". NIST. 2023. Retrieved 14 August 2025.

[1]

[2]

[3]

[4]

Closed-loop authentication

E-mail authentication

See also

References

Portal di Ensiklopedia Dunia