When Twitter’s account verification policy began to change late last year, a debate about how to do identity verification for online accounts stirred. As I found out, the way Mastodon does it is surprisingly elegant.
Previously, Twitter had a verification process for high-profile accounts (politicians, journalists, etc.). I honestly don’t know what that verification entailed, but after the Twitter takeover, Musk came up with the idea that anyone who pays $8 is eligible for verification. The ironic thing was that the new process didn’t actually include any identity verification at all. You paid $8, got a blue badge, and could impersonate anyone. This unsurprisingly didn’t work, so after a series of bummers over a short period of time, they discontinued this method of verification. They restarted it just recently and it seems to be as flawed as before.
Not that I have any major need to have my social media accounts verified, but I was wondering if there was any way to verify an account on Mastodon, because there isn’t some central entity that can verify your accounts. I found out that Mastodon goes about it in a pretty elegant way. It outsources the authentication to internet domain administrators.
The Internet domain is, in my opinion, the best “holder” of online identity. Internet domain administrators generally operate in the public interest, have long-term continuity, and are globally recognized authorities. Domains are affordable and the rules for owning them are relatively loose. The chances of losing your domain, and therefore your online identity, are relatively small. Email is the most common identifier today, and if you run it on your own domain, you are using the domain as an identity across online services. If you don’t have your own domain, I recommend getting one. It’s a much better idea in the long run than relying on an identity derived from accounts with service providers (Google, Facebook, Apple, Microsoft…), because with those you’re just building one big vendor lock-in for yourself.
Mastodon simply uses the XHTML Friends Network format, which has been around since 2003. It allows a link to declare a relationship. So on a domain you own, you can place a link to your Mastodon profile in the format:
<a href="https://floss.social/@sesivany" rel="me">Me on Mastodon</a>
In your Mastodon profile, you link back to the page that contains the link, and when Mastodon detects the backlink, it marks the connection as verified. This will link the account to your domain. If you run, say, a popular blog on your domain and you’re generally known as the owner, that may be enough, but proving that you have control over the content of a site on a domain does not mean that you have verified your identity.
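As an added illustration (this is not Mastodon's own code), here is a simplified Python re-implementation of the page-side half of that check: parse the page you linked from your profile, collect every <a> or <link> whose rel token list contains "me", and compare the href against the profile URL. The sample HTML and the page lookup table are constructed; a real verifier would fetch the page over HTTPS and would also only run for URLs that appear in the profile's own metadata fields.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize(url: str) -> str:
    """Canonicalise a URL for comparison: lower-case scheme and host,
    drop the fragment, strip a trailing slash (https://x/@me/ == https://x/@me)."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


class RelMeParser(HTMLParser):
    """Collect hrefs of <a> and <link> elements whose rel attribute contains 'me'."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        a = dict(attrs)
        # rel is a space-separated, case-insensitive token list, e.g. "me nofollow"
        rel = (a.get("rel") or "").lower().split()
        if "me" in rel and a.get("href"):
            self.links.append(a["href"])


def rel_me_links(html: str) -> list:
    """Return every rel="me" href found in the page, in document order."""
    p = RelMeParser()
    p.feed(html)
    return p.links


def backlink_verified(page_html: str, profile_url: str) -> bool:
    """True if the page contains a rel="me" link pointing at profile_url."""
    target = normalize(profile_url)
    return any(normalize(h) == target for h in rel_me_links(page_html))


def verify_profile_links(profile_url: str, profile_links: list, pages: dict) -> dict:
    """For each URL listed on the profile, report whether that page links back.
    `pages` maps URL -> HTML (constructed here; a real verifier fetches it)."""
    return {u: backlink_verified(pages.get(u, ""), profile_url) for u in profile_links}


# Constructed sample pages, not fetched from any real site
PAGE_OK = ('<html><head><link rel="me" href="https://floss.social/@sesivany"></head>'
           '<body><a href="https://floss.social/@sesivany" rel="me nofollow">Me on Mastodon</a></body></html>')
PAGE_NO_REL = '<a href="https://floss.social/@sesivany">Me on Mastodon</a>'   # plain link, no rel="me"
PAGE_OTHER = '<a href="https://example.org/@someone" rel="me">Someone else</a>'  # rel="me" to another account
```

Note that a passing check proves only that whoever controls the page chose to claim the account, which is exactly the limitation the paragraph above describes.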
But if you own a Czech domain, you can go further. CZ.NIC allows you to link your entry in the domain registry to your account with MojeID, which is also operated by CZ.NIC. This identity service is also certified for logging into online government services in the EU, and to qualify for that it requires in-person identity verification. This means that you have to go to a CzechPoint with your ID card, where someone will verify that you are really who you claim to be in MojeID (you can also use an eID card or a data box to verify your MojeID account online, but these also required in-person verification when you created them).
I have my MojeID account verified this way. So the chain of trust goes from my Mastodon account to verification with my ID at a CzechPoint. Which online service has such strong authentication? Yet from Mastodon’s side, this is a simple thing to implement and costs me about $8 in domain fees per year, not per month. And it has a much broader application. It’s a pity that XFN is not used by more services.