They could consider not using email at all

Any open channel that can be read by a human that could be lucratively scammed will be used the same way.

I don't understand what you mean. This is used for creating an account on a web app. You don't actually need an email or anything else for that.

Why is the solution not OAuth/OIDC?

Or maybe creating some sort of reduced OAuth "Anonymous-Site-Verifying-Your-Email-Exists" flow?

Not everyone uses an email provider that is also also an OIDC provider.

But not every email provider would support this new (from scratch) protocol either?

Just don't see the need to reinvent OAuth but with a reduced scope for just email validation. Just add a happy path for this into OAuth itself?

One other problem is there isn't a way to definitely know that a given OIDC provider is authoritive for a given email. Although, this spec could probably be simplified by just having a dns record that specifies the domain to use for oidc for emails on that domain.

Another is that there is a lot of variance in OIDC and OAuth implementations, so getting login to work with any arbitrary identity provider is quite difficult.

I wouldn't mix OAuth and OIDC up when thinking about this. OAuth is a chaotic ecosystem, but OIDC is fairly well standardized.

OIDC actually does have a discovery mechanism standardized to convert an email address into an authoritative issuer. Then, it has a dynamic registration mechanism standardized so that an application could register to new issuers automatically. Those standards could absolutely be improved, but they already exist.

The problem is that no one that mattered implemented them.

If you want to get anywhere with something like this, you need buy-in from the big email providers(Google, Microsoft, Yahoo, and Apple) and the big enterprise single sign on providers(Ping, OneIdentity, and Okta). All of those companies already do OIDC fairly well. If they wanted this feature to exist, it already would.

Instead, it seems like big tech is all-in on passkeys instead of fixing single sign on.

> a dns record that specifies the domain to use for oidc for emails on that domain.

Oooh I like this idea!

Not a DNS record, no one uses dnssec so DNS is insecure. A .well-known path, with a TLS cert is better. Or a special subdomain, like MTA-STS uses.

It's more of an invisible feature than a protocol.

The signup protocol and user flow is the same if the feature is supported or not. You just skip a step if the convenience feature is supported.

With SSO the user is inconvenienced with an additional option at sign up and login, and there's the risk of duplicate accounts. Also stronger vendor lock in.

Additionally, some corporate or personal policies might prefer to NEVER use SSO, even if it is sometimes accepted. I hate being presented with option to login with email or login with Google, and I don't know which I signed up with.

God forbid I accidentally make an account with SSO and another with email but the same email. I'd rather just always use email, it's supposed to be a convenience, the advantages are lost when it goes south once

> God forbid I accidentally make an account with SSO and another with email but the same email.

If they do it correctly, that shouldn't be possible.

You can have both a gmail and a google workspace account with the same email, but I'm sure someone can do better than Google.

Also I'm pretty sure that since google is itself an SSO provider, this add another layer of clusterfuck that I don't even want to think about, regardless of whether there's a clean implementation or not, I don't even want that on my mental capacity.