Single Use Identities - Some Discussion and Practicalities
A few folks reached out after a throwaway comment I made the other day, so I am expanding on it for everyone’s benefit.
Mike Parrinello, CSM Dennis Michaud David Samuel Nallapu Farooq Zafar Sam Martin
The comment was: “Suppose I got a new phone number to stop the spam calls I get all day. I imagine it would still get out somehow after a year or three. It should be convenient to spin up a phone number for each person you meet / business you interact with, etc. You can do so with virtual credit cards and single use emails and it is kind of easy to use. If it were easy, I'd do it.”
Let’s take a step back for a moment, and speak generally about identities.
What’s an identity?
For purposes of this article, any means to contact a person or business, and possibly to engage in commerce with that person or business. So emails, phone numbers, social media usernames, bank accounts, credit card numbers, blockchain/crypto addresses, etc. Usually you want these to be unique (you don’t want two people using the same identity), memorable (ideally something like the person or business’s name - phone numbers and credit card numbers are bad here), and secure (it’s difficult for one person to impersonate another).
What’s the problem with having just one identity?
Generally it comes down to security and privacy. If we are talking about emails and phone numbers, once someone has either, they can spam you all they like. They can also give or sell your information to third parties who might spam you further. They might not even try to do any of this - they could get hacked themselves - but the consequences are the same. More than spam, there is a security risk. If someone can manage to get into your email or phone (by, say, compromising your password or SIM jacking you), they can probably make purchases on your behalf or worse. Given that identity theft is on the rise, it is probably worth thinking about a better solution.
So, what if instead of giving out your email or phone number every time, you made a context specific email or phone number that didn’t expose the original?
What do you get out of single use identities?
People don’t learn the main identity so it is low cost to give out - your email/phone number remains hidden. It is much better than blocking spammers one by one for that reason.
It’s low cost to shut down - if your single use account is getting spammed, you just disable it. You can’t disable your main email.
The context in which you are using the ID is clear, which reduces confusion and other headaches - for instance, say you sign your business up for a new SaaS service which is a couple hundred bucks a month. And say you cancel, but you keep getting billed. If you set up a single use credit card - you can set a lower limit, and it’s easier to stop payment. Also, suppose you find this credit card gets billed from a different vendor at some point. Then you know that whether it was accidental or purposeful, the SaaS vendor was the leak.
How can you create single use emails?
Apple has Hide My Email - a paid iCloud+ feature that lets you create a single use email every time you submit a form. I’ve actually tried this and it seems to work well.
Several Chrome extensions are available - Temp Mail, Burner Emails - I haven’t tried either of these but I assume they are fine.
How can you create single use phone numbers?
Google Voice is probably the most popular option. There are also apps like Burner which mostly do the same thing.
What about single use credit cards?
Capital One supports a virtual credit card feature, where you have a distinct number for online transactions from in person transactions. I assume other traditional credit vendors do as well, but I haven't tried them.
New school corporate card vendors like Ramp support unlimited virtual cards so you can be very granular with online billing control. Eric Glyman Karim Atiyeh
Generally, how do these identities work under the hood?
The answer is more or less, “forwarding.” Just as you can forward calls and emails manually, you can configure software to do so automatically. So you receive the information from the other party at your true email / phone number / account without revealing the identifying information.
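A minimal sketch of that forwarding model, added here as an illustration and not taken from any of the products named above: each alias is bound to the one context it was given to, can be disabled on its own, and records any sender outside that context as a possible leak. The class name, addresses and domains are all hypothetical placeholders.

```python
import secrets
from collections import namedtuple

Decision = namedtuple("Decision", "deliver_to note")

class AliasRouter:
    """Forwards mail for per-context aliases to one hidden real address."""

    def __init__(self, real_address, alias_domain):
        self.real_address = real_address
        self.alias_domain = alias_domain
        self.aliases = {}  # alias address -> {"context", "active", "leaks"}

    def create(self, context_domain):
        # Random local part: the alias reveals nothing about the real address.
        alias = f"{secrets.token_hex(6)}@{self.alias_domain}"
        self.aliases[alias] = {"context": context_domain.lower(), "active": True, "leaks": set()}
        return alias

    def disable(self, alias):
        self.aliases[alias]["active"] = False  # the real address is untouched

    def route(self, sender, recipient):
        entry = self.aliases.get(recipient.lower())
        if entry is None or not entry["active"]:
            return Decision(None, "rejected: unknown or disabled alias")
        domain = sender.rsplit("@", 1)[-1].lower()
        ctx = entry["context"]
        if domain == ctx or domain.endswith("." + ctx):
            return Decision(self.real_address, "forwarded")
        # Still delivered, but recorded: the alias was only ever given to ctx.
        # Sender addresses can be forged and vendors use third-party mailers,
        # so treat this as a signal to investigate rather than proof.
        entry["leaks"].add(domain)
        return Decision(self.real_address, f"flagged: given to {ctx}, used by {domain}")

def demo():
    # Constructed sample data; all addresses and domains are placeholders.
    router = AliasRouter("me@home.example", "relay.example")
    alias = router.create("saas-vendor.example")
    results = [
        router.route("billing@saas-vendor.example", alias),
        router.route("offers@unrelated-shop.example", alias),
    ]
    router.disable(alias)
    results.append(router.route("offers@unrelated-shop.example", alias))
    return alias, results, router.aliases[alias]["leaks"]

if __name__ == "__main__":
    for item in demo()[1]:
        print(item)
```
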
How about in crypto?
Identities in crypto work differently from credit card or bank accounts in the sense that knowing the “account number” doesn’t allow you to bill that account. Payments are “pushed” from the buyer versus “pulled” by the seller, when billing. In the Bitcoin world it is considered best practice to use an identity just once (or twice perhaps) - when payment comes to it, and when it leaves. Managing a number of accounts can become cumbersome - so there are tools like HD wallets which let you do so.
Convenience
I’d imagine the reason that these methods aren’t more widely used comes down to awareness and convenience. Venmo and Zelle are interesting examples that are very convenient - both leverage better distributed identities into the ability to pay - you can pay someone’s email or phone number or username, instead of an account number they share with you, merely by looking them up in a directory. These services lock you into your root identity more for this reason, and are quite popular. To see wider adoption, single use identities need to happen without the user knowing it, and be as convenient as a Venmo / Zelle flow.
Do I use single use identities?
Personally, not really. For better or for worse I feel that my info is out there, and I’d need to start fresh to really benefit. Usually the consequences are more annoyance than real harm.
In business, we are more disciplined, with judicious use of single purpose emails, cards, password managers and the like.
CEO @ Culture Shock
1 year ago
Thanks for sharing this, Kieren. I liked the original post because it reminded me of an idea I had a few years ago. The basic question was why can't we have extensions to our phone number that are shared per contact. If a contact calls using a verified extension, it's prioritized but if the extension is not recognized and not coming from the correct contact, the number is either blocked or deprioritized. The idea didn't go anywhere because modern solutions should deal with this very easily by just validating trusted contacts. So I'm not sure that actual extensions to a person's number add any value here.