Chrome is currently testing a new feature called 'Email Verification Protocol (EVP)' that allows for instant email address ownership verification via the browser.



Chrome is currently testing the ' Email Verification Protocol ,' which allows the browser to communicate directly with the email provider to verify that the user owns the email address during web service registration.

Test the Email Verification Protocol with an origin trial | Blog | Chrome for Developers

https://developer.chrome.com/blog/email-verification-protocol-origin-trial

The typical registration process involves entering an email address, receiving a confirmation email, and clicking a link in that email to verify ownership of the email address. However, this system requires users to leave the site, increasing the risk that they might abandon the registration process and fail to complete it.

With the Email Verification Protocol (EVP), when a user selects an email address from the browser's autofill suggestions and submits a form, the browser queries the email provider. Once it's confirmed that the user is logged into the account corresponding to that email address, a verification token is passed to the website, proving ownership of the email address without sending a confirmation email.

To use EVP, users must be logged into their email provider account using the same Chrome profile. Furthermore, email addresses must be selected from suggestions displayed by Chrome's autofill or autocomplete features, rather than being manually entered. Support for manually entered email addresses will be added in a future release.

The first time you verify a specific email address with EVP, you will be prompted to allow your email provider to verify the email address. This permission is only requested once per email address, and once verification is complete, you will receive a small notification from your email provider confirming that they have verified the email address.

Specifically, the browser refers to the DNS records set for the email address's domain to identify the account management service responsible for verification. That service verifies the user's login status and issues an 'Email Verification Token (EVT),' which the browser then combines with the website's origin and form-specific values to create signed data.

When a form is submitted, the website verifies the email address, form-specific values, and signatures from the publisher and browser. If all verifications are successful, the website can determine that the email address is valid and that the user currently interacting with the website owns that email address.



According to Chrome, this process does not transmit information about the website using the validation to the email provider. The website does not receive any information about the validation process until the form is submitted, and the email provider only receives a request to verify whether a user exists corresponding to the target email address.

EVP is not intended to completely replace traditional verification methods, but rather to be a feature that can be added to existing registration flows. If a browser does not support EVP or token verification fails, the website will revert to the traditional method of sending a confirmation email or one-time password.

Furthermore, EVP confirms that the user is logged into their email provider account and owns that email address. EVP does not guarantee that emails sent from the website will actually reach the user's inbox, so you will still need to send welcome emails and user guide emails.

EVP is being offered as a trial for Chrome's origin trials, and website operators can test it by registering for the origin trial and setting a dedicated token on their pages.

Trial for Email Verification Protocol

https://developer.chrome.com/origintrials/#/view_trial/10696049115004929

Since Gmail is also participating in the origin trial as an email provider, you can try the verification flow with an '@gmail.com' email address without any additional configuration.



However, the origin trial is an experiment to gather feedback before official implementation, and there are limitations on the amount of traffic that can be applied to the origin trial. Google explains that the API for email providers is still under development, and there is a possibility of backward-incompatible specification changes or changes in how it looks in Chrome in the future.

in Web Service,   Security, Posted by log1i_yk