Marc A. Pelletier wrote:
>On 15-02-19 09:27 AM, MZMcBride wrote:
>>In a second or third iteration, we'd ideally have an intermediate
>>post-login screen that allows the user to select an account to use.
>
>That would be a catastrophe, from a privacy standpoint; even if we
>restrict this to verified email addresses, there is no possible
>guarantee that the person who controlled email address x@y in the past is
>the person who controls it today.

My understanding is that this intermediate screen would only trigger if an account is using both the same verified e-mail address _and_ the same password. I don't believe there's any privilege escalation or privacy concern to allow users to log in to multiple accounts that share an e-mail address (considered private/secret) and that share a password, which are the two inputs we'd be accepting during user login.

It's checking multiple passwords that starts to introduce a lot more concerns about timing attacks, as I understand it. This is a hard problem, as we typically want password verification to be relatively slow.

That said, these types of concerns that you're raising are fantastic to consider and discuss (thank you!). I think we need a lot of scrutiny in this area to ensure that we implement a sane, secure solution.

>It would also have horrid security implication if you allow further
>creation of accounts sharing an email (which would be necessary to make
>that feature useful): create an account with the email of someone you
>want to find the Wikimedia account of, log in, be presented with the
>accounts.

Same as above, I think. :-)

MZMcBride
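
A sketch of the rule discussed in the message above, added here as an example and not part of the original message or of any MediaWiki code: an account is offered on the selection screen only if its e-mail address is verified and the submitted password verifies against that account's own hash, and each attempt runs a fixed number of slow-hash evaluations. The account records, `MAX_PER_EMAIL`, `ITERATIONS` and the choice of PBKDF2 are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000      # assumed work factor for this sketch
MAX_PER_EMAIL = 4        # assumed cap on accounts sharing one address
STATS = {"hashes": 0}    # counts slow-hash evaluations, to show the fixed cost

def slow_hash(password, salt):
    STATS["hashes"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(name, email, verified, password):
    salt = os.urandom(16)
    return {"name": name, "email": email.lower(), "verified": verified,
            "salt": salt, "hash": slow_hash(password, salt)}

# Constructed sample accounts, all registered with the same address.
ACCOUNTS = [
    make_account("Alice", "x@y.example", True, "correct horse"),
    make_account("AliceBot", "x@y.example", True, "correct horse"),
    make_account("OldOwner", "x@y.example", True, "another secret"),
    make_account("Squatter", "x@y.example", False, "correct horse"),
]
DUMMY_SALT = os.urandom(16)

def selectable_accounts(email, password, accounts=ACCOUNTS):
    """Names to offer on the selection screen for one login attempt."""
    # Only verified addresses count; an unverified claim never joins the set.
    candidates = [a for a in accounts
                  if a["verified"] and a["email"] == email.lower()]
    candidates = candidates[:MAX_PER_EMAIL]
    names = []
    for acct in candidates:
        # The submitted password must verify against this account's own hash.
        if hmac.compare_digest(slow_hash(password, acct["salt"]), acct["hash"]):
            names.append(acct["name"])
    # Pad with dummy hashes so every attempt runs MAX_PER_EMAIL evaluations,
    # whether the address has zero, one or several accounts.
    for _ in range(MAX_PER_EMAIL - len(candidates)):
        slow_hash(password, DUMMY_SALT)
    return names

if __name__ == "__main__":
    print(selectable_accounts("x@y.example", "correct horse"))
```

The padding equalises the count of hash evaluations per attempt only; it says nothing about other timing differences in a real login path.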
