Marc A. Pelletier wrote:
> On 15-02-19 09:27 AM, MZMcBride wrote:
>> In a second or third iteration, we'd ideally have an intermediate
>> post-login screen that allows the user to select an account to use.
>
> That would be a catastrophe, from a privacy standpoint; even if we
> restrict this to verified email addresses, there is no possible
> guarantee that the person who controlled email address x@y in the past is
> the person who controls it today.
My understanding is that this intermediate screen would only trigger if an
account is using both the same verified e-mail address _and_ the same
password. I don't believe there's any privilege escalation or privacy
concern to allow users to log in to multiple accounts that share an e-mail
address (considered private/secret) and that share a password, which are
the two inputs we'd be accepting during user login.
It's checking multiple passwords that starts to introduce a lot more
concerns about timing attacks, as I understand it. This is a hard problem,
as we typically want password verification to be relatively slow.
That said, these types of concerns that you're raising are fantastic to
consider and discuss (thank you!). I think we need a lot of scrutiny in
this area to ensure that we implement a sane, secure solution.
> It would also have horrid security implications if you allow further
> creation of accounts sharing an email (which would be necessary to make
> that feature useful): create an account with the email of someone you
> want to find the Wikimedia account of, log in, be presented with the
> accounts.
Same as above, I think. :-)
MZMcBride
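The matching rule described in this reply (an account only appears on the chooser screen if it shares the verified e-mail address and the submitted password verifies against it), as an added illustration that is not code from the thread or from MediaWiki. It assumes a constructed in-memory account store and PBKDF2 as a stand-in for whatever slow password hash the real system uses.

```python
import hashlib
import hmac
import os

# Constructed sample store. PBKDF2 with a high iteration count is an assumption
# standing in for the deliberately slow password hash a real login system uses.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(name: str, email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"name": name, "email": email, "salt": salt,
            "hash": hash_password(password, salt)}


ACCOUNTS = [
    make_account("Alice", "alice@example.org", "correct horse"),
    make_account("Alice (bot)", "alice@example.org", "correct horse"),
    make_account("AliceAlt", "alice@example.org", "different secret"),
    make_account("Bob", "bob@example.org", "hunter2"),
]


def verify(account: dict, password: str) -> bool:
    # Re-derive and compare in constant time against the stored hash.
    return hmac.compare_digest(hash_password(password, account["salt"]),
                               account["hash"])


def candidate_accounts(email: str, password: str) -> list:
    """Names of every account sharing the verified e-mail AND accepting the
    submitted password. Accounts with the same e-mail but a different password
    are never revealed. Every e-mail match costs one slow hash, so the
    response time grows with the number of accounts on that e-mail; that is the
    timing concern the thread raises and it must be bounded in a real design."""
    return [a["name"] for a in ACCOUNTS
            if a["email"] == email and verify(a, password)]


def login(email: str, password: str) -> tuple:
    names = candidate_accounts(email, password)
    if not names:
        return ("denied", [])
    if len(names) == 1:
        return ("logged_in", names)
    return ("choose_account", names)  # the intermediate post-login screen
```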