Marc A. Pelletier wrote:
On 15-02-19 09:27 AM, MZMcBride wrote:
In a second or third iteration, we'd ideally have an intermediate post-login screen that allows the user to select an account to use.
That would be a catastrophe, from a privacy standpoint; even if we restrict this to verified email addresses, there is no possible guarantee that the person who controlled email address x@y in the past is the person who controls it today.
My understanding is that this intermediate screen would only trigger if an account is using both the same verified e-mail address _and_ the same password. I don't believe there's any privilege escalation or privacy concern to allow users to login to multiple accounts that share an e-mail address (considered private/secret) and that share a password, which are the two inputs we'd be accepting during user login.
It's checking multiple passwords that starts to introduce a lot more concerns about timing attacks, as I understand it. This is a hard problem, as we typically want password verification to be relatively slow.
That said, these types of concerns that you're raising are fantastic to consider and discuss (thank you!). I think we need a lot of scrutiny in this area to ensure that we implement a sane, secure solution.
It would also have horrid security implications if you allow further creation of accounts sharing an email (which would be necessary to make that feature useful): create an account with the email of someone you want to find the Wikimedia account of, log in, be presented with the accounts.
Same as above, I think. :-)
MZMcBride
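As an added illustration that is not part of this thread and not MediaWiki's code, the following Python sketch shows the timing concern MZMcBride raises about checking one submitted password against every account that carries the same verified address. A naive lookup costs one slow hash per matching account, so the response time reveals whether an address is registered at all and roughly how many accounts share it; the padded version always performs a fixed number of hash computations, so the cost no longer depends on the address submitted. It assumes PBKDF2-HMAC-SHA256 from the standard library as the slow password hash, a hypothetical cap MAX_CANDIDATES on how many accounts a single login attempt may check, and a constructed account table; none of these come from the thread.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed parameters (not MediaWiki's): PBKDF2-HMAC-SHA256 as the slow hash,
# and a fixed cap on how many candidate accounts one login attempt may check.
HASH_NAME = "sha256"
ITERATIONS = 50_000
MAX_CANDIDATES = 4

# Dummy credential used to pad the work when fewer than MAX_CANDIDATES accounts
# share the submitted address, so the hashing cost does not reveal the count.
_DUMMY_SALT = b"\x00" * 16

# Counts slow hash computations so the two strategies can be compared.
hash_calls = 0


def slow_hash(password: str, salt: bytes) -> bytes:
    """The deliberately slow password hash; every call is counted."""
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)


@dataclass(frozen=True)
class Account:
    name: str
    email: str      # verified address, treated as private
    salt: bytes
    digest: bytes


def make_account(name: str, email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(name, email, salt, slow_hash(password, salt))


def verify(password: str, account: Account) -> bool:
    # compare_digest keeps the final byte comparison itself constant-time.
    return hmac.compare_digest(slow_hash(password, account.salt), account.digest)


def candidates_naive(email: str, password: str, accounts: list) -> list:
    """Leaky: the number of slow hashes equals the number of accounts carrying
    this address, so timing tells an attacker whether the address is registered
    and how many accounts use it, even when the password is wrong."""
    return [a.name for a in accounts if a.email == email and verify(password, a)]


def candidates_padded(email: str, password: str, accounts: list) -> list:
    """Always performs exactly MAX_CANDIDATES slow hashes, whether the address
    matches zero, one or several accounts. Accounts beyond the cap are not
    offered, so the cap also bounds the cost of one login attempt."""
    sharing = [a for a in accounts if a.email == email][:MAX_CANDIDATES]
    matched = [a.name for a in sharing if verify(password, a)]
    for _ in range(MAX_CANDIDATES - len(sharing)):
        slow_hash(password, _DUMMY_SALT)  # result discarded; only the cost matters
    return matched


def hash_calls_for(fn, email: str, password: str, accounts: list):
    """Run fn and return (accounts offered, number of slow hashes it cost)."""
    global hash_calls
    before = hash_calls
    result = fn(email, password, accounts)
    return result, hash_calls - before


# Constructed sample table: two accounts share both address and password, a
# third shares only the address, a fourth is unrelated.
ACCOUNTS = [
    make_account("Alice", "alice@example.org", "correct horse"),
    make_account("AliceBot", "alice@example.org", "correct horse"),
    make_account("AliceOld", "alice@example.org", "battery staple"),
    make_account("Bob", "bob@example.org", "hunter2"),
]

if __name__ == "__main__":
    for fn in (candidates_naive, candidates_padded):
        for email in ("alice@example.org", "bob@example.org", "nobody@example.org"):
            offered, cost = hash_calls_for(fn, email, "correct horse", ACCOUNTS)
            print(f"{fn.__name__:18} {email:22} offers={offered} slow_hashes={cost}")
```

Only accounts that match on both the address and the password are offered, which is the two-input rule MZMcBride describes. The padded version does not remove the other concern Marc raises: if anyone can register a fresh account under an address that others already use, the selection screen still enumerates those accounts to whoever knows the shared password, so the cap and the padding only address the timing side channel, not the account-creation policy.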