I described an alternate idea on how to avoid timing attacks without limiting it to one account per address. https://www.mediawiki.org/wiki/Thread:Talk:Requests_for_comment/Login_via_e… ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/] On 2015-02-19 5:27 AM, Tyler Romeo wrote:

Tony Thomas wrote: Hi. Yes, I believe there's consensus to implement this feature. It's incredibly common practice on the Web to allow login via e-mail address. MediaWiki fortunately already supports storing and authenticating e-mail addresses, so the work to allow login via e-mail address hopefully shouldn't be too difficult. The tricky parts are that e-mail addresses are considered private information and there's no requirement that e-mail addresses be unique in the user table. As you mention, there are many instances of multiple users using the same e-mail address. As part of a first iteration, we'd likely simply disallow login via e-mail address for the ambiguous cases. In a second or third iteration, we'd ideally have an intermediate post-login screen that allows the user to select an account to use. This account selector may also one day tie in with the idea of having an account switcher (i.e., the ability to easily switch between multiple accounts without needing to log out and re-authenticate). However, these are tangential features that quickly start to get a lot more complicated when you consider single user login and its cross-domain magic, login sessions, cookies, etc. MZMcBride

2015-02-19 13:54 GMT+01:00 Tony Thomas <01tonythomas(a)gmail.com>om>: I think everybody has the chance to choose as simple username as they can remember. It's not nuclear physics or cerebral surgery. Where am I wrong?

Bináris wrote: It's not a matter of choosing a single, simple user name, per se, it's choosing a user name on Wikimedia wikis, on Twitter, on Facebook, on Gmail, on GitHub, and on a million other sites on the Web. Yes, users should choose memorable user names and secure passwords on each site and never forget them, but that isn't the world we live in. We dramatically reduce our barrier to entry by allowing login via e-mail address as users can typically remember their own e-mail address. Do you disagree? MediaWiki not only currently disallows login via e-mail address, login is case-sensitive (e.g., "MZ" and "Mz" can be different users). In your experience, is MediaWiki's current authentication architecture following common or best practices? I personally think there's a lot of work needed. MZMcBride

On Thu, Feb 19, 2015 at 6:44 AM, Marc A. Pelletier <marc(a)uberbox.org> wrote: Not that precedent makes it right, but this is possible already with password reset. We assume that if you control x@y, you are entitled to control any accounts with a confirmed email of x@y. If it's limited to accounts with a confirmed email, and the passwords all match, then this isn't an issue (unless I'm misunderstanding your concern). As an attacker, I can't confirm the email of my victim for my account, and it's unlikely that I can set the same password (otherwise I'd just login as them). But those requirements do require hashing the password per user, which does leak timing information when we run this in php with our current password system-- maybe we can find a service to do all the hashing in parallel. But to start, just not allowing that case would cover the 90% (99.9% probably) use case.

Hi all, I'm the one who started that bug-now-task a while back, and for context, it was based directly on user feedback. What MzM says above is right. I was working with a casual (but quite good) editor who said to me "well, I'd edit that Wikipedia page, but I don't edit very often and I can never remember what my login is, since my usual login was taken. But if I could enter my email address, it would be a lot easier and I'd be more likely to just do it." Struck by the idea that this was a barrier to editing, I asked around and got similar feedback from other people, for both public and private mediawikis. So I submitted the bug for consideration. I know it's difficult and there's been a lot of discussion on how to technically do it, but I think the underlying need definitely still exists. thanks, Phoebe On Thu, Feb 19, 2015 at 4:54 AM, Tony Thomas &lt;01tonythomas(a)gmail.com&gt; wrote: -- * I use this address for lists; send personal messages to phoebe.ayers <at> gmail.com *

On 20 February 2015 at 08:52, devunt &lt;devunt(a)gmail.com&gt; wrote: I disagree. This is not an easy problem. We know that. The reason there's been so much talk and so little action on this because we insist on repeating all the reasons why this is hard every time this point is raised, and everyone gets put off. Build something that works for some subset of the use cases first, then we can worry about edge cases and scaling. Dan -- Dan Garry Associate Product Manager, Mobile Apps Wikimedia Foundation

On Fri, Feb 20, 2015 at 9:52 AM, devunt &lt;devunt(a)gmail.com&gt; wrote: Minimum viable product assumption: Given that authentication is attempted with an (email, password) pair When more than one account matches email Then perform one data load and hash comparison to mitigate timing attacks and fail authentication attempt A community education campaign could easily be launched to notify users that this invariant will hold for email based authentication and give instructions on how to change the email associated with an account. The target audience for email based authentication (newer users who think of email addresses as durable tokens of their identity) will not be likely to be effected or even aware of the multiple account disambiguation problem. Bryan -- Bryan Davis Wikimedia Foundation &lt;bd808(a)wikimedia.org&gt; [[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA irc: bd808 v:415.839.6885 x6855

On Fri, Feb 20, 2015 at 10:56 AM, Gerard Meijssen &lt;gerard.meijssen(a)gmail.com&gt; wrote: This thread is basically a discussion of a proposed MediaWiki feature. See <https://phabricator.wikimedia.org/T30085> for additional context. -- Bryan Davis Wikimedia Foundation &lt;bd808(a)wikimedia.org&gt; [[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA irc: bd808 v:415.839.6885 x6855

On 20/02/15 17:28, Brion Vibber wrote: Please see https://en.wikipedia.org/wiki/Wikipedia:Sock_puppetry#Legitimate_uses for a non-comprehensive list of use cases for alternate accounts. Requiring separate emails, or expecting users to know that particular trick, would be problematic for many of these, and may even encourage some users to not use an email address at all. -I

Making umbrella backend account could be one of the answers. But implementation of umbrella backend account requires massive user/authentication code updates, table schema changes and massive auto account merges(which accounts have same emails) than other ways. Anyway I think umbrella idea is the most nice one. 2015-02-21 3:51 GMT+09:00 Brion Vibber &lt;bvibber(a)wikimedia.org&gt;rg>: > > I don't know whether that's something to encourage, but it would simplify > those cases. > > -- brion > > > > On Fri, Feb 20, 2015 at 10:45 AM, Isarra Yos &lt;zhorishna(a)gmail.com&gt; wrote: > >> On 20/02/15 17:28, Brion Vibber wrote: >> >>> IMO we should strongly discourage use of multiple accounts with the same >>> email to the point of forbidding it in software for new accounts.[1] >>> >>> Figuring out how to migrate those old accounts is something that needs to >>> be considered and worked out, but it shouldn't hold up work on making the >>> login/reset form accept email addresses for the common case. >>> >>> >>> [1] I personally have a bunch of test accounts that probably have the same >>> email, and I'm sure some folks have bots and other things set up >>> similarly. >>> Note that many email providers including Gmail allow email aliases with >>> "+" >>> and something else after your mailbox name, such as 'johndoe+testing99 at >>> wikimedia.org'; I've used this in the past to have separate accounts on >>> one >>> email for Apple and other providers as well. >>> >>> -- brion >>> >> >> Please see https://en.wikipedia.org/wiki/Wikipedia:Sock_puppetry# >> Legitimate_uses for a non-comprehensive list of use cases for alternate >> accounts. Requiring separate emails, or expecting users to know that >> particular trick, would be problematic for many of these, and may even >> encourage some users to not use an email address at all. >> >> -I >> >> >> _______________________________________________ >> Wikitech-l mailing list >> Wikitech-l(a)lists.wikimedia.org >> https://lists.wikimedia.org/mailman/listinfo/wikitech-l >> > _______________________________________________ > Wikitech-l mailing list > Wikitech-l(a)lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Il 20/02/2015 22:29, Gergo Tisza ha scritto: I proposed something like that a couple months ago [1] [1] https://lists.wikimedia.org/pipermail/wikitech-l/2014-December/079831.html

Gergo Tisza wrote: Yep, this is certainly a possibility. It would be great if you and others would edit <https://www.mediawiki.org/wiki/RFC/Login_via_e-mail_address> or at least drop a note on the talk page so that we can consider and address the issues here to come up with clean, secure, and sane solutions. devunt wrote: If this project means basic support for login via e-mail address in MediaWiki, I think there's consensus to implement this feature and it would likely make for a good Google Summer of Code project. However, if the project scope increases to include more than just basic support for login via e-mail address, it's probably not a great candidate for GSoC. MZMcBride

On 19/02/15 16:15, MZMcBride wrote: Emails are case-sensitive as well. platonides@gmail is different than Platonides@gmail and different than PLATONIDES@gmail (for everybody but gmail). (cf. T76169, T75818, T85137) PS: Some people indeed can't remember their own email address.

On Sun, Feb 22, 2015 at 3:33 PM, Platonides &lt;platonides(a)gmail.com&gt; wrote: Hmm. I just tried asking for a password reset with my email [on English Wikipedia] and what I got was a list of temporary passwords for all the accounts associated with that email (a bunch, in my case, since I registered variations on my full name). The email lists the username and the temp password for each account. But yes, it's not clear that link can be used for retrieving login as well as password. Changing the text to 'Forgot your password or login?' could help. (Of course, checking your email and resetting the password is still an extra step for the infrequent editor). -- phoebe p.s. this is an old issue; that was still likely an unfixed bug when I first filed it! -- * I use this address for lists; send personal messages to phoebe.ayers <at> gmail.com *

On Feb 23, 2015 12:06 PM, "Lars Aronsson" &lt;lars(a)aronsson.se&gt; wrote: No, that isn't possible. We can't reveal existence or non-existence of an account with an address. If there's more than one with a given address and we throw that error message then we've revealed something we can't. Multiple accounts match response should be identical to wrong password response and identical to no such email/username response. -Jeremy