
Proposal: allow a second email address (wikimail, password reset, notifications)
Open, Needs Triage | Public | Feature

Assigned To
None
Authored By
Gradzeichen
Mar 12 2016, 3:08 PM
Referenced Files
F4709676: Signup.PNG
Nov 9 2016, 12:20 PM
F3621210: mockup-proposal-2emails--preferences-email.png
Mar 12 2016, 3:08 PM
F3621213: mockup-proposal-2emails--preferences-notifications.png
Mar 12 2016, 3:08 PM
F3621219: mockup-proposal-2emails--change-email-2.png
Mar 12 2016, 3:08 PM
F3621221: mockup-proposal-2emails--change-email-3.png
Mar 12 2016, 3:08 PM

Description

The same email address is used for wikimail and password recovery.

For password recovery an address with a secure mail provider is a good choice. For wikimail, on the other hand, a throw-away mail address that can be easily replaced if it becomes known to a stalker or the public makes more sense. This is especially true for accounts with additional rights and prolific authors. These groups cannot work without wikimail and are unlikely to abstain from the possibility to recover a lost password.

I propose the following: Add the option to specify a second email address in the preferences for all users.

Add the following global preferences (email and password are already global):

  • checkboxes to select what email address to use with wikimail or none at all
  • checkboxes to select what email address to use for password recovery or none at all
    • if both boxes are checked, different temporary passwords are sent to both addresses and both are needed to login
  • checkboxes to select what email address to use for echo and other notifications
  • in a more ambitious additional approach the local echo preferences could allow the configuration of every notification type to be sent onwiki, to first address, to second address
  • checkboxes to send a TAN to either of the addresses on login (achieving a cheap way of 2FA, at least until true 2FA is implemented)

In a given time frame only one email address can be changed. A confirm message is sent to the new address and additionally a "cancel the change" message is sent to the other unchanged address.

The option of two addresses would allow the use of a throw-away-email-address for wikimail. So if this address becomes known to a stalker, you can simply change this address, while keeping your secret secure email address for all other uses.

Nothing changes for any user who does not specify an email address or stays with one address.

Attached mockups: mockup-proposal-2emails--preferences-email.png, mockup-proposal-2emails--preferences-notifications.png, mockup-proposal-2emails--change-email-2.png, mockup-proposal-2emails--change-email-3.png, Signup.PNG
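As an added illustration of the address-change rule in the description (one change per time frame, a confirm link to the new address and a cancel link to the unchanged one), here is example code that is not part of the proposal or of MediaWiki. It assumes a 7-day window, two address slots named primary and secondary, and an in-memory outbox standing in for the mail server; the cancel link is also allowed to revert a change that was already confirmed while the window is still open, which goes slightly beyond the text.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
CHANGE_WINDOW = 7 * 24 * 3600  # constructed value: one address change per 7-day window

@dataclass
class ChangeRecord:
    slot: str                   # "primary" or "secondary"
    old_address: Optional[str]
    new_address: str
    confirm_token: str          # mailed to the new address
    cancel_token: str           # mailed to the address that is NOT changing
    started: float
    state: str = "pending"      # pending -> applied, or -> cancelled

@dataclass
class Account:
    addresses: Dict[str, Optional[str]]   # {"primary": ..., "secondary": ...}
    change: Optional[ChangeRecord] = None
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, mail); stands in for the MTA

def request_change(acct: Account, slot: str, new_address: str, now: float) -> bool:
    if acct.change is not None and now - acct.change.started < CHANGE_WINDOW:
        return False  # only one address may change per window, whatever became of the last attempt
    rec = ChangeRecord(slot, acct.addresses[slot], new_address,
                       secrets.token_urlsafe(32), secrets.token_urlsafe(32), now)
    acct.outbox.append((new_address, "confirm:" + rec.confirm_token))
    other = acct.addresses["secondary" if slot == "primary" else "primary"]
    if other:  # the untouched address gets the "cancel the change" link
        acct.outbox.append((other, "cancel:" + rec.cancel_token))
    acct.change = rec
    return True

def confirm_change(acct: Account, token: str) -> bool:
    rec = acct.change
    if rec is None or rec.state != "pending" or not secrets.compare_digest(token, rec.confirm_token):
        return False
    acct.addresses[rec.slot] = rec.new_address
    rec.state = "applied"
    return True

def cancel_change(acct: Account, token: str, now: float) -> bool:
    # Aborts a pending change or reverts an applied one while the window is open.
    rec = acct.change
    if (rec is None or rec.state == "cancelled" or now - rec.started >= CHANGE_WINDOW
            or not secrets.compare_digest(token, rec.cancel_token)):
        return False
    if rec.state == "applied":
        acct.addresses[rec.slot] = rec.old_address
    rec.state = "cancelled"
    return True
```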

Event Timeline


I think there might be problems with the current description line

  • if both boxes are checked, different temporary passwords are sent to both addresses and both are needed to login

because sometimes a user will lose access to one of their accounts for legitimate reason, e.g. they stopped using that ISP, or stopped attending that college, or stopped working at that company.

Also, this would make it harder to recover from email-account compromises, if the cracker could then prevent the actual owner from resetting their password.

However, this could potentially be resolved by clear documentation in the Preferences page, explaining the potential problems that might be encountered if this option is used? (aimed at non-technical users who enable things like this just because it sounds "safer" to them, without considering/understanding all the far-reaching consequences)

Also, I am not a security expert, and might have misunderstood some details.

because sometimes a user will lose access to one of their accounts for legitimate reason, e.g. they stopped using that ISP, or stopped attending that college, or stopped working at that company.

While this is true, it would still be better than the status quo: with only one mail address, a user who loses this mail address has no way to recover a password, as server admins have no way to identify the user. With two addresses, there is at least in principle a way to manually verify the user's identity.

Way too many preferences are proposed here (cf. T64559), certainly a lighter proposal is needed.

Just noting that there is no way we could afford a usability debacle such as this absurdly complicated interface:

Attached image: Signup.PNG

The obvious route to me would be to advise people on registration that they can provide a second email address in their preferences after they've finished registering and logged in, and then provide further advisement on the preferences page. The level of configurability suggested also seems like gross overengineering; the baseline should be that one email address serves as the recovery address, while the other serves to receive communications emails (enotifs, Special:EmailUser emails, etc.). Any level of configurability beyond that should only be undertaken with care, probably with a clear demonstration of need.

I agree that this probably shouldn't be present on account registration, and we'll need a way to keep the email preferences somewhat sane.

I believe this proposal has merit, and I think it should be evaluated in the Wishlist as a concept rather than on the exact specified feature.

I see some benefit in storing multiple email addresses per account (and if there are several validated emails, the source one could be selectable at Special:EmailUser), but mainly for the case when an email is no longer available.

The proposal as stated is a preference nightmare. And really, all this flexibility for where to send the different notifications can already be handled by using filters at your email account. Which is probably the right place. You only need to filter which kind of notification it is¹ and depending on that forward to another email address (or simply file it in a different folder!). Including deleting anything that doesn't come from a trusted/whitelisted source (for the case where "it becomes known to a stalker or the public")².

¹ Please file bugs if they do not provide the required headers to do that

² Note that I don't think that "discarding an email address" (either by deleting most incoming email or no longer signing in) is generally a suitable option, given that it also loses legitimate emails that you would want to receive.

The motivation for this feature was to keep the private email address hidden, when sending email on-wiki. This can be achieved with an alternative solution that is simpler for the user, but might complicate configuring the server a bit.
A common solution to this problem is to give a wiki email address to users (such as username@en.wikipedia.org), and forward/proxy emails to the private address.
Emails sent on-wiki have the header field From: username@en.wikipedia.org
Replies (and any email) sent to username@en.wikipedia.org are only accepted from confirmed user email addresses (SPF / DKIM fields checked). This identifies the sender's username2 account.
The body of the email and a few header fields (Subject, Date, Content-Type, Content-Transfer-Encoding) are sent to the user's private address with Sender: username2@en.wikipedia.org
As a result editors only see the username of the sender. It's up to the editors to share their private email address, if they choose to.
"en.wikipedia.org" can be any wiki instance.

This solution has the added configuration burden for the sysadmin to set up incoming mail. This should not be a significant burden.
Benefit to users: no confusing secondary email configuration ("Which one do I use for what feature?"). The name "Auxiliary" would sound alien to the everyday user.
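An added example of the forwarding step in the comment above, not code from the author or from Wikimedia: it rewrites a reply addressed to username@en.wikipedia.org for the recipient's private address, keeping only the Subject, Date, Content-Type and Content-Transfer-Encoding headers. The SPF/DKIM verdict is assumed to arrive from the MTA as a boolean, the user directory and the inbound message are constructed, and the From header is rewritten to the proxy address as well (an assumption the comment does not spell out).

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

WIKI_DOMAIN = "en.wikipedia.org"  # any wiki instance, as the comment notes
# Only these headers survive; Received, Message-ID, X-Originating-IP and the
# like can reveal the sender's private address or network and are dropped.
FORWARDED_HEADERS = ("Subject", "Date", "Content-Type", "Content-Transfer-Encoding")
# Constructed user directory (confirmed private address -> username); a real
# deployment would read the wiki's user table instead.
CONFIRMED = {"alice@example.org": "alice", "bob-private@example.net": "bob"}
PRIVATE_ADDRESS = {user: addr for addr, user in CONFIRMED.items()}

# Constructed inbound reply from Alice to Bob's proxy address.
SAMPLE_REPLY = """\
From: Alice <alice@example.org>
To: bob@en.wikipedia.org
Subject: Re: Wikimail question
Date: Sat, 12 Mar 2016 15:08:00 +0000
X-Originating-IP: 203.0.113.5
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Thanks, that answers it.
"""

def proxy_address(username: str) -> str:
    return f"{username}@{WIKI_DOMAIN}"

def forward_wikimail(raw: str, auth_passed: bool) -> Optional[EmailMessage]:
    """Rewrite a reply addressed to <user>@WIKI_DOMAIN for the user's private
    address; None means reject. auth_passed is the MTA's SPF/DKIM verdict
    (assumed to be computed upstream; it cannot be checked offline here)."""
    if not auth_passed:
        return None
    inbound = message_from_string(raw, policy=policy.default)
    sender_user = CONFIRMED.get(parseaddr(inbound["From"] or "")[1].lower())
    rcpt_local, _, rcpt_domain = parseaddr(inbound["To"] or "")[1].lower().partition("@")
    if sender_user is None or rcpt_domain != WIKI_DOMAIN or rcpt_local not in PRIVATE_ADDRESS:
        return None  # unconfirmed sender, or recipient is not a proxy address
    out = EmailMessage(policy=policy.default)
    for name in FORWARDED_HEADERS:
        if name in inbound:
            out[name] = str(inbound[name])
    # From is rewritten too (assumption): the original From would expose the sender's private address.
    out["From"] = out["Sender"] = proxy_address(sender_user)
    out["To"] = PRIVATE_ADDRESS[rcpt_local]
    out.set_payload(inbound.get_payload())  # body copied verbatim (plain text assumed)
    return out
```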

@AronManning when forwarding to/from wikipedia.org was proposed first in the wishlist survey, I raised the following question:

Wikipedia is supposed to be an international project. Under the legislation of one or more states in the world, forwarding mail may be considered offering a mail service, which under some legislation requires the mail provider to verify the mail user by the user providing a telephone number or a surface mail address.

At that point a WMF employee said he would check that with wikimedia-legal. I do not know if this legal check was actually done, and to what result.

Actually, to me it does not matter if my proposed solution, or any variation of it, or an email forwarder, or a personal message system based on talk pages or Flow or IRC or anything else gets chosen and implemented, as long as anything is done.

The project suffers strongly from people not asking questions, because they do not want to expose their email in wikimail and people not answering questions sent by wikimail, because they do not want to expose their email address.

I believe that having this option would greatly improve user security. It is much harder to break into someone's account when you don't know the login. With more and more Wikimedians being targeted by governments and other malicious actors, it is imperative that we allow people to raise their defences as much as possible.

Aklapper changed the subtype of this task from "Task" to "Feature Request". Sep 23 2023, 1:32 PM