E-mail login to wiki - needs feedback

classic Classic list List threaded Threaded
33 messages Options
12
Reply | Threaded
Open this post in threaded view
|

E-mail login to wiki - needs feedback

Tony Thomas
Hello,

Before someone starts with a proposal for the proposed-tech-project 'Allow
user login with e-mail address'[1], is there still community consensus for
the same ? I personally think its a must-have for MediaWiki, as e-mail
address is easy to remember than a complex username. Currently multiple
users can sign-up with the same e-mail id - which would possibly be a
blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on
the same.

[1] https://phabricator.wikimedia.org/T30085
[2]
https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address

Thanks,
Tony Thomas <http://tttwrites.wordpress.com/>
FOSS@Amrita <http://foss.amrita.ac.in>

*"where there is a wifi, there is a way"*
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

Tyler Romeo
I've said this previously, but I believe the only controversial part of
this change is ensuring the security and privacy of email addresses.

All this involves is constructing a process where every login,
regardless of the identifier and regardless of the database state,
always performs one and exactly one database query and one and exactly
one password hashing.

On 2/19/15 07:54, Tony Thomas wrote:

> Hello,
>
> Before someone starts with a proposal for the proposed-tech-project 'Allow
> user login with e-mail address'[1], is there still community consensus for
> the same ? I personally think its a must-have for MediaWiki, as e-mail
> address is easy to remember than a complex username. Currently multiple
> users can sign-up with the same e-mail id - which would possibly be a
> blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on
> the same.
>
> [1] https://phabricator.wikimedia.org/T30085
> [2]
> https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
>
> Thanks,
> Tony Thomas <http://tttwrites.wordpress.com/>
> FOSS@Amrita <http://foss.amrita.ac.in>
>
> *"where there is a wifi, there is a way"*
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l


_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

signature.asc (900 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

Daniel Friesen-2
I described an alternate idea on how to avoid timing attacks without
limiting it to one account per address.
https://www.mediawiki.org/wiki/Thread:Talk:Requests_for_comment/Login_via_e-mail_address/Timing_attacks_on_emails_with_multiple_accounts

~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]

On 2015-02-19 5:27 AM, Tyler Romeo wrote:

> I've said this previously, but I believe the only controversial part of
> this change is ensuring the security and privacy of email addresses.
>
> All this involves is constructing a process where every login,
> regardless of the identifier and regardless of the database state,
> always performs one and exactly one database query and one and exactly
> one password hashing.
>
> On 2/19/15 07:54, Tony Thomas wrote:
>> Hello,
>>
>> Before someone starts with a proposal for the proposed-tech-project 'Allow
>> user login with e-mail address'[1], is there still community consensus for
>> the same ? I personally think its a must-have for MediaWiki, as e-mail
>> address is easy to remember than a complex username. Currently multiple
>> users can sign-up with the same e-mail id - which would possibly be a
>> blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on
>> the same.
>>
>> [1] https://phabricator.wikimedia.org/T30085
>> [2]
>> https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
>>
>> Thanks,
>> Tony Thomas <http://tttwrites.wordpress.com/>
>> FOSS@Amrita <http://foss.amrita.ac.in>
>>
>> *"where there is a wifi, there is a way"*
>> _______________________________________________
>> Wikitech-l mailing list
>> [hidden email]
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
>
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

Tyler Romeo
I would rather avoid this approach, because it involves running multiple
(sometimes as many as 5) password hashing operations. The idea of our
current key stretching with bcrypt is that the strength parameter should
be just large enough to not affect UX. But if we're running the hash
many times, now we have to reduce the bcrypt strength, and as a result
reduce our defenses against other attacks.

If we just always check one email address, not only do we fulfill most
users' use cases (a single account with their email), but we avoid
adopting any complicated cryptosystem and keep our password hashing as
simple as possible.

--
Tyler Romeo

On 2/19/15 08:36, Daniel Friesen wrote:

> I described an alternate idea on how to avoid timing attacks without
> limiting it to one account per address.
> https://www.mediawiki.org/wiki/Thread:Talk:Requests_for_comment/Login_via_e-mail_address/Timing_attacks_on_emails_with_multiple_accounts
>
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
>
> On 2015-02-19 5:27 AM, Tyler Romeo wrote:
>> I've said this previously, but I believe the only controversial part of
>> this change is ensuring the security and privacy of email addresses.
>>
>> All this involves is constructing a process where every login,
>> regardless of the identifier and regardless of the database state,
>> always performs one and exactly one database query and one and exactly
>> one password hashing.
>>
>> On 2/19/15 07:54, Tony Thomas wrote:
>>> Hello,
>>>
>>> Before someone starts with a proposal for the proposed-tech-project 'Allow
>>> user login with e-mail address'[1], is there still community consensus for
>>> the same ? I personally think its a must-have for MediaWiki, as e-mail
>>> address is easy to remember than a complex username. Currently multiple
>>> users can sign-up with the same e-mail id - which would possibly be a
>>> blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on
>>> the same.
>>>
>>> [1] https://phabricator.wikimedia.org/T30085
>>> [2]
>>> https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
>>>
>>> Thanks,
>>> Tony Thomas <http://tttwrites.wordpress.com/>
>>> FOSS@Amrita <http://foss.amrita.ac.in>
>>>
>>> *"where there is a wifi, there is a way"*
>>> _______________________________________________
>>> Wikitech-l mailing list
>>> [hidden email]
>>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>
>>
>> _______________________________________________
>> Wikitech-l mailing list
>> [hidden email]
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l


_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

signature.asc (900 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

MZMcBride-2
In reply to this post by Tony Thomas
Tony Thomas wrote:
>Before someone starts with a proposal for the proposed-tech-project 'Allow
>user login with e-mail address'[1], is there still community consensus for
>the same ? I personally think its a must-have for MediaWiki, as e-mail
>address is easy to remember than a complex username. [...]
>
>[1] https://phabricator.wikimedia.org/T30085

Hi.

Yes, I believe there's consensus to implement this feature. It's
incredibly common practice on the Web to allow login via e-mail address.
MediaWiki fortunately already supports storing and authenticating e-mail
addresses, so the work to allow login via e-mail address hopefully
shouldn't be too difficult. The tricky parts are that e-mail addresses are
considered private information and there's no requirement that e-mail
addresses be unique in the user table.

As you mention, there are many instances of multiple users using the same
e-mail address. As part of a first iteration, we'd likely simply disallow
login via e-mail address for the ambiguous cases. In a second or third
iteration, we'd ideally have an intermediate post-login screen that allows
the user to select an account to use.

This account selector may also one day tie in with the idea of having an
account switcher (i.e., the ability to easily switch between multiple
accounts without needing to log out and re-authenticate). However, these
are tangential features that quickly start to get a lot more complicated
when you consider single user login and its cross-domain magic, login
sessions, cookies, etc.

MZMcBride



_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

Marc-Andre
On 15-02-19 09:27 AM, MZMcBride wrote:
> n a second or third
> iteration, we'd ideally have an intermediate post-login screen that allows
> the user to select an account to use.

That would be a catastrophe, from a privacy standpoint; even if we
restrict this to verified email addresses, there is no possible
guarantee that the person who controled email address x@y in the past is
the person who controls it today.

It would also have horrid security implication if you allow further
creation of accounts sharing an email (which would be necessary to make
that feature useful): create an account with the email of someone you
want to find the Wikimedia account of, log in, be presented with the
accounts.

-- Marc


_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

Bináris
In reply to this post by Tony Thomas
2015-02-19 13:54 GMT+01:00 Tony Thomas <[hidden email]>:

>  I personally think its a must-have for MediaWiki, as e-mail
> address is easy to remember than a complex username.


I think everybody has the chance to choose as simple username as they can
remember. It's not nuclear physics or cerebral surgery.
Where am I wrong?
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

MZMcBride-2
In reply to this post by Marc-Andre
Marc A. Pelletier wrote:
>On 15-02-19 09:27 AM, MZMcBride wrote:
>>In a second or third iteration, we'd ideally have an intermediate
>>post-login screen that allows the user to select an account to use.
>
>That would be a catastrophe, from a privacy standpoint; even if we
>restrict this to verified email addresses, there is no possible
>guarantee that the person who controled email address x@y in the past is
>the person who controls it today.

My understanding is that this intermediate screen would only trigger if an
account is using both the same verified e-mail address _and_ the same
password. I don't believe there's any privilege escalation or privacy
concern to allow users to login to multiple accounts that share an e-mail
address (considered private/secret) and that share a password, which are
the two inputs we'd be accepting during user login.

It's checking multiple passwords that starts to introduce a lot more
concerns about timing attacks, as I understand it. This is a hard problem,
as we typically want password verification to be relatively slow.

That said, these types of concerns that you're raising are fantastic to
consider and discuss (thank you!). I think we need a lot of scrutiny in
this area to ensure that we implement a sane, secure solution.

>It would also have horrid security implication if you allow further
>creation of accounts sharing an email (which would be necessary to make
>that feature useful): create an account with the email of someone you
>want to find the Wikimedia account of, log in, be presented with the
>accounts.

Same as above, I think. :-)

MZMcBride



_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

MZMcBride-2
In reply to this post by Bináris
Bináris wrote:
>2015-02-19 13:54 GMT+01:00 Tony Thomas <[hidden email]>:
>>I personally think its a must-have for MediaWiki, as e-mail
>> address is easy to remember than a complex username.
>
>I think everybody has the chance to choose as simple username as they can
>remember. It's not nuclear physics or cerebral surgery.
>Where am I wrong?

It's not a matter of choosing a single, simple user name, per se, it's
choosing a user name on Wikimedia wikis, on Twitter, on Facebook, on
Gmail, on GitHub, and on a million other sites on the Web. Yes, users
should choose memorable user names and secure passwords on each site and
never forget them, but that isn't the world we live in. We dramatically
reduce our barrier to entry by allowing login via e-mail address as users
can typically remember their own e-mail address. Do you disagree?

MediaWiki not only currently disallows login via e-mail address, login is
case-sensitive (e.g., "MZ" and "Mz" can be different users). In your
experience, is MediaWiki's current authentication architecture following
common or best practices? I personally think there's a lot of work needed.

MZMcBride



_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

devunt
Note: As the assignee of T30085 and also as main contributor of RfC,
I'll create a patch when proper consensus completed.

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

Chris Steipp
In reply to this post by Marc-Andre
On Thu, Feb 19, 2015 at 6:44 AM, Marc A. Pelletier <[hidden email]> wrote:
> That would be a catastrophe, from a privacy standpoint; even if we restrict
> this to verified email addresses, there is no possible guarantee that the
> person who controled email address x@y in the past is the person who
> controls it today.

Not that precedent makes it right, but this is possible already with
password reset. We assume that if you control x@y, you are entitled to
control any accounts with a confirmed email of x@y.

> It would also have horrid security implication if you allow further creation
> of accounts sharing an email (which would be necessary to make that feature
> useful): create an account with the email of someone you want to find the
> Wikimedia account of, log in, be presented with the accounts.

If it's limited to accounts with a confirmed email, and the passwords
all match, then this isn't an issue (unless I'm misunderstanding your
concern). As an attacker, I can't confirm the email of my victim for
my account, and it's unlikely that I can set the same password
(otherwise I'd just login as them).

But those requirements do require hashing the password per user, which
does leak timing information when we run this in php with our current
password system-- maybe we can find a service to do all the hashing in
parallel. But to start, just not allowing that case would cover the
90% (99.9% probably) use case.

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

Dan Garry
In reply to this post by Tony Thomas
On Thursday, February 19, 2015, Tony Thomas <[hidden email]> wrote:

> I personally think its a must-have for MediaWiki, as e-mail
> address is easy to remember than a complex username.


It's also important because users of mobile devices are very used to this
design pattern for logging in to apps, and having it in the mobile apps is
blocked by not having it in MediaWiki.


> Currently multiple
> users can sign-up with the same e-mail id - which would possibly be a
> blocker, and can be fixed.
>

I wouldn't even try to tackle that problem for a first pass at this.

If we can get login with username working for the case where there is a
one-to-one match between email and password, that's a *huge* step forwards.
The many-to-one case can follow afterwards.

Dan


--
Dan Garry
Associate Product Manager, Mobile Apps
Wikimedia Foundation
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

phoebe ayers-3
In reply to this post by Tony Thomas
Hi all,

I'm the one who started that bug-now-task a while back, and for
context, it was based directly on user feedback. What MzM says above
is right. I was working with a casual (but quite good) editor who said
to me "well, I'd edit that Wikipedia page, but I don't edit very often
and I can never remember what my login is, since my usual login was
taken. But if I could enter my email address, it would be a lot easier
and I'd be more likely to just do it."

Struck by the idea that this was a barrier to editing, I asked around
and got similar feedback from other people, for both public and
private mediawikis. So I submitted the bug for consideration. I know
it's difficult and there's been a lot of discussion on how to
technically do it, but I think the underlying need definitely still
exists.

thanks,
Phoebe


On Thu, Feb 19, 2015 at 4:54 AM, Tony Thomas <[hidden email]> wrote:

> Hello,
>
> Before someone starts with a proposal for the proposed-tech-project 'Allow
> user login with e-mail address'[1], is there still community consensus for
> the same ? I personally think its a must-have for MediaWiki, as e-mail
> address is easy to remember than a complex username. Currently multiple
> users can sign-up with the same e-mail id - which would possibly be a
> blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on
> the same.
>
> [1] https://phabricator.wikimedia.org/T30085
> [2]
> https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
>
> Thanks,
> Tony Thomas <http://tttwrites.wordpress.com/>
> FOSS@Amrita <http://foss.amrita.ac.in>
>
> *"where there is a wifi, there is a way"*
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l



--
* I use this address for lists; send personal messages to phoebe.ayers
<at> gmail.com *

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

devunt
We should consider some edge cases like:

* More than two accounts with exactly same email and password.
-> In this case, which account should be chosen for logged-in? Maybe
account selector could be one of the answers.

* If there's a 42 accounts with same email.
-> Should mediawiki try to check password forty two times? It will
takes _very_ long time as enough to cause gateway timeout. Which means
nobody can log in to that account.
-> To avoid timing attack completely, should mediawiki calculate hash
of all users forty two times as same as above user?

2015-02-20 8:58 GMT+09:00 phoebe ayers <[hidden email]>:

> Hi all,
>
> I'm the one who started that bug-now-task a while back, and for
> context, it was based directly on user feedback. What MzM says above
> is right. I was working with a casual (but quite good) editor who said
> to me "well, I'd edit that Wikipedia page, but I don't edit very often
> and I can never remember what my login is, since my usual login was
> taken. But if I could enter my email address, it would be a lot easier
> and I'd be more likely to just do it."
>
> Struck by the idea that this was a barrier to editing, I asked around
> and got similar feedback from other people, for both public and
> private mediawikis. So I submitted the bug for consideration. I know
> it's difficult and there's been a lot of discussion on how to
> technically do it, but I think the underlying need definitely still
> exists.
>
> thanks,
> Phoebe
>
>
> On Thu, Feb 19, 2015 at 4:54 AM, Tony Thomas <[hidden email]> wrote:
>> Hello,
>>
>> Before someone starts with a proposal for the proposed-tech-project 'Allow
>> user login with e-mail address'[1], is there still community consensus for
>> the same ? I personally think its a must-have for MediaWiki, as e-mail
>> address is easy to remember than a complex username. Currently multiple
>> users can sign-up with the same e-mail id - which would possibly be a
>> blocker, and can be fixed. Thanks to MzMcbride, we have an RFC[2] too on
>> the same.
>>
>> [1] https://phabricator.wikimedia.org/T30085
>> [2]
>> https://www.mediawiki.org/wiki/Requests_for_comment/Login_via_e-mail_address
>>
>> Thanks,
>> Tony Thomas <http://tttwrites.wordpress.com/>
>> FOSS@Amrita <http://foss.amrita.ac.in>
>>
>> *"where there is a wifi, there is a way"*
>> _______________________________________________
>> Wikitech-l mailing list
>> [hidden email]
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
>
>
> --
> * I use this address for lists; send personal messages to phoebe.ayers
> <at> gmail.com *
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

Dan Garry
On 20 February 2015 at 08:52, devunt <[hidden email]> wrote:

> We should consider some edge cases like:
>

I disagree.

This is not an easy problem. We know that. The reason there's been so much
talk and so little action on this because we insist on repeating all the
reasons why this is hard every time this point is raised, and everyone gets
put off.

Build something that works for some subset of the use cases first, then we
can worry about edge cases and scaling.

Dan

--
Dan Garry
Associate Product Manager, Mobile Apps
Wikimedia Foundation
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

Brion Vibber-4
IMO we should strongly discourage use of multiple accounts with the same
email to the point of forbidding it in software for new accounts.[1]

Figuring out how to migrate those old accounts is something that needs to
be considered and worked out, but it shouldn't hold up work on making the
login/reset form accept email addresses for the common case.


[1] I personally have a bunch of test accounts that probably have the same
email, and I'm sure some folks have bots and other things set up similarly.
Note that many email providers including Gmail allow email aliases with "+"
and something else after your mailbox name, such as 'johndoe+testing99 at
wikimedia.org'; I've used this in the past to have separate accounts on one
email for Apple and other providers as well.

-- brion



On Fri, Feb 20, 2015 at 9:06 AM, Dan Garry <[hidden email]> wrote:

> On 20 February 2015 at 08:52, devunt <[hidden email]> wrote:
>
> > We should consider some edge cases like:
> >
>
> I disagree.
>
> This is not an easy problem. We know that. The reason there's been so much
> talk and so little action on this because we insist on repeating all the
> reasons why this is hard every time this point is raised, and everyone gets
> put off.
>
> Build something that works for some subset of the use cases first, then we
> can worry about edge cases and scaling.
>
> Dan
>
> --
> Dan Garry
> Associate Product Manager, Mobile Apps
> Wikimedia Foundation
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

Bryan Davis
In reply to this post by devunt
On Fri, Feb 20, 2015 at 9:52 AM, devunt <[hidden email]> wrote:

> We should consider some edge cases like:
>
> * More than two accounts with exactly same email and password.
> -> In this case, which account should be chosen for logged-in? Maybe
> account selector could be one of the answers.
>
> * If there's a 42 accounts with same email.
> -> Should mediawiki try to check password forty two times? It will
> takes _very_ long time as enough to cause gateway timeout. Which means
> nobody can log in to that account.
> -> To avoid timing attack completely, should mediawiki calculate hash
> of all users forty two times as same as above user?

Minimum viable product assumption:

Given that authentication is attempted with an (email, password) pair
When more than one account matches email
Then perform one data load and hash comparison to mitigate timing attacks
and fail authentication attempt

A community education campaign could easily be launched to notify
users that this invariant will hold for email based authentication and
give instructions on how to change the email associated with an
account. The target audience for email based authentication (newer
users who think of email addresses as durable tokens of their
identity) will not be likely to be effected or even aware of the
multiple account disambiguation problem.

Bryan
--
Bryan Davis              Wikimedia Foundation    <[hidden email]>
[[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
irc: bd808                                        v:415.839.6885 x6855

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

Gerard Meijssen-3
Hoi,
I have been at Meta ... I do not see it, I do not understand it .. What
should I do to enable this ?
Thanks,
     GerardM

On 20 February 2015 at 18:53, Bryan Davis <[hidden email]> wrote:

> On Fri, Feb 20, 2015 at 9:52 AM, devunt <[hidden email]> wrote:
> > We should consider some edge cases like:
> >
> > * More than two accounts with exactly same email and password.
> > -> In this case, which account should be chosen for logged-in? Maybe
> > account selector could be one of the answers.
> >
> > * If there's a 42 accounts with same email.
> > -> Should mediawiki try to check password forty two times? It will
> > takes _very_ long time as enough to cause gateway timeout. Which means
> > nobody can log in to that account.
> > -> To avoid timing attack completely, should mediawiki calculate hash
> > of all users forty two times as same as above user?
>
> Minimum viable product assumption:
>
> Given that authentication is attempted with an (email, password) pair
> When more than one account matches email
> Then perform one data load and hash comparison to mitigate timing attacks
> and fail authentication attempt
>
> A community education campaign could easily be launched to notify
> users that this invariant will hold for email based authentication and
> give instructions on how to change the email associated with an
> account. The target audience for email based authentication (newer
> users who think of email addresses as durable tokens of their
> identity) will not be likely to be effected or even aware of the
> multiple account disambiguation problem.
>
> Bryan
> --
> Bryan Davis              Wikimedia Foundation    <[hidden email]>
> [[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
> irc: bd808                                        v:415.839.6885 x6855
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

Bryan Davis
On Fri, Feb 20, 2015 at 10:56 AM, Gerard Meijssen
<[hidden email]> wrote:
> Hoi,
> I have been at Meta ... I do not see it, I do not understand it .. What
> should I do to enable this ?
> Thanks,
>      GerardM

This thread is basically a discussion of a proposed MediaWiki feature.
See <https://phabricator.wikimedia.org/T30085> for additional context.


> On 20 February 2015 at 18:53, Bryan Davis <[hidden email]> wrote:
>
>> On Fri, Feb 20, 2015 at 9:52 AM, devunt <[hidden email]> wrote:
>> > We should consider some edge cases like:
>> >
>> > * More than two accounts with exactly same email and password.
>> > -> In this case, which account should be chosen for logged-in? Maybe
>> > account selector could be one of the answers.
>> >
>> > * If there's a 42 accounts with same email.
>> > -> Should mediawiki try to check password forty two times? It will
>> > takes _very_ long time as enough to cause gateway timeout. Which means
>> > nobody can log in to that account.
>> > -> To avoid timing attack completely, should mediawiki calculate hash
>> > of all users forty two times as same as above user?
>>
>> Minimum viable product assumption:
>>
>> Given that authentication is attempted with an (email, password) pair
>> When more than one account matches email
>> Then perform one data load and hash comparison to mitigate timing attacks
>> and fail authentication attempt
>>
>> A community education campaign could easily be launched to notify
>> users that this invariant will hold for email based authentication and
>> give instructions on how to change the email associated with an
>> account. The target audience for email based authentication (newer
>> users who think of email addresses as durable tokens of their
>> identity) will not be likely to be effected or even aware of the
>> multiple account disambiguation problem.
>>
>> Bryan
>> --
>> Bryan Davis              Wikimedia Foundation    <[hidden email]>
>> [[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
>> irc: bd808                                        v:415.839.6885 x6855
>>
>> _______________________________________________
>> Wikitech-l mailing list
>> [hidden email]
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l



--
Bryan Davis              Wikimedia Foundation    <[hidden email]>
[[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
irc: bd808                                        v:415.839.6885 x6855

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: E-mail login to wiki - needs feedback

devunt
> Build something that works for some subset of the use cases first, then we
> can worry about edge cases and scaling.

Before starting code, is this project have no chance to selection for
GSoC 2015? I want to attend the GSoC 2015 with this project if
available.

2015-02-21 3:00 GMT+09:00 Bryan Davis <[hidden email]>:

> On Fri, Feb 20, 2015 at 10:56 AM, Gerard Meijssen
> <[hidden email]> wrote:
>> Hoi,
>> I have been at Meta ... I do not see it, I do not understand it .. What
>> should I do to enable this ?
>> Thanks,
>>      GerardM
>
> This thread is basically a discussion of a proposed MediaWiki feature.
> See <https://phabricator.wikimedia.org/T30085> for additional context.
>
>
>> On 20 February 2015 at 18:53, Bryan Davis <[hidden email]> wrote:
>>
>>> On Fri, Feb 20, 2015 at 9:52 AM, devunt <[hidden email]> wrote:
>>> > We should consider some edge cases like:
>>> >
>>> > * More than two accounts with exactly same email and password.
>>> > -> In this case, which account should be chosen for logged-in? Maybe
>>> > account selector could be one of the answers.
>>> >
>>> > * If there's a 42 accounts with same email.
>>> > -> Should mediawiki try to check password forty two times? It will
>>> > takes _very_ long time as enough to cause gateway timeout. Which means
>>> > nobody can log in to that account.
>>> > -> To avoid timing attack completely, should mediawiki calculate hash
>>> > of all users forty two times as same as above user?
>>>
>>> Minimum viable product assumption:
>>>
>>> Given that authentication is attempted with an (email, password) pair
>>> When more than one account matches email
>>> Then perform one data load and hash comparison to mitigate timing attacks
>>> and fail authentication attempt
>>>
>>> A community education campaign could easily be launched to notify
>>> users that this invariant will hold for email based authentication and
>>> give instructions on how to change the email associated with an
>>> account. The target audience for email based authentication (newer
>>> users who think of email addresses as durable tokens of their
>>> identity) will not be likely to be effected or even aware of the
>>> multiple account disambiguation problem.
>>>
>>> Bryan
>>> --
>>> Bryan Davis              Wikimedia Foundation    <[hidden email]>
>>> [[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
>>> irc: bd808                                        v:415.839.6885 x6855
>>>
>>> _______________________________________________
>>> Wikitech-l mailing list
>>> [hidden email]
>>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>>
>> _______________________________________________
>> Wikitech-l mailing list
>> [hidden email]
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
>
>
> --
> Bryan Davis              Wikimedia Foundation    <[hidden email]>
> [[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
> irc: bd808                                        v:415.839.6885 x6855
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
12