On 10/07/2015 03:48, Nicholas Alexander wrote:
> On Wed, Jul 8, 2015 at 9:59 PM, Ryan Kelly <[email protected]
> <mailto:[email protected]>> wrote:
>
> > This is heading towards something deeper about our onboarding flow that
> > it may be time to revisit - there's a big old email verification loop in
> > the middle of it.
> >
> > Would this discussion be different if we allowed you to complete sync
> > setup without verifying your email address?
> >
> > Anyway, I don't want to get myself too carried away here, but it's
> > something to think about as you're discussing all the options with
> > growth/engagement/etc teams. I've been pondering the technical and
> > security aspects of doing this for a while,
>
> Can we lay out the technical and security aspects here?

The two I've heard most frequently are both to do with the wrong people
gaining access to the wrong data.

On the malicious side, we have to make sure that operating with an
unverified email address doesn't give you access to any of the data
belonging to the owner of that email address. This isn't necessarily a
problem for sync, where your data is all tied to your FxA ID rather than
your email. But it could be for FxA-authenticated access to e.g.
Marketplace or Pocket.

On the accidental side, we have to make sure that accidentally using the
wrong email doesn't expose your data. For example, suppose I sign up for
sync but typo my email address as "[email protected]", and sync a bunch
of data into that account. You could now get at my synced data by doing a
password reset on that account (modulo encryption keys of course).

I'd love to hear additional scenarios or concerns.

> I've always assumed the email verification loop was necessary to stop
> folks auto-creating accounts and then using our storage endpoints as
> file drops.

IMHO the verification loop is no serious impediment to auto-creating
accounts. We routinely automate it for our own testing purposes. Also I
don't believe the old sync put any effort into email verification.

But this is a good point, and we'd need to check on legal or policy
requirements here.

> It's much harder to automate the web flow: if we made it so
> that the web flow didn't require an email loop (but the REST endpoint
> still did), would that be enough?

Sorry, I don't really understand what this means.

Cheers,

Ryan

_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
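The "malicious side" scenario above (an unverified signup with someone else's address reaching that person's data at a relying party such as Marketplace or Pocket) comes down to what the relying party uses as its account key. The following is an added example written for this thread, not code from FxA, Marketplace or Pocket: an in-memory account store with two resolvers, one that keys on the email address and one that keys on the identity provider's uid and only falls back to email-based linking once the IdP reports the address as verified. The `Identity` fields (`uid`, `email`, `verified`), the store API and the sample addresses are assumptions constructed for the example.

```python
"""Account linking at a relying party when the identity provider may hand
over an unverified email address. Constructed example for this thread;
not FxA, Marketplace or Pocket code."""

from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Optional


@dataclass
class Identity:
    """What the relying party learns from the IdP about the signed-in user.
    Field names are assumptions for this example."""
    uid: str        # stable identifier at the IdP (the "FxA ID" in the thread)
    email: str      # address the user typed at signup
    verified: bool  # whether the IdP has completed the email loop for it


@dataclass
class Account:
    id: int
    email: str
    email_verified: bool
    fxa_uid: Optional[str] = None        # None for accounts that predate the IdP
    data: List[str] = field(default_factory=list)


class AccountStore:
    """In-memory stand-in for the relying party's user table."""

    def __init__(self) -> None:
        self._accounts: Dict[int, Account] = {}
        self._ids = count(1)

    def _add(self, account: Account) -> Account:
        self._accounts[account.id] = account
        return account

    def seed_legacy(self, email: str, data: List[str]) -> Account:
        """A pre-existing account whose email was verified the old way."""
        return self._add(Account(next(self._ids), email.lower(), True, None, list(data)))

    def create(self, ident: Identity) -> Account:
        return self._add(Account(next(self._ids), ident.email.lower(), ident.verified, ident.uid))

    def find_by_uid(self, uid: str) -> Optional[Account]:
        return next((a for a in self._accounts.values() if a.fxa_uid == uid), None)

    def find_by_email(self, email: str, verified_only: bool) -> Optional[Account]:
        email = email.lower()
        for a in self._accounts.values():
            if a.email == email and (a.email_verified or not verified_only):
                return a
        return None


def resolve_by_email(store: AccountStore, ident: Identity) -> Account:
    """The pattern the thread warns about: the email is the key, so an
    unverified signup with someone else's address lands in their account."""
    return store.find_by_email(ident.email, verified_only=False) or store.create(ident)


def resolve_by_uid(store: AccountStore, ident: Identity) -> Account:
    """Key on the IdP uid; use the email to link to an older account only
    after the IdP has verified that the user controls it."""
    account = store.find_by_uid(ident.uid)
    if account is not None:
        if ident.verified and ident.email.lower() == account.email:
            account.email_verified = True   # the loop completed after signup
        return account
    if ident.verified:
        legacy = store.find_by_email(ident.email, verified_only=True)
        if legacy is not None and legacy.fxa_uid is None:
            legacy.fxa_uid = ident.uid      # first IdP login for an old account
            return legacy
    # Unverified address, or nothing to link to: an isolated fresh account.
    return store.create(ident)


VICTIM_EMAIL = "victim@example.org"   # constructed sample address


def demo() -> dict:
    """Run both resolvers through the scenario from the thread."""
    attacker = Identity(uid="uid-attacker", email=VICTIM_EMAIL, verified=False)
    victim = Identity(uid="uid-victim", email=VICTIM_EMAIL, verified=True)

    weak = AccountStore()
    weak.seed_legacy(VICTIM_EMAIL, ["saved-item-1"])
    weak_attacker = resolve_by_email(weak, attacker)

    strong = AccountStore()
    strong.seed_legacy(VICTIM_EMAIL, ["saved-item-1"])
    strong_attacker = resolve_by_uid(strong, attacker)
    strong_victim = resolve_by_uid(strong, victim)
    return {
        "weak_attacker_sees": weak_attacker.data,
        "strong_attacker_sees": strong_attacker.data,
        "strong_victim_sees": strong_victim.data,
        "strong_same_account": strong_attacker.id == strong_victim.id,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the email-keyed resolver the unverified attacker is handed the legacy account and its data; in the uid-keyed resolver the attacker gets an empty, isolated account, and the real owner still reaches the legacy account on a later verified login because the unverified attacker account is never considered as a link target. The "accidental side" scenario (a typo'd address plus password reset) is not addressed by this relying-party logic; that one lives in the identity provider's reset flow.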

