On Wed, Feb 1, 2017 at 12:11 PM, Ryan Kelly <[email protected]> wrote:
> On 2/2/17 03:53, Richard Newman wrote:
> > > > - The old email address never becomes available for registration
> > > > again.
> > > >
> > > > That is, email -> FxA user never changes from one user to another.
> > >
> > > We could certainly do this, but it's not clear to me what value it would
> > > deliver or what it would guard against.
> >
> > My reasoning: devices (and potentially services) do, or must, sometimes
> > use the email address as a unique identifier for a user.
> >
> > For example, the FxA on Android is named by email. A service like
> > Bugzilla might similarly associate an external account with an FxA by email.
>
> I'd prefer they didn't do this, but you're right, they often do...
>

*A lot of services do map to email but it makes me wonder how Facebook behaves. If I were to change my default email in Facebook, would it prevent me from logging back into services that mapped to my original FB email? Or, are they also passing to these services a uid that's independent of my email?*

> > If a new arrival can take a vacated email address, there is a chance
> > that they can take ownership of a service, or get consumers into a very
> > confusing state. If there's no benefit to taking ownership of a vacated
> > account, then I'd argue it's unnecessary risk.
>
> A good example here is Pocket. Pocket ties your FxA to any existing
> Pocket account with the same email. So you could get a scenario like:
>
> * I sign up to Pocket using FxA with [email protected]
> * I change the address on my FxA to [email protected]
> * Someone else re-registers for FxA with [email protected]
> * They can now log into my pocket account
>
> To be fair, if they now control [email protected], they could use a
> traditional password reset flow to access that account on Pocket, and
> probably also to take over a bunch of my old accounts around the web.
>

*Perhaps email providers have a clearly defined period of time before which an email can be re-allocated. Perhaps we can eventually align to their practices.*

> But I think I'm coming around to the suggestion that we disallow
> re-registration of emails, at least for the initial version while we get
> our heads around the broader ecosystem effects.
>

*I agree.*

>
> Cheers,
>
> Ryan
> _______________________________________________
> Dev-fxacct mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/dev-fxacct
>
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
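The Pocket scenario Ryan lays out, replayed as an added Python model (example code, not from the thread and not FxA's or Pocket's own code): a toy identity provider and a toy relying party with constructed sample addresses, showing that email-keyed linking lets a re-registered email open the old account, that reserving vacated emails (the proposal under discussion) blocks the re-registration, and that linking by stable uid is safe even without that policy.

```python
from dataclasses import dataclass, field
class AccountReuseError(Exception): pass  # email was once bound to a different uid

@dataclass
class ToyIdP:
    """Constructed FxA stand-in; reserve_vacated forbids re-binding a vacated email."""
    reserve_vacated: bool
    live: dict = field(default_factory=dict)     # email -> uid currently bound
    ever_used: set = field(default_factory=set)  # every email ever bound to any uid
    next_uid: int = 1

    def _bind(self, email, uid):
        if email in self.live or (self.reserve_vacated and email in self.ever_used):
            raise AccountReuseError(email)
        self.live[email] = uid
        self.ever_used.add(email)

    def register(self, email):
        uid, self.next_uid = f"uid-{self.next_uid}", self.next_uid + 1
        self._bind(email, uid)
        return uid

    def change_email(self, old, new):
        self._bind(new, self.live.pop(old))  # old address is now vacated

    def assertion(self, email):  # what the IdP asserts to a relying party after login
        return {"uid": self.live[email], "email": email}

class ToyRelyingParty:
    """Constructed Pocket stand-in: links a local account by email or by stable uid."""
    def __init__(self, link_by):
        self.link_by, self.accounts = link_by, {}  # "email"/"uid"; link key -> owner

    def login(self, assertion, owner):
        # First login creates the local account; later logins with the same key reuse it.
        return self.accounts.setdefault(assertion[self.link_by], owner)

def reuse_scenario(reserve_vacated, link_by):
    """Replays the thread's four-step Pocket scenario and reports how it ends."""
    idp, rp = ToyIdP(reserve_vacated), ToyRelyingParty(link_by)
    idp.register("alice@example.com")                      # constructed sample address
    rp.login(idp.assertion("alice@example.com"), "alice")  # step 1: Alice's Pocket account
    idp.change_email("alice@example.com", "alice.new@example.com")  # step 2
    try:
        idp.register("alice@example.com")                  # step 3: newcomer takes vacated email
    except AccountReuseError:
        return "blocked"                                   # IdP policy stops step 3
    owner = rp.login(idp.assertion("alice@example.com"), "newcomer")
    return "takeover" if owner == "alice" else "safe"      # step 4: whose account opens?
```

Running the four combinations shows the two independent mitigations: the IdP refusing vacated emails, or the relying party keying on uid instead of email.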

