BeagleLab / voyage

Planning for the Beagle Project

User Accounts #34

Open RichardLitt opened 9 years ago

RichardLitt commented 9 years ago

A user should be able to:

RichardLitt commented 9 years ago

I think that we ought to not use the standard username + password model. It is antiquated and not secure. I think, instead, that a person's email should be their username, and at the start of each new session, if a cookie isn't already stored in their browser, that we should have them get a new unique ID from their email for that session. This has the benefit of being more secure, although it does work around password managers like 1Password, which could break some users' workflows (mine included).

I think that a user also ought to be able to share annotations with another user as a one-off link with a unique ID, so that anyone with the link to the paper (stored on our website) which has the ID can see the private annotations, and that these unique IDs should expire at some point (3 days?) but could be persistent if they are linked to an existing user account. This is a complicated use case and may belong in another issue.

What do you think, @jbenet and @adammarblestone?
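
One way the share links proposed above could work, as an added example that is not part of the original comments or the project's code: an unguessable ID per link, stored only as a digest, expiring after three days unless tied to an account. The names `ShareLinkStore`, `createLink`, `resolve` and `linkedAccount` are hypothetical, and the in-memory `Map` stands in for whatever database the site would use.

```javascript
// Added example; all names here are hypothetical, not from the project.
const crypto = require('crypto');

const THREE_DAYS_MS = 3 * 24 * 60 * 60 * 1000; // expiry floated in the comment above

class ShareLinkStore {
  constructor(now = () => Date.now()) {
    this.now = now;          // injectable clock so expiry can be tested
    this.links = new Map();  // SHA-256(id) -> link record
  }

  // Only a digest of the ID is stored, so a leaked table cannot be
  // turned back into working links.
  static digest(id) {
    return crypto.createHash('sha256').update(id).digest('hex');
  }

  // Returns the ID to embed in the link: 256 bits from the CSPRNG.
  // Assumption: passing linkedAccount makes the link persistent.
  createLink(paperId, annotationIds, linkedAccount = null) {
    const id = crypto.randomBytes(32).toString('hex');
    this.links.set(ShareLinkStore.digest(id), {
      paperId,
      annotationIds: [...annotationIds],
      linkedAccount,
      expiresAt: linkedAccount ? null : this.now() + THREE_DAYS_MS,
    });
    return id;
  }

  // Returns the shared annotation IDs, or null when the ID is unknown,
  // expired, or was issued for a different paper.
  resolve(paperId, id) {
    if (typeof id !== 'string') return null;
    const key = ShareLinkStore.digest(id);
    const link = this.links.get(key);
    if (!link || link.paperId !== paperId) return null;
    if (link.expiresAt !== null && this.now() >= link.expiresAt) {
      this.links.delete(key); // drop expired entries on access
      return null;
    }
    return link.annotationIds;
  }
}
```

Every failure case returns the same `null`, so a caller cannot distinguish an expired link from one that never existed.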