homakov
commented
7 years ago Good point, a post about SecureLogin + Email is upcoming. You're right that currently email is just advisory. Will be made clear in docs.
Closed download13 closed 7 years ago
homakov
commented
7 years ago Good point, a post about SecureLogin + Email is upcoming. You're right that currently email is just advisory. Will be made clear in docs.
homakov
commented
7 years ago Alright, we will call it suggested_email from now on. It implies it is not verified.
Correct me if I'm wrong, but there doesn't appear to be any verification of the email provided to the server.
The demo code seems to imply that we can trust the email address provided by the client:
But the user can enter anything they want into the email field of the app. I signed up for the demo app with bill.gates@microsoft.com for example. It seems confusing to imply that the users's account can be associated with the email they provide without some kind of independent verification, and if you're verifying emails then why did we bother with all the public-key stuff?
I would think it would be better to say that each users's account is tied to a fingerprint of their public key, since that's the only thing you can guarantee ownership of with this system.
It might be worth having fields like "email","requested_displayname", or "sms_number" that the server can use to pre-fill their account with contact information and such, but it should be made clear that the provided values are advisory only and must be verified before being used. Especially because I think it's against the law in a lot of places to send emails or sms messages without the receiver's consent.