Currently a valid email address can be registered as a username without any ownership verification. This leads to a multitude of problems, including consistency/uniqueness and spoofing.
#111317-83: Allow users to login using either their username OR their e-mail address:
At a minimum, I think we need validation when new users register that their username matches neither an existing username nor an existing e-mail address.
While a bit better than the status quo, this doesn't cut it, leading to - em, sorry - superficial fixes like the proposal in #1359718: Password reset fails when a user has a username that matches another user's email address, which introduces code bloat and new privacy problems while still not solving the fundamental problems.
It is not enough to check usernames for uniqueness, neither upon account creation nor upon changing the account name.
Registering with a username that could be an email address always comes with a risk of identity fraud or blockade, if the potential email address isn't verified.
Imagine someone registering with the username 'bill.gates@microsoft.com' or 'dries.buytaert@drupal.org' with her real email address given as 'spoof@xxxhost.ru'.
Regarding the identity fraud case: Bill Gates might not be registered on our site yet, so the address is allowed. Still the fake Bill could post in the name of Bill Gates, and even with a (misleading) sign of being verified.
Regarding the blockade case: Bill Gates might not be registered on our site yet, so the address is allowed. But if tomorrow Bill Gates wants to register as 'Bill Gates' with his email address 'bill.gates@microsoft.com', he will not be allowed to do that because someone else fraudulently blocked Bill's real email address from being registered. Now Bill not only has to live with the fact that there's someone else posting spam in his own name, but he can't even prove that the email address in reality belongs to him.
So what could be our options?
- 1: The most rigid solution:
  - Disallow @ signs in usernames.
- 2: The minimum solution:
  - Check for existence when registering, but give the email address precedence over the username. So, if someone proves to be the owner of, say, 'bill.gates@microsoft.com', he can register, but the preexisting account with 'bill.gates@microsoft.com' as username would be blocked or renamed.
- 3: The probably most diligent solution:
  - Allow potentially valid email addresses as usernames only if, at the time of registering or changing the username, the username matches the current email address. If at a later point someone registers proving to be the new owner of, say, 'ceo@microsoft.com', a preexisting account with the username 'ceo@microsoft.com' might be blocked, but would in any case be renamed and the owner informed.

And what to do with existing usernames on existing sites?
Taking the latter solution from above, we could adopt:
- 3a: The most rigid solution:
  - Block, rename and inform users with a username that might potentially be an email address but doesn't match the currently given email address.
- 3b: The minimum solution:
  - Rename and inform only users whose username matches the email address of another account. Leave all other accounts alone until someone else proves ownership of the email address.
- 3c: The probably most diligent solution:
  - Rename and inform users whose username matches the email address of another account. Inform and require all other users with a username being a potential email address to prove ownership within some time, otherwise rename the account.
Opinions?
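
Option 3 combined with variant 3b, sketched as an added example that is not part of the original issue and is not Drupal code. `Account`, `validate_username` and `reclaim` are hypothetical names, and the email-likeness pattern, the in-memory account list and the `user-<uid>` replacement name are assumptions.

```python
import re
from dataclasses import dataclass

# Loose "could be an email address" test; an assumption of this sketch.
EMAIL_LIKE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

@dataclass
class Account:            # hypothetical record, not Drupal's user object
    uid: int
    name: str
    mail: str             # address whose ownership has been verified

def norm(value):
    return value.strip().lower()

def validate_username(name, mail, accounts, uid=None):
    """Option 3: errors for registering or renaming `name` on an account owning `mail`."""
    n, errors = norm(name), []
    if EMAIL_LIKE.match(n) and n != norm(mail):
        errors.append("email-like username must equal the account's own verified address")
    for other in accounts:
        if other.uid == uid:
            continue
        if n == norm(other.name):
            errors.append("username already taken")
        if n == norm(other.mail):
            errors.append("username equals another account's email address")
    return errors

def reclaim(verified_mail, owner_uid, accounts):
    """Variant 3b: rename other accounts whose username is the newly verified address."""
    renamed = []
    for other in accounts:
        if other.uid != owner_uid and norm(other.name) == norm(verified_mail):
            other.name = f"user-{other.uid}"   # placeholder name; caller informs the owner
            renamed.append(other.uid)
    return renamed

def demo():
    # Constructed sample data, using the addresses from the scenario above.
    accounts = [Account(1, "alice", "alice@example.org"),
                Account(2, "bill.gates@microsoft.com", "spoof@xxxhost.ru")]
    spoof = validate_username("dries.buytaert@drupal.org", "spoof@xxxhost.ru", accounts)
    renamed = reclaim("bill.gates@microsoft.com", 3, accounts)
    real = validate_username("bill.gates@microsoft.com", "bill.gates@microsoft.com", accounts, uid=3)
    return spoof, renamed, real

if __name__ == "__main__":
    print(demo())
```

`reclaim` is meant to run only after the new owner has confirmed the address, so the legacy account is renamed before the owner's own username is validated.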