[openstreetmap/openstreetmap-website] Add MAPS.ME authentication (#1433)
notifications at github.com
Thu Feb 16 16:18:00 UTC 2017
What I am trying to say, is that
1) We don't need a working e-mail at the sign-up time. Yes we are checking it, by sending a confirmation letter, but after that a few month or even years can pass before a user receives their first e-mail from osm.org.
2) A belief that e-mail confirmation ensures a e-mail address is working, is not based on anything. It's like these security procedures in airports: they look complex, scary and effective, but when tested, they turn out to be much hassle for regular passengers and transparent for attackers.
For example, I have around 30 accounts on osm.org, most of which I made for teaching or for testing, and while all e-mails from the website are confirmed, I obviously don't check these e-mail accounts.
The only reason for confirmation e-mails is to validate the typed address. When we believe that a user _wants_ to receive e-mails and types his address _by hand_ in the relevant field, we send a confirmation e-mail to verify that they haven't made any typos. It is obviously redundant when we get an address from a third-party service, which has verified it the same way.
So even if you remove the line allowing for google, facebook and yahoo users to not use the confirmation link, you won't get better e-mail addresses or protect yourself from mailinator and similar services. Getting a proper e-mail address from a user is not a techical task, but a designer one. To make a user enter their actual working address, you have to show them the value of messages we will send them. The current registration page does not do that (e.g. we don't even assure that we won't send any spam), so we might get some fake e-mails. Again, the reason is not that we don't send confirmation e-mails for some registrations.
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the rails-dev