So you could ask Anna to enter her account password in order to retrieve the transfer secret, like with the “change email address” page.
That would fail if Anna had her password saved with the browser, of course.
On the other hand, if Anna left her laptop logged in to email, Bit could wreak all sorts of havoc in her absence, given how many services allow you to control accounts by retrieving or resetting passwords by email.
Or Bit could probably delete quite a number of entries, one by one, in half an hour if Anna stayed logged in.
I’m not sure where to draw the line in protecting the user. Asking for current password to retrieve the transfer secret seems like a reasonable enough barrier to me; someone with experience in Abuse and/or Anti-Spam may think otherwise.
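The "enter your current password before the transfer secret is shown" barrier discussed above, written out as a server-side re-authentication gate. This is an added example, not code from the thread or from any project mentioned in it; the account model, the `transfer_secret` field and the five-minute freshness window are assumptions for illustration. The point it makes concrete is that a live session on an unattended laptop is not enough: the secret is only released if the password was confirmed recently, and the gate is the same whether or not the session cookie is valid.

```python
"""Re-authentication gate for a sensitive action (added example, not from the thread).

Assumed model: an account has a password hash and a 'transfer secret'; a
session remembers when the password was last re-entered. Fetching the secret
requires a confirmation within REAUTH_WINDOW_SECONDS, so a logged-in session
alone cannot retrieve it.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

REAUTH_WINDOW_SECONDS = 300  # assumed policy: confirmation is good for five minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random per-account salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


class Account:
    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.salt, self.password_hash = hash_password(password)
        # Hypothetical secret that lets another account take over this one's data.
        self.transfer_secret = secrets.token_hex(16)

    def verify_password(self, candidate: str) -> bool:
        _, digest = hash_password(candidate, self.salt)
        return hmac.compare_digest(digest, self.password_hash)


class Session:
    """A logged-in browser session; last_reauth is None until the password is re-entered."""

    def __init__(self, account: Account) -> None:
        self.account = account
        self.last_reauth: Optional[float] = None


class ReauthRequired(Exception):
    pass


def confirm_password(session: Session, password: str, now: Optional[float] = None) -> bool:
    """Handle the 'enter your current password' step; records the time on success."""
    now = time.time() if now is None else now
    if not session.account.verify_password(password):
        return False
    session.last_reauth = now
    return True


def can_view_transfer_secret(session: Session, now: Optional[float] = None) -> bool:
    """True only if the password was confirmed within the freshness window."""
    now = time.time() if now is None else now
    if session.last_reauth is None:
        return False
    return (now - session.last_reauth) <= REAUTH_WINDOW_SECONDS


def get_transfer_secret(session: Session, now: Optional[float] = None) -> str:
    """The gated endpoint: refuse unless the session has a fresh confirmation."""
    if not can_view_transfer_secret(session, now):
        raise ReauthRequired("enter your current password to view the transfer secret")
    return session.account.transfer_secret


if __name__ == "__main__":
    anna = Account("anna", "correct horse battery")  # constructed sample account
    sess = Session(anna)
    print("fresh session allowed:", can_view_transfer_secret(sess, now=1000))  # False
    confirm_password(sess, "correct horse battery", now=1000)
    print("after confirmation:", can_view_transfer_secret(sess, now=1100))     # True
    print("after window expires:", can_view_transfer_secret(sess, now=1400))   # False
```

Note the window is measured from the confirmation, not extended by use, so walking away after viewing the secret still leaves only a short exposure. As the post itself observes, a browser-saved password makes the confirmation step trivial for anyone at the keyboard; the gate raises the bar against a passer-by but does not replace locking the screen.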