Requests for comment/Login via e-mail address

mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmMediaWiki should allow login via e-mail address.

There's a workaround changeset in

Background
Login via e-mail address is crazy popular on the Web. It's easier for users to remember an e-mail address over a site-specific username.

Considerations

 * Currently e-mail addresses are case-sensitive.
 * RFC 5321 says Bob@example.com and bob@example.com could theoretically be different e-mail addresses, but in practice that's crazy.
 * Write a maintenance script to normalize e-mail addresses to all lowercase in the database or just check at the application level?
 * E-mail address is considered private information.
 * E-mail addresses do not need to be unique (many accounts with a shared e-mail address happens).
 * Checking passwords is necessarily computationally expensive, so timed attacks are a real concern.
 * There is also CentralAuth to deal with, maybe.
 * Special:PasswordReset already has some of the same functionality/logic we're going to need here.
 * Current error messages for wrong login credential situations are:
 * When user account does exists: "Incorrect password entered. Please try again."
 * When user account doesn't exists: "There is no user by the name "(username)". Usernames are case sensitive. Check your spelling, or create a new account."
 * But unlike usernames, e-mail addresses should be kept in secret. So we have to redesign the error messages to make attackers aren't able to obtain information about whether an specific e-mail address is in the database. --*devunt (talk) 10:47, 30 January 2015 (UTC)

Workflow

 * Special:UserLogin is changed to accept e-mail address or username. ✅
 * Always try as username first (there are usernames that are e-mail addresses...). ✅
 * Alternately, force-rename users with "@" in their name. "@" is a reserved character according to $wgInvalidUsernameCharacters, so any usernames containing "@" are legacy name unless site administrator has manually take out "@" from $wgInvalidUsernameCharacters.
 * The @ is required in some LDAP authentication environments, so renaming accounts may not be feasible. --Ciencia Al Poder (talk) 17:41, 4 August 2015 (UTC)
 * Login-by-email could be made an optional feature, and disabled (along with the connected rename script) in these environments. Mattflaschen-WMF (talk) 23:33, 6 August 2015 (UTC)
 * If e-mail address is authenticated, check password of account. ✅
 * If the e-mail address is not authenticated, check password but discard the result to avoid timing attacks. Daniel Friesen (Dantman) (talk) 06:24, 30 January 2015 (UTC) ✅
 * We want to avoid timed attacks that can determine whether an e-mail address is in the database. ✅
 * Perhaps only check one account total? ✅
 * This approach avoids needing to insert an intermediate screen for disambiguation.
 * This would mean that for e-mail addresses that correspond to multiple usernames, you would need to error and tell the user to maybe try an account name instead? (The error message presumably cannot give away that there were e-mail addresses that matched in the database, unless the password also matches.) ✅

Implementation details
The current implementation behaves like:
 * Display an ambiguous error message when a username, an email address or a password was wrong.
 * Only process to login workflow if an email address is associated with just one account.
 * Email addresses which are not authenticated is completely ignored during login workflow.

Discussion
In the disucussion tab.