Somewhat time critical — How do I set a password?

These topics were discussed here alongside the EAuth implementation.

@hwwhww Are spamming and impersonator attacks the only reasons for disallowing email login? Did we have bad experiences with this before? How is ethereum-magicians managing these issues while allowing email login?

I agree on maximizing non-traceability and would like to point out two more implications of GitHub-only login: UX and security.

I believe that it is fair to say that a significant number of potential users fall under a) don’t have a GitHub account or b) have a completely inactive GitHub account. For these users the lack of 2FA results in poor UX, of course, but they are also more likely to give up on security, as they are probably less willing to set up and secure a GitHub account they don’t use.
On the other hand, in my personal experience as a GitHub user, the UX of the current system feels super smooth.

The advantages of having email login and GitHub auth would be:

  • Privacy for those who don’t want their profile to be associated with their GitHub.
  • More balanced UX.

For the current GitHub-only system we have the following:

  • Less privacy.
  • A worse UX and security for non-GitHub-users.
  • A better UX for GitHub users.
  • Protection against spam and impersonator attacks.

Is there a way to point to the GitHub account without using email as primary key? If this is non-trivial to make, we can’t force users to stick with one GitHub account since GitHub email can be changed.

When it comes to the EAuth implementation we are still facing the same privacy issues, as the idea would be to enable signing up with ENS but to require associating a GitHub account with it. (Still excited about EAuth though!)
