The same email address is used for wikimail and password recovery.
For password recovery, an address with a secure mail provider is a good choice. For wikimail, on the other hand, a throw-away email address that can be easily replaced if it becomes known to a stalker or the public makes more sense. This is especially true for accounts with additional rights and prolific authors. These groups cannot work without wikimail and are unlikely to abstain from the possibility to recover a lost password.
I propose the following: Add the option to specify a second email address in the preferences for all users.
Add the following global preferences (email and password are already global):
- checkboxes to select what email address to use with wikimail or none at all
- checkboxes to select what email address to use for password recovery or none at all
- if both boxes are checked, different temporary passwords are sent to both addresses and both are needed to login
- checkboxes to select what email address to use for echo and other notifications
- in a more ambitious additional approach the local echo preferences could allow the configuration of every notification type to be sent onwiki, to first address, to second address
- checkboxes to send a TAN to either of the addresses on login (achieving a cheap way of 2FA, at least until true 2FA is implemented)
In a given time frame only one email address can be changed. A confirm message is sent to the new address and additionally a "cancel the change" message is sent to the other unchanged address.
The option of two addresses would allow the use of a throw-away-email-address for wikimail. So if this address becomes known to a stalker, you can simply change this address, while keeping your secret secure email address for all other uses.
Nothing changes for any user who does not specify an email address or stays with one address.
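
A sketch of two rules from the proposal, added here as an illustration and not taken from MediaWiki or any existing extension: split recovery, where both temporary passwords are required, and the one-address-per-time-frame change rule with a cancel notice to the unchanged address. The `Account` class, the slot names `primary`/`secondary`, and the 7-day `CHANGE_WINDOW` are assumptions.

```python
import hashlib, hmac, secrets, time

CHANGE_WINDOW = 7 * 24 * 3600  # assumed length of the "given time frame"

def _digest(token):
    # Store only a hash of each temporary password, never the password itself.
    return hashlib.sha256(token.encode()).hexdigest()

class Account:  # hypothetical model, not a MediaWiki class
    def __init__(self, primary, secondary):
        self.addresses = {"primary": primary, "secondary": secondary}
        self.recovery = set()       # slots ticked for password recovery
        self.pending = {}           # slot -> hash of outstanding temporary password
        self.last_change = None     # (slot, timestamp) of the latest change request
        self.pending_change = None  # (slot, new address) awaiting confirmation

    def start_recovery(self):
        """Issue an independent temporary password per recovery address."""
        outbox = {}
        for slot in sorted(self.recovery):
            token = secrets.token_urlsafe(16)
            self.pending[slot] = _digest(token)
            outbox[self.addresses[slot]] = token
        return outbox  # address -> temporary password to be mailed

    def finish_recovery(self, supplied):
        """Succeed only if every issued temporary password is presented."""
        ok = bool(self.pending)
        for slot, stored in self.pending.items():
            # Constant-time comparison; a missing token hashes as the empty string.
            ok &= hmac.compare_digest(stored, _digest(supplied.get(slot, "")))
        if ok:
            self.pending.clear()  # temporary passwords are single-use
        return ok

    def request_change(self, slot, new, now=None):
        """Refuse if the other address was changed inside the window."""
        now = time.time() if now is None else now
        if self.last_change and self.last_change[0] != slot \
                and now - self.last_change[1] < CHANGE_WINDOW:
            return None
        other = "secondary" if slot == "primary" else "primary"
        self.pending_change, self.last_change = (slot, new), (slot, now)
        return {new: "confirm", self.addresses[other]: "cancel the change"}

    def resolve_change(self, confirmed):
        """Apply the pending change on confirm, drop it on cancel."""
        if self.pending_change and confirmed:
            slot, new = self.pending_change
            self.addresses[slot] = new
        self.pending_change = None
```

With this rule, someone who controls only the throw-away address can neither complete a recovery nor swap out the secure address before the owner sees the cancel notice.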