In the context of automating common support requests, it would be good to add forms/pages where people can submit a profile merge request, or actually perform a profile merge themselves when the user can verify ownership of both profiles.

Challenges/solutions

Merge requests may only be performed by the submitter when we are sure he/she is the owner of the identity represented by both profiles

  • Generate a unique and expiring email verification link, sent to the email addresses of the targeted profiles for which the submitter is not logged in
    • Generate and send 2 email verification links when there is no user account, or when the submitter is not a logged-in user

Prevent merge request spam (identity owner receiving merge request emails repeatedly)

  • Require Captcha for both logged-in and not-logged-in users
  • Limit number of non-expired merge requests for the same profile

For cases where ownership cannot be verified (e.g. no access to old email anymore), the merge request should be reviewed by the system administrators

  • As always, we should be careful when reviewing and accepting merge requests because of social engineering

Detect duplicate accounts and suggest merging to profile owner.

  • When a person logs in or displays his/her profile, check for possible duplicate accounts and present merge wizard
    • A duplicate profile often has a key (id) that is a prefix of the other key.
  • Don’t ask again when the user refuses to merge (e.g. in case of false positive)
Submitted by Elmer van Chastelet on 29 November 2018 at 09:15
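
A sketch of the verification-link and request-limit ideas above, added as an example and not code from this project. The class name, the 24-hour lifetime, the cap of 3 pending requests and the profile ids are assumptions; sending the e-mails and the Captcha check are left out.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 24 * 3600   # assumed link lifetime
MAX_PENDING = 3           # assumed cap on non-expired requests per profile

def _digest(token):
    # Only a hash of each link token is stored server-side.
    return hashlib.sha256(token.encode()).hexdigest()

class MergeRequests:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.requests = []  # dicts with "profiles", "expires", "need"

    def _live(self):
        now = self.clock()
        self.requests = [r for r in self.requests if r["expires"] > now]
        return self.requests

    def create(self, source, target, logged_in_as=None):
        """Return {profile: link token} to e-mail, or None when capped."""
        if source == target:
            raise ValueError("cannot merge a profile with itself")
        live = self._live()
        for p in (source, target):
            if sum(p in r["profiles"] for r in live) >= MAX_PENDING:
                return None  # limits repeated e-mails to the identity owner
        # The logged-in profile is already proven; every other one gets a link.
        links = {p: secrets.token_urlsafe(32)
                 for p in (source, target) if p != logged_in_as}
        self.requests.append({"profiles": (source, target),
                              "expires": self.clock() + TTL_SECONDS,
                              "need": {_digest(t) for t in links.values()}})
        return links

    def confirm(self, token):
        """Return the (source, target) pair once every link was followed."""
        d = _digest(token)
        for r in self._live():
            if d in r["need"]:
                r["need"].discard(d)  # single use: a replayed link matches nothing
                if r["need"]:
                    return None       # still waiting for the other address
                self.requests.remove(r)
                return r["profiles"]
        return None
```

The merge itself should run only when `confirm` returns a profile pair; a `None` from `create` is the point at which the form would refuse to send further e-mails.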
