This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Validate 3PIDs during signup & password reset from HS, not IS #1710

Closed
ara4n opened this issue Dec 18, 2016 · 2 comments
Labels
Security z-feature (Deprecated Label) z-p2 (Deprecated Label)

Comments

@ara4n
Member

ara4n commented Dec 18, 2016

There's an internal spec document called "Proposal for decoupling 3PID signup validation from discoverable 3PID validation" which proposes a fix for the fact that we use ISes for validating emails both during signup as well as for discovery. In practice, these are very different scenarios and we should use the HS for validating emails.

This would also help us with the branding of sign-up & reset mails.

Submitting this issue to track it properly.

@ara4n
Member Author

ara4n commented Dec 20, 2016

On discussion with Dave, we've decided not to incorporate this with the work being done on element-hq/element-web#1903, as it's basically orthogonal.

When we get 'round to doing it, we probably want it to be a standalone verification microservice (e.g. another python+sqlite thing; call it sygnoff or something ;). This could then be used both by the IS (whether centralised sygnal or a decentralised future thing) and by the HS as a general verification helper.

Separately, there's also the related issue of supporting 2FA during login (not signup or password reset): https://github.com/vector-im/riot-web/issues/2772. It feels like this might want to also make use of the same hypothetical verification service produced by this bug.

@richvdh
Member

richvdh commented Nov 27, 2019

this finally got done by element-hq/element-web#5835 and friends.
