I was discussing this with Blue earlier and we agreed that we have two choices on this. And i think we need to address this before 0.4 as it's a critical issue.
1: A challenge system. Player A adds Player B as an alt. A random AUTH string (md5?) is generated and stored in a new databse table, lets name it auth. There we store the requesting playername, time of the request, an integer to designate the request type (to allow the table to be used for more auth related stuff in the future) and the target name.
Player B will then be sent a blob containing a brief explanation with a link to click which will then when clicked send say a /tell botname alts auth <auth string>
This should probably be coupled with a new setting which allows you to restrict adding alts to alts that are also members of the bot (to prevent abuse by doing for example !alts add Sirillion over and over. This would also go well with the second way outlined below. On a side note, to prevent spamming and abuse, you should not be able to rerequest an alt which you have an active auth pending for. And one might in addition consider having a settable enforced delay between alt add's.
2: We have a password table, put it to use. Allow setting a password, and then allowing that password to be used when adding an alt, bypassing the auth requirement.
These two options are the best i've come up with so far, and combined they make for a nice system allowing security and flexibility (i've been thinking of this for a while since it would be nice for a raidbot)
Additionally you could add another layer to the auth mechanism (optional via setting) to require admin approval as well in addition to being confirmed by the target player, or maybe just admin approved (think forum registration options).
Thoughts?
Content
Total Members: 1243
