17.2.3.6.1. About stealth mode

To prevent a potential attacker from learning information about existing user records, a stealth mode can be enabled for the User Registration Self-Service. Stealth mode can, for example, prevent an attacker from learning whether an email address or phone number has already been registered. If the uniqueness check of the username and alias attributes in a registration request fails and stealth mode is enabled, successful registration is simulated. Simulating a successful registration means that the interface returns a response that is indistinguishable from a response to a successful registration request with unique username and alias attributes, but no user is created and no channel verification message (e.g. email or SMS) is sent.
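The following Python model is an added illustration of the behaviour just described; it is not the product's own code. The class and method names, the response shape (a 202 status with an opaque `verification_id` and a generic message), the 409 error used when stealth mode is off, and the sample registrations are all constructed assumptions. It shows the two properties that matter: with stealth mode enabled, a request that fails the username or alias uniqueness check receives a response that cannot be told apart from a real one, and it leaves no side effect (no user record, no pending verification, no channel verification message).

```python
"""Model of a self-registration endpoint with and without stealth mode.

Constructed example for illustration only. Data model, status codes and
response bodies are assumptions, not the behaviour of any specific product.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class RegistrationService:
    stealth_mode: bool
    users: dict = field(default_factory=dict)          # username -> record (alias = email/phone)
    pending: dict = field(default_factory=dict)        # verification_id -> username
    sent_messages: list = field(default_factory=list)  # channel verification messages "sent"

    def _is_unique(self, username: str, alias: str) -> bool:
        # Uniqueness covers both the username and the alias attribute.
        if username in self.users:
            return False
        return all(rec["alias"] != alias for rec in self.users.values())

    def _accepted_response(self) -> dict:
        # One response shape for real and simulated registrations. The id is
        # freshly random in both cases so its format gives nothing away.
        return {"status": 202,
                "body": {"verification_id": secrets.token_hex(16),
                         "message": "A verification message has been sent."}}

    def register(self, username: str, alias: str) -> dict:
        if not self._is_unique(username, alias):
            if self.stealth_mode:
                # Simulated success: same response, but no user, no pending
                # verification and no message. The returned id is unusable.
                return self._accepted_response()
            # Without stealth mode the failed check is reported, which reveals
            # that the username or alias is already registered.
            return {"status": 409,
                    "body": {"error": "username or alias already registered"}}
        resp = self._accepted_response()
        self.users[username] = {"alias": alias, "verified": False}
        self.pending[resp["body"]["verification_id"]] = username
        self.sent_messages.append({"to": alias, "username": username})
        return resp


def indistinguishable(a: dict, b: dict) -> bool:
    """True if two responses differ only in the per-request random id."""
    if a["status"] != b["status"] or a["body"].keys() != b["body"].keys():
        return False
    for key in a["body"]:
        if key == "verification_id":
            if len(a["body"][key]) != len(b["body"][key]):
                return False
        elif a["body"][key] != b["body"][key]:
            return False
    return True


def side_effects(svc: RegistrationService) -> tuple:
    """Observable state a simulated registration must leave unchanged."""
    return (len(svc.users), len(svc.pending), len(svc.sent_messages))


if __name__ == "__main__":
    svc = RegistrationService(stealth_mode=True)
    real = svc.register("alice", "alice@example.com")
    before = side_effects(svc)
    duplicate = svc.register("bob", "alice@example.com")  # alias already taken
    print("indistinguishable:", indistinguishable(real, duplicate))
    print("side effects unchanged:", side_effects(svc) == before)
```

The `indistinguishable` check is the review step worth keeping: any field that is present, absent or formatted differently in the simulated response (an empty id, a different status code, a localized message) is enough for an enumeration oracle. The model deliberately does not cover response timing; a simulated registration that skips the work a real one performs can still be distinguishable by latency, so that is a separate thing to measure.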

Be aware that the degree of protection against user enumeration depends on the configuration of the self-registration process as explained in more detail in the following. Note that stealth mode can only be enabled if "Channel Verification" is used.

Be aware that activating the stealth mode of the REST API for User Registration Self-Services only changes the behavior of the self-registration interface (registration, channel verification and resending of channel verification messages), but not that of other REST API functionality, which might still be vulnerable to user enumeration (e.g. the authentication API or password reset).

In the following, we present two variants of an example of a configuration where stealth mode provides good protection against user enumeration.

Most configurations that differ from the given example and its variant provide only a weaker degree of protection against user enumeration. Therefore, every configuration that differs from the given example and its variant must be analyzed very carefully to determine the security guarantees it provides, and additional measures such as input validation should be taken where needed.