Variant: Email verification

The previous example configuration can be adapted to "Email Verification" as "Channel Verification" as follows:

  1. "Enable Stealth Mode" is active.
  2. "Alias Attribute Names" has a single entry "email".
  3. "User Context Data Item List" has an element of any type of "Self Reg User Context Data Item Config" (e.g. "String User Context Data Item" with a "Validation Pattern" that only accepts valid email addresses) where the "Context Data Field" has the value "email". The "User Context Data Item List" may contain additional "Self Reg User Context Data Item Configs", which all must have "Context Data Fields" that are different from "email". The uniqueness check enforces that neither the provided "username" nor the "email" conflicts with a value from the union of the columns "username" and "email" of existing users.
  4. As "Channel Verification" a plugin of type "Email Verification" is used. The "Email Property Name" of the "Email Verification" has the value "email".
  5. An "Id Pattern Self Registration Validator" with a pattern that does not match any valid email address (e.g. a pattern that does not allow "@") is configured as "Self Registration Validator".

This variant obviously preserves the security guarantee described above – with respect to email addresses instead of phone numbers: an honest user or a potential attacker cannot learn whether there already exists a user record with a given email address as "email" unless he has (at least temporarily) access to the given email address.

Enumeration of usernames

The above examples prevent enumeration of phone numbers and email addresses, respectively. In many cases, protecting this data against enumeration is the main privacy concern.

Enumeration of usernames is still possible. For example, in the email variant, an attacker can try to register many usernames using his or her own email address. The attacker receives an email if and only if the username already exists.

Sometimes username enumeration is no privacy concern, e.g. if usernames are technical IDs.

If it is necessary to protect against username enumeration, this can be achieved as follows:

  • Write a custom Self Registration Validator ("SelfRegUserContextDataValidator") that ensures that the username equals the email address (or phone number). Since, as discussed above, email addresses cannot be enumerated in the given configuration, this also prevents username enumeration.
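As an added illustration, not part of this documentation or of the product's own code, the following Python sketch models the cross-column uniqueness check from item 3, the "no @ in usernames" Id Pattern rule from item 5, and the custom username-equals-email validator described in the last bullet; the regular expressions, the sample user records and the response strings are assumptions.

```python
import re

# Constructed sample of existing user records with "username" and "email" columns.
EXISTING_USERS = [
    {"username": "alice", "email": "alice@example.com"},
    {"username": "bob.smith", "email": "bob@example.com"},
]

# Assumed "Validation Pattern" for the "email" context data item (simplified).
EMAIL_PATTERN = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumed "Id Pattern" for the username: must not match any email address (no "@").
USERNAME_PATTERN = re.compile(r"^[A-Za-z0-9._-]{3,64}$")

# What the client sees: identical for "created" and "conflict" (stealth mode).
CLIENT_OK = "verification mail sent"


def is_unique(username, email, users=EXISTING_USERS):
    """Uniqueness check from item 3: neither the submitted username nor the
    submitted email may occur in the union of the username and email columns."""
    taken = {u["username"] for u in users} | {u["email"] for u in users}
    return username not in taken and email not in taken


def register(username, email, users=EXISTING_USERS, username_must_equal_email=False):
    """Returns (client_visible_response, internal_outcome).

    Input-format errors are reported to the client because they depend only on
    the submitted values. The uniqueness result is never reported: the client
    response is the same whether a record was created or a conflict was found.
    """
    if not EMAIL_PATTERN.match(email):
        return "invalid email", "rejected"
    if username_must_equal_email:
        # Custom validator from the last bullet; it replaces the Id Pattern validator.
        if username != email:
            return "username must equal email", "rejected"
    elif not USERNAME_PATTERN.match(username):
        return "invalid username", "rejected"
    if not is_unique(username, email, users):
        return CLIENT_OK, "conflict"   # handled server-side only, never revealed
    return CLIENT_OK, "created"
```

Note that a username colliding with an existing email column value (or vice versa) is a conflict too, which is what makes a username-column-only check insufficient.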