Stealth Mode changes the behaviour of the IAM system to support enumeration prevention for channel-verifiable data attributes (e.g. email address, mobile phone number) during a stealth-protected operation. To achieve this during self-registration, the system continues processing the request as if the self-registration had not conflicted with an existing account, so as not to leak information to the attacker.
Stealth Mode can be enabled in the 'User Self-Registration Flow' Advanced Settings for each flow individually.
The Send Email Link Step cannot be used in conjunction with the Stealth Mode.
Stealth mode in user self-registration flows relies on the channel verification step being interactive: the registering user cannot get past it while stealth mode is in effect. Since the Send Email Link Step is non-interactive, it does not support stealth mode.
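The behaviour described above, as an added illustration that is not the product's own code: a minimal self-registration handler that answers identically whether or not the email already belongs to an account, issues a verification code only when there is no conflict, and therefore never lets a conflicting registration pass the interactive verification step. The account store, the outbox and the email addresses are constructed sample data.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data (assumption, not from the page): one pre-existing account.
EXISTING_EMAILS = {"alice@example.com"}


@dataclass
class Outbox:
    """Records messages 'delivered' to a channel so the caller can inspect them."""
    sent: list = field(default_factory=list)


@dataclass
class StealthRegistration:
    outbox: Outbox
    existing: set
    pending: dict = field(default_factory=dict)  # session -> (email, code or None)

    def start(self, email: str) -> dict:
        """Step 1: respond identically whether or not `email` is already taken.
        For a conflicting address no verification code is issued to the
        registering party, so the interactive step can never be passed."""
        session = secrets.token_urlsafe(16)
        if email in self.existing:
            code = None  # stealth: pretend to proceed, but deliver nothing
        else:
            code = f"{secrets.randbelow(10**6):06d}"
            self.outbox.sent.append((email, code))  # deliver to the channel
        self.pending[session] = (email, code)
        # Same keys and values in both branches: no enumeration oracle in the reply.
        return {"session": session, "next": "verify_channel"}

    def verify(self, session: str, submitted: str) -> bool:
        """Step 2: interactive channel verification with a constant-time compare."""
        email, code = self.pending.get(session, (None, None))
        expected = code if code is not None else "0" * 6  # dummy keeps timing parity
        ok = hmac.compare_digest(expected, submitted) and code is not None
        if ok:
            self.existing.add(email)
            del self.pending[session]
        return ok
```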
To take advantage of Stealth Mode, the following requirements must be met:
- The attribute to be protected must be the first channel verification target, meaning the system must be able to verify that the registering user is really in possession of this communication channel.
- The attribute to be protected must be unique. E.g. if stealth mode is used with email, no two accounts may have the same email configured.
- It is recommended to put channel verification as early as possible in the flow to make attacks on subsequent steps more difficult.
If uniqueness is not required then enumeration is not possible and there is no need for stealth mode protection.
Stealth mode in self-registration has some limitations:
- Only the first channel verifiable user item is protected. All other user items (including login names) remain vulnerable to enumeration attacks.
A similar feature is also used to protect accounts against enumeration during authentication. For more information see:
- Authentication REST API
- For form-based authentication: Stealth mode authentication (zero information leakage and DoS prevention)