1

I work on an application where users are sent a unique registration code in the post. They use this, along with other personal information known to the user, to confirm the identity of the user upon creating a new account.

Does the unique registration code sent in the post need an expiry time (like after 30 days)?

The argument that has been made to me is that if there is no expiry then a fraudster has longer to collate the personal information about the intended user to confirm identity. Therefore, they argue that adding an expiry decreases the likelyhood of fraudsters creating an account posing as the intended user.

However, if that's the case, I would imagine that having an expiry would make no difference. If a fraudster has intercepted this mail then the individual has been personally targeted and the fraudster would be able to obtain the personal information to request another code?

Daniel
  • 3
  • 1
Daniel
  • 11
  • 1
  • What does the expiry do for you? Why do you want one? – schroeder Oct 31 '19 at 13:25
  • The argument has been raised around account security being that if there is no expiry, a fraudster has longer to collate personal information about the intended user and then use that code in future to create an account posing as the user. Personally, I don't think adding an expiry will make much difference in this scenario, but decided to reach out to the community to see what the general consensus was. – Daniel Oct 31 '19 at 13:27
  • If a fraudster has access to this piece of mail, it is reasonable to assume they have access to all mail, and subsequently, all personal data. – schroeder Oct 31 '19 at 13:33
  • Can you edit your question to include the concern/risk you hope the expiry addresses? – schroeder Oct 31 '19 at 13:34

2 Answers2

0

An expiry code means that if an unauthorised person with malicious intent gains access to the code before the user finalises registration, then fraud can be prevented if the malicious person does not also have access to the victim's personal information.

But how effective of a control would the expiry be? If someone with malicious intent has access to the mail and a desire to exploit it, then it is reasonable to assume that the malicious person has access to all mail. If there is access to all mail, then all the victim's info is exposed to the malicious person, so the control is not effective in this case.

Compare this to the risk of a legitimate delay in finalising registration, requiring a re-issuing of the code and posting. The expiry period would need to be long, in which case, a malicious person has a lot of time to act.

schroeder
  • 123,438
  • 55
  • 284
  • 319
0

There are two types of registration codes.

Codes that identify you. These essentially serve the role of a user name. You might receive something like a "member number" from your credit union or an "attendee ID" when you register for a conference. These are meant to identify. Typically you will need this piece of information to start an enrollment process, which will require other factors of authentication, and ultimately result in setting a password. This type of registration code does not need to expire, and indeed in many cases they are permanent. That being said, some effort should be made to avoid sequential or guessable identifiers, as a hacker could possibly enumerate them to search for a user that used a weak password.

Codes that authenticate you. These essentially serve the role of both user name and password. This is the sort of code you may receive when completing a "forgotten password" workflow, for example. These tend to be much longer, and are sometimes used as the sole factor of authentication (although it is possible, and recommended, to provide for a second factor). These codes should expire.

John Wu
  • 9,101
  • 1
  • 28
  • 39