Questions tagged [registration]

Registration can refer to:

  • The act of making an identity on a service (like getting a Facebook account)
  • The process of getting credentials from a service (like using OpenID to log in to Stack Exchange)
  • The protocol to get information from a system (like getting updates from a forum you want to follow)

This tag should be applied when a question is about:

  • A security issue that can occur with a registration process.
  • An attack vector on the registration process.
  • A security consideration for a registration process.

50 questions
58 votes, 8 answers

Should I log users in if they enter valid login info in registration form?

Recently, we've had users complain that they forget that they have an account, try registering, and get an error message that a user with that email already exists. There is a proposal to just log them in in such cases. So, if the user inputs valid…
28 votes, 3 answers

Forgot password and revealing whether account exists

So when you hit that forgot password link and enter your email address, it seems that sites (and other programmers I've spoken to) are in one of two mindsets: notify the user whether or not the email address matched one in the database, and…
Stafford Williams
18 votes, 3 answers

Is cell phone number based verification secure?

Websites often send a code to a cell phone number for verification. Is this secure? If it is not secure, are there any better alternatives?
Lone Learner
18 votes, 4 answers

Prevent against OTP abuse in app sign up flow

This may sound like an open ended question, but I would like to take my chances and understand if there is any way the rest of the community is handling this issue. Let's say there is an app that allows users to sign up using their phone number.…
qre0ct
15 votes, 3 answers

How can you prevent email addresses from being harvested from a registration form?

When you go to a website's login form and enter the wrong credentials, the website can give you one of three error messages: "Your email is wrong", "Your password is wrong", or "Your email or password is wrong". I've read that the safest practice is to only…
Pikamander2
14 votes, 4 answers

Is this passwordless system secure?

A person has a form that asks for a name and password. The password is sent to the server, where a hash is created by hashing the name and password. This hash is converted into a number using the ASCII values. The number is limited to 10 digits, and…
klenex
13 votes, 6 answers

Is it safe to authenticate user by email confirmation link?

When a user registers on a website, he has to confirm his e-mail to activate the account. When clicking the confirmation link, the user is identified by a one-time hash to activate the account. Is it safe to authenticate the user right away, or should he sign in by…
PeterM
11 votes, 3 answers

How To Stop A Mobile Verification Attack

I am thinking of using mobile phone number verification for the sign-up step in my web application, but how do I prevent a hacker or a malicious user from sending mobile verification requests to an unlimited number of phones? It would cause damage in…
John L.
10 votes, 2 answers

When should user invite links (tokens) expire?

We have a system in which external users can be invited to our identity management system. The users are not employees of our company, but of our customers. The administrators of the customer do not have access to the system the users are invited…
9 votes, 1 answer

Prevent phishing attacks through abuse of Apple iOS URL scheme

I am building an Apple iOS application that will have the following flow: A user completes registration from the web. Upon completion of registration, a link is sent to his email. Once the link is clicked on an iOS device, my iOS app will be…
user3074662
8 votes, 1 answer

What is this user-friendly device registration process called?

Logging in with a username/password can be annoying on non-keyboard devices (game consoles, Rokus, etc). Many media apps on these devices improve on this process by letting me activate my device on my account via these steps: I download and open…
incidentist
7 votes, 1 answer

Re-display password in registration form: good or bad?

When a user tries to register and the data he submits is not right, such as a bad email or a weak password, we would display the registration page to him again with the data he just submitted along with the error messages. My question is, should we…
datasn.io
6 votes, 2 answers

How can we protect signup APIs from brute force registration?

This is a general question, but it's prompted by a fairly open API I have for a file storage service that needs to have its front door better locked down. We have an API like POST '/signup' that just takes a username and password and creates a user.…
user
5 votes, 1 answer

Best practices for handling self-registration?

For example, with a bank's credit card activation/registration, the user is required to authenticate with a unique code that was mailed to their address. If they don't get that mailout with the code, they'd be SOL. With that in mind, we'd like to…
khangtt
5 votes, 4 answers

Do MFA QR registration codes/keys expire?

MFA recovery codes last forever until used. The TOTP codes expire as per the clock (e.g. 30 seconds). Does the initial QR code to register an MFA device last forever until disabled by an MFA reset? I'm imagining (expecting) that the key, like the…
schroeder