How to respond to duplicate e-mail address during registration - security

I have a registration form in my website. I don't want to give away information about the existence of an e-mail address for security reasons. How should we, security wise, handle the "e-mail already exist" scenario without giving this information away?

Theoretically, its impossible, think about the email as the user name, you will inform the user that the user name is already reserved or taken, the same applies for the email address.
You can let the user enter his email twice by typing to ensure that he didn't enter other email by mistake, how ever, if the user entered his email wrongly twice, then, its his problem!
On the other hand, you won't send the confirmation email for already confirmed users, also for emails that are not stored at your side, you need to put this message in your confirmation emails:
If you are not {First Name + Last Name} then please ignore this email or something similar.
I hope this will help.

You could make it so the user can create an account / sign in with openid/google/facebook/yahoo. That way those sites hand the auth and if they can log in successfully through those you can collect any additional information you need.
You could alternatively have them create an account by first only providing an email. You would email the user with a link where they could continue the registration process if they don't already have an account. If an account is already created you can send an email saying something like: a request was made to create an account using this email address, but an account already exists. If this wasn't you then....

Related

Parse-server/Heroku email account verification not working

I am trying to implement the email verification system on Parse-Server (/Heroku), when a user account is created; so that the user can confirm his/her account creation.
Things are working well for those matters:
I can create a working account.
The user receives the verification email that is expected.
The problem is this:
When the user clicks on the link inside the verification email. This is what appears in the browser:
{"error":"unauthorized"}
Has anyone seen a similar issue and knows how to solve it?

JHipster Social Login - make email a mandatory field

I just setup the basic JHipster application and set in the FB client ID and secret. However, when I try to login by not sharing the email - I see that it gets redirected to my app with a success. I can handle the no email exception on application.
Instead , I wanted FB to make sure that my email was a mandatory field. How do I do that?
You can't force Facebook to return an email address for a user. It may also be null on their end (if the user signed up with a phone number). You will have to handle it in your application. This is the same case with Twitter - they simply don't provide the user's email.
Note, even if you request the email permission it is not guaranteed you will get an email address. For example, if someone signed up for Facebook with a phone number instead of an email address, the email field may be empty.
https://developers.facebook.com/docs/facebook-login/permissions/
Like you mentioned, you need to handle it in your application. You could catch the fact the email is null and prompt the user to enter an email.

Email ID for the same email changes?

I'm facing an issue lately that the id of an email changes.
I have an application that search the mail box on an hourly basis and I store the email id in order to prevent processing of the same email twice (the scans overlap hence I see the same emails more than once).
Any idea what can cause this change?
I understand you mean Google's ID which is returned by the API like with this example code; https://developers.google.com/gmail/api/v1/reference/users/messages/list#try-it
That ID of a message doesn't change by itself.
If one moves the email out of the account, and back in (via IMAP), then it would get a new ID.
Also, if you check the same email but in a different Gmail account, the ID will be different. the ID is unique only per account.
Perhaps it is useful for you to use the message-id? The message-id uniquely identifies any email, this ID is in the email header generated by the sending server and does not change. You can search for it in Gmail with rfc822msgid:
Hope this answers your question, but also let us know if not. ^^

what is the best practice for forgot password process?

I am currently developing a c# web application that allows users to login with a password. A feature that I need to include is a forgot password function.
What is the recommended process for forgot password?
I was considering this:
User clicks forgot password, enter email address
Email sent
Click on link in email (link only valid once and within time period)
Taken to the site and asked to enter new password (should they also give answer to security question?)
Password changed, email sent to user of such
User now can log in with new password
Your idea looks solid, but I would add some other considerations:
Be sure that the token you are generating in the email using is using a the .Net Framework crypto classes designed for randomization, not something that seems random but is not designed for that purpose.
Take no action on the account from the sending of the reset email (otherwise people will be able to lock other people's accounts if they know their email)
Add a rate limiter on how many resets per hour can be generated for a given email. Otherwise somebody could DOS a user by: (a) using x bad passwords to lock the account and then (b) generating reset emails for them faster than the email system can deliver.
Where possible defer to other systems such as OpenID. It's easy to get things wrong when you roll your own.
We have two ways to retrieve the forgot password:
1. Through registered email id
2. Through registered mobile number
Registered Email id:
a. Ask the user to provide the registered email id
b. The system checks the provided email id is available in the DB or not
c. If Email ID is there in the DB then system send the Email to reset the password but if Email id is not there in the DB then system show the alert messaged.
d. The user must provide strong password while resetting the forgot password.
e. Password reset successfully and is also change in the DB with respect to the Email ID.
Registered Mobile number:
The process is almost same as the email but in this case, OTP will be sent over the registered mobile number.
We need to integrate the 3rd part SDK for this or we can use the imessage in IOS.

Requiring unique email addresses while protecting the privacy of your users?

I setup my website to require unique email addresses (no two users can have the same email address), but I realized that this could allow someone to check if a person is registered on my website by attempting to signup with that email. Granted that this person would have to know the email address they wanted to try, but it could be useful information for some people (e.g. competitors who wanted to see if their users are registered on my website).
Is there any real way to stop this, or does this just have to be accepted as a possibility?
Edit: just to be clear, this is about creating an account. Even you provide a generic "invalid login" for bad logins, how would you require a unique email address or username without disclosing which usernames or email addresses are valid?
Additional, much later edit: One thing that wasn't considered here was maintaining the requirement for unique email addresses when you let users change their email address after account creation. Here, the solution I accepted of sending a "forgot password" email doesn't work nearly as well. Instead, it seems that the only options are to use captchas or limitations on the number of times an email address can be changed in a certain period of time to limit automated attempts.
If someone tries to sign up with an existing account — send a "Change your password" email instead of a "New account" email (and explain why).
Leave the HTTP response as a simple "A confirmation email has been sent to the address you specified. Follow the instructions in it to continue".
I suppose the issue is if someone forgets their password, you would ask them to enter their email address and you would send the password there if a match was found?
For that you can have users supply a question/answer challenge when they register their email address. Its a bigger pain for your users but if security is a concern then they may go for it.
Another possibility is your registration form. In this case users can enter an email address to see if its already "taken".
To address your concern you should just happily accept all registrations and send a confirmation email, even if they are already registered. That way the user doesn't know if they just registered the email address for the first time or not.
Finally, if an incorrect username/password is given, don't tell the user which is bad.
I don't think it's a terrible security risk unless membership to the site is sensitive, in which case you can use some of the patterns described.
Yes, that can happen and you cannot really do anything about it except limiting the number of checks/registration attempts in time. That will at least prevent automated checks by your competitor. Of course, if some guy decides to check if his girlfriend is registered there, then he will have that possibility.
Just a thought, not sure if it would work, but why not do something like the login page, where instead of saying "your password is wrong" it says "your username or password was wrong". Maybe just state "your email address is invalid". It's probably a bit of usability error, but if you are concerned about people doing as you say, then you might have to live with it.

Resources