Collaborate Disseminate
After successful user registration, the session is created via session cookie and the account is marked as unverified.
A universally unique 128 long random string is created using node’s crypto (see below). The length effectively makes br… Continue reading Please review my (basic) approach to user email verification [closed]
Why would someone sign my email up for this site? And what is it?…. I’m a little concerned.
Continue reading Someone signed my email up for this website [closed]
I am designing a new login/register process for a system and want to combine the 2 initial pages for register and login.
This would be one page where the user would enter their email and press ‘Continue’. We would then check if the email i… Continue reading Is there a problem with having a combined login/register screen?
Through reading the WebAuthn spec and related MDN docs, I understand that unlike "certificate signing requests", FIDO/Passkey can have various different attestation formats and verification methods/algorithms during public-key cr… Continue reading Will sky fall if I don’t verify `AuthenticatorAttestationResponse`?
Is + in email addresses a security vulnerability for authentication algorithms? How can it be used in a malicious way? Should we forbid emails with + signs during registration?
For example we have 2 accounts that correspond to 2 different … Continue reading Is a + on an email address a security vulnerability for a registration process?
Many websites and/or web apps require you to validate the e-mail address after registration.
Why don’t we first validate the email address and then continue with the registration? Is there something wrong with a person first providing thei… Continue reading Is there a reason we don’t first validate the email address before continuing with the registration?
For a number of years now, it’s been impossible for me to register an account anywhere.
Even if my cookies and other browser data is cleared. Even if I switch user-agents. Even if I try countless different non-Tor, paid proxies. No matter … Continue reading What has happened that makes it impossible to register an account anywhere? [closed]
One of the raised issues for a Web API is that for an e-mail based authentication (e-mail and password) the Register user method returns something like "the registration e-mail has been sent" regardless of the e-mail being used o… Continue reading Is it possible to avoid exposing the fact that an e-mail address is used by a web application (API) while still ensuring a decent UX?
MFA recovery codes last forever until used. The TOTP codes expire as per the clock (e.g. 30 seconds).
Does the initial QR code to register a MFA device last forever until disabled by a MFA reset?
I’m imagining (expecting) that the key, lik… Continue reading Do MFA QR registration codes/keys expire?
In my HTTPS client-server application, the registration sequence must begin with the server receiving personal information but end without a way to connect it to the newly registered client. This is necessary for legal reasons. Specific re… Continue reading How to replace an identifier with a pseudonym? [closed]