authn-server

prevent use of throwaway email addresses

Open egorsmkv opened this issue 8 years ago • 4 comments

Hello @cainlevy! Thanks for a great project 👍

It is a real-world problem when people use temporary email services (e.g. getnada.com) for creating accounts.

I propose adding a new configuration option, EMAIL_USERNAME_DISPOSABLE_DOMAINS, like the EMAIL_USERNAME_DOMAINS option, to prevent this behaviour.

egorsmkv, Nov 09 '17 01:11

Thanks for this idea! I need to consider this a bit more and decide whether this problem is a concern of the email address as a unique identifier (AuthN's problem), or a concern of the email address as a method of contact (host app's problem).

Meanwhile, my recommendation would be similar to the email verification guide:

  • Create accounts and users as normal
  • Compare a user's email against some list of disposable domains
  • If the email appears disposable, automatically lock the user's account and sign them out

cainlevy, Nov 09 '17 02:11
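
One way a host application could implement the check recommended above, covering both disposable domains and the sub-addressing case raised later in the thread (an added example, not code from AuthN or from the thread participants). The blocklist entry `throwaway.example`, the action names, the fail-closed handling of malformed input, and the `lock_account` callback are assumptions of this example.

```python
# Added example: host-app check run after AuthN has created the account.
# Constructed sample list; a real deployment would load a maintained blocklist.
DISPOSABLE_DOMAINS = frozenset({"getnada.com", "throwaway.example"})


def split_email(email):
    """Return (local, domain) lower-cased, or None if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    # Case and a trailing dot do not change where the mail is delivered.
    return local.lower(), domain.lower().rstrip(".")


def is_disposable(domain, blocklist=DISPOSABLE_DOMAINS):
    """Match the domain and each parent domain, but never a bare TLD."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def review_signup(email, blocklist=DISPOSABLE_DOMAINS):
    """Return (action, reason) where action is 'lock', 'verify' or 'allow'."""
    parts = split_email(email)
    if parts is None:
        # Assumption of this example: fail closed on input that cannot be parsed.
        return "lock", "malformed address"
    local, domain = parts
    if is_disposable(domain, blocklist):
        return "lock", "disposable domain " + domain
    if "+" in local:
        # Sub-addressing is not a throwaway by itself; route it to verification.
        alias_of = local.split("+", 1)[0] + "@" + domain
        return "verify", "sub-addressed alias of " + alias_of
    return "allow", "no match"


def enforce(account_id, email, lock_account):
    """lock_account: hypothetical host-app callback that locks and signs out."""
    action, reason = review_signup(email)
    if action == "lock":
        lock_account(account_id)
    return action, reason
```
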

Could you say a bit more about how disposable accounts impact your application? What is the difference between someone signing up with a temporary email provider and someone signing up with sub-addressing?

cainlevy, Nov 09 '17 05:11

You are right that sub-addressing accounts are similar to temporary email accounts. Also, that is a bottleneck in the application. I think that you need to add an option to disable sub-addressing email accounts at the registration step.

About the impact. Spammers use temporary services for registering accounts in the application. The disposable option is the opportunity to prevent that case.

egorsmkv, Nov 09 '17 13:11

Okay, here's the goal:

Create one single new config variable. When enabled, AuthN will:

This should allow the host application to implement and rely on email verification to ensure that user accounts are not throwaways.

cainlevy, Nov 12 '17 00:11