Daan Pape

Reputation: 1140

Secure account registration

I'm writing a web application and security is very important to me. When writing the 'forgot password' function I have taken the following advice into account:

But this got me thinking. The website requires the user's email address to be unique. Therefore the registration form notifies the user when the email already exists.

This means my attempts not to leak account-existence information to an attacker in the 'password recovery' part are useless, because I leak the same information in the registration part of the site.

I have been looking at ways to prevent this and at best practices around it, but not much has been written about it.

I have also noticed the same issue in the Stackoverflow account system. Stackoverflow does not leak this information in the 'forgot password' function, but it does leak account-existence information in the registration process.

Can anyone point me in the right direction on this one?

Kind regards, Daan


Update

A few minutes after typing this I had the following idea on how not to leak information to an attacker:

What do you think?

Upvotes: 1

Views: 286

Answers (2)

Tich

Reputation: 83

There is always the possibility of moving to login names for logging in. You don't really need your email address to be unique unless it is the sole method of logging in.

The answer here would just be more obfuscation if you realistically want to be more secure. What you could have:

  • Login name (the actual unique identifier to login to your web application, has to be unique)
  • Display name (the name visible to other users, does not have to be unique)

This could make guessing login names more difficult, and it would be slightly more secure. Email addresses would not necessarily need to be unique. But then the user must always keep track of the login name they signed up with. This process could ostensibly hide this information from attackers, since both login and password recovery would ask for the username only.

I don't think this problem has a great answer. As Joachim pointed out, you are always prone to leaking when you require the email to be unique, since the check has to be done upon registration. Password recovery can be managed simply by always giving the message "Instructions have been sent to the email you provided", whether or not the email exists in your database; failure or success would be handled internally but never shown. The best way to make timing attacks impossible is to defer the whole sending process so that it runs asynchronously from your HTTP response.

So the options are either to move to a login-name system (with the same security holes, ostensibly) or to accept that with unique email addresses you will leak during the registration process.

There might not be a best answer here. Part of security is getting users to be clever, and signing up with an email address that is not really public tends to help. But if an attacker has access to their sign-up email, things are out of your control, and there is not much you can do (unless you have two-step auth with SMS or something).

Upvotes: 0
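The recovery flow described in the answer above (one fixed message for every address, with the lookup and the mail delivery moved off the request path into a worker), as an added example that is not code from the original question or either answer. The user store, the outbox queue, the `example.invalid` reset URL and the 15-minute token lifetime are constructed assumptions; a real deployment would replace the in-memory queue with a task queue and the dicts with a database.

```python
import hashlib
import hmac
import queue
import secrets
import time
from typing import Optional

# Constructed sample user store (email -> display name); stands in for a database.
USERS = {"alice@example.com": "Alice"}

# Reset tokens are stored by SHA-256 hash, so a leaked table does not yield usable tokens.
RESET_TOKENS = {}                 # token_hash -> (email, expires_at)
TOKEN_TTL_SECONDS = 15 * 60       # assumed lifetime

# Outbox of mail jobs. In production this would be a task queue (Celery, RQ, ...),
# here it is a plain queue so the example runs offline.
OUTBOX = queue.Queue()
SENT = []                         # (email, reset_link) actually delivered by the worker

GENERIC_MESSAGE = "Instructions have been sent to the email you provided."


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_password_reset(email: str) -> str:
    """Request-path handler: identical response and identical request-side work
    for registered and unregistered addresses. It never touches USERS itself."""
    OUTBOX.put(("reset", email.strip().lower()))
    return GENERIC_MESSAGE


def _process_reset_job(email: str) -> None:
    """Worker side: the only place the existence check happens."""
    if email not in USERS:
        return  # dropped silently; nothing reaches the client
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash_token(token)] = (email, time.time() + TOKEN_TTL_SECONDS)
    SENT.append((email, "https://example.invalid/reset?token=" + token))


def mail_worker(jobs: int) -> None:
    """Drain `jobs` entries from the outbox; run this in a background thread or process."""
    for _ in range(jobs):
        kind, email = OUTBOX.get()
        if kind == "reset":
            _process_reset_job(email)
        OUTBOX.task_done()


def redeem_reset_token(token: str) -> Optional[str]:
    """Return the email a valid, unexpired token belongs to (single use), else None.
    The token is compared through its hash; the length check plus compare_digest
    keeps the comparison of the submitted token constant-time."""
    digest = _hash_token(token)
    for stored_hash in list(RESET_TOKENS):
        if hmac.compare_digest(stored_hash, digest):
            email, expires_at = RESET_TOKENS.pop(stored_hash)
            return email if expires_at > time.time() else None
    return None


if __name__ == "__main__":
    print(request_password_reset("alice@example.com"))
    print(request_password_reset("nobody@example.com"))   # same text either way
    mail_worker(2)
    print(SENT)                                            # only alice's mail exists
```

Because the handler only enqueues a job, its response time does not depend on whether the address is registered; the difference in work is paid by the worker, which the client cannot observe. The same shape fits the registration side if you prefer not to reveal existence there either: enqueue one job per submitted address and let the worker send either a verification link or an "you already have an account" notice.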

Joachim

Reputation: 21

If you do password recovery, always send an alert that the email has been sent when the email is legit, but only send it when it is in your database. In the registration part it's required to say whether the e-mail exists in the database, so leakage is possible, but for people to guess e-mail addresses without knowing them they need to brute-force it, which can be avoided by limiting the number of posts users can make to prevent spamming.

Upvotes: 2
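The rate limit this answer proposes for the registration form, as an added example that is not code from the original answer: a per-source sliding-window limiter that caps registration attempts before the email-existence check runs. The limit of 5 attempts per 10 minutes, the sample addresses and the in-memory `REGISTERED` set are constructed assumptions; the clock is passed in explicitly so the behaviour is deterministic.

```python
import time
from collections import defaultdict, deque
from typing import Optional


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any trailing `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)   # key -> timestamps of recent events

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._events[key]
        # Drop events that have aged out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False               # over budget; do not record the rejected attempt
        q.append(now)
        return True


# Constructed sample data: one existing account.
REGISTERED = {"alice@example.com"}

# Assumed policy: 5 registration attempts per source address per 10 minutes.
REGISTRATION_LIMITER = SlidingWindowLimiter(limit=5, window=600)


def register(source_ip: str, email: str, now: float) -> str:
    """Registration handler. The limiter runs before the existence check, so a
    throttled client learns nothing about the address it submitted."""
    if not REGISTRATION_LIMITER.allow(source_ip, now):
        return "rate_limited"
    email = email.strip().lower()
    if email in REGISTERED:
        return "exists"                # the unavoidable leak, now capped per source
    REGISTERED.add(email)
    return "created"


if __name__ == "__main__":
    ip = "203.0.113.5"
    for i in range(7):
        print(i, register(ip, "probe%d@example.com" % i, now=float(i)))
```

Keying on the client address is the simplest choice and is enough to stop a single host from enumerating addresses quickly, but an attacker with many source addresses gets a fresh budget per address, so in practice this is combined with other per-form controls (a CAPTCHA after a few failures, or a global cap on "exists" replies per time window).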
