captcha or similar for account creation?

Chris Karlof ckarlof at mozilla.com
Fri Oct 18 09:29:15 PDT 2013


On Oct 17, 2013, at 5:24 PM, Monica Chew <mmc at mozilla.com> wrote:

> Having a verified email address at a big webmail provider provides some guarantee by proxy that a human is behind the address (or at least has figured out how to abuse the account creation system at the mail provider).
> 
> http://www.blackhatworld.com/blackhat-seo/seo-other/72970-youtube-gmail-hotmail-yahoo-accounts-highest-quality-lowest-price.html

This is a good point. We should always try to take advantage of the fraud and abuse work already done by big IdPs wherever possible.

-chris


> For unknown domains this question is harder. By the way, is Mozilla planning to provide email addresses?
> 
> Monica
> 
> ----- Original Message -----
>> 
>> On Oct 17, 2013, at 4:44 PM, Ryan Kelly <rfkelly at mozilla.com> wrote:
>> 
>>> 
>>> Hi All,
>>> 
>>> 
>>> The current Firefox Accounts API does not have any protections around
>>> account-creation - you submit an email address and password, click the
>>> verification link, and you're done.
>>> 
>>> Should we be looking to add a captcha or similar into this flow to
>>> limit signups to Real Humans Only?
>>> 
>> 
>> No CAPTCHAs. We're not going to push our problems on our users.
>> 
>> Which means we need a solution for our problems. So, yeah, I'd prefer some
>> rate limiting approach.
>> 
>> I'm not so strongly opposed to context-dependent CAPTCHAs or similar things,
>> e.g., a user has attempted 5 failed logins and the next one is going to
>> require some extra work.
>> 
>> -chris
>> 
>> 
>>> My instinct says no, as we've not had a good experience with captchas
>>> in the past - IIRC correctly there was a bug filed to disable them in
>>> the Sync account creation flow because they were more trouble than not.
>>> 
>>> The alternative is to do request-level rate limiting, which is already
>>> in the works and could easily be special-cased to add stronger limits on
>>> the account-creation API.
>>> 
>>> 
>>> Thoughts?
>>> 
>>> 
>>>   Ryan
>>> _______________________________________________
>>> Sync-dev mailing list
>>> Sync-dev at mozilla.org
>>> https://mail.mozilla.org/listinfo/sync-dev
>> 
>> 
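
The request-level rate limiting discussed in this thread, with a stronger limit special-cased for account creation and extra work required only after 5 failed logins, could be implemented as follows. This is an added example, not code from the thread or from Firefox Accounts; the route names, the limit values and the use of an IP address as the client key are assumptions.

```javascript
// Added example: request-level rate limiting with a stricter rule for account creation.
// Route names, limits and the client key (an IP here) are assumptions, not FxA values.
const LIMITS = new Map([
  ["default", { max: 60, windowMs: 60_000 }],
  ["/account/create", { max: 3, windowMs: 15 * 60_000 }], // special-cased, stronger limit
]);
const CHALLENGE_AFTER_FAILED_LOGINS = 5; // threshold mentioned in the thread

class RateLimiter {
  constructor(limits = LIMITS) {
    this.limits = limits;
    this.hits = new Map(); // "route|client" -> timestamps of accepted requests
    this.failedLogins = new Map(); // lower-cased email -> consecutive failures
  }

  // Sliding-window check: allow at most rule.max requests per rule.windowMs.
  check(route, clientKey, now = Date.now()) {
    const rule = this.limits.get(route) || this.limits.get("default");
    const key = `${route}|${clientKey}`;
    const recent = (this.hits.get(key) || []).filter((t) => now - t < rule.windowMs);
    let result = { allowed: true, retryAfterMs: 0 };
    if (recent.length >= rule.max) {
      // Rejected requests are not recorded, so retries do not extend the block.
      result = { allowed: false, retryAfterMs: rule.windowMs - (now - recent[0]) };
    } else {
      recent.push(now);
    }
    this.hits.set(key, recent);
    return result;
  }

  // Track consecutive failed logins; a successful login clears the counter.
  recordLogin(email, success) {
    const k = email.toLowerCase();
    if (success) this.failedLogins.delete(k);
    else this.failedLogins.set(k, (this.failedLogins.get(k) || 0) + 1);
  }

  // Context-dependent challenge: only accounts with repeated failures get extra work.
  needsChallenge(email) {
    const failures = this.failedLogins.get(email.toLowerCase()) || 0;
    return failures >= CHALLENGE_AFTER_FAILED_LOGINS;
  }
}
```

The in-memory maps grow without bound; a deployment behind several servers would keep these counters in a shared store with expiry.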


