captcha or similar for account creation?
ckarlof at mozilla.com
Fri Oct 18 09:29:15 PDT 2013
On Oct 17, 2013, at 5:24 PM, Monica Chew <mmc at mozilla.com> wrote:
> Having a verified email address at a big webmail provider provides some guarantee by proxy that a human is behind the address (or at least has figured out how to abuse the account creation system at the mail provider).
This is a good point. We should always try to take advantage of the fraud and abuse work already done by big IdPs wherever possible.
> For unknown domains this question is harder. By the way, is Mozilla planning to provide email addresses?
> ----- Original Message -----
>> On Oct 17, 2013, at 4:44 PM, Ryan Kelly <rfkelly at mozilla.com> wrote:
>>> Hi All,
>>> The current Firefox Accounts API does not have any protections around
>>> account-creation - you submit an email address and password, click the
>>> verification link, and you're done.
>>> Should we be looking to add a captcha or similar into this flow to
>>> limit signups to Real Humans Only?
>> No CAPTCHAs. We're not going to push our problems on our users.
>> Which means we need a solution for our problems. So, yeah, I'd prefer some
>> rate limiting approach.
>> I'm not so strongly opposed to context dependent CAPTCHAs or similar things,
>> e.g., a user has attempted 5 failed logins and the next one is going to
>> require some extra work.
>>> My instinct says no, as we've not had a good experience with captchas
>>> in the past - IIRC correctly there was a bug filed to disable them in
>>> the Sync account creation flow because they were more trouble than not.
>>> The alternative is to do request-level rate limiting, which is already
>>> in the works and could easily be special-cased to add stronger limits on
>>> the account-creation API.
>>> Sync-dev mailing list
>>> Sync-dev at mozilla.org
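An added sketch (not part of the thread and not Firefox Accounts code) of the two ideas discussed above: request-level rate limiting with a stricter limit special-cased for account creation, and a context-dependent challenge once a user has 5 failed logins. The route label, the limit values and the `Limiter` class are assumptions made for illustration.

```javascript
// Constructed limits for illustration; not values from the thread or the project.
const LIMITS = {
  'account-creation': { max: 3, windowMs: 60 * 60 * 1000 }, // hypothetical route label, stricter limit
  default: { max: 60, windowMs: 60 * 1000 },
};
const CHALLENGE_AFTER_FAILURES = 5; // the thread's "5 failed logins" example

class Limiter {
  // `now` is injectable so the behaviour can be tested with a fake clock.
  constructor(now = Date.now) {
    this.now = now;
    this.hits = new Map();     // "route|ip" -> timestamps of accepted requests
    this.failures = new Map(); // email -> consecutive failed logins
  }

  // Sliding-window check per (route, client IP). Denied requests are not
  // recorded, so a blocked client cannot extend its own lockout.
  check(route, ip) {
    const { max, windowMs } = LIMITS[route] || LIMITS.default;
    const key = `${route}|${ip}`;
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => t - ts < windowMs);
    const allowed = recent.length < max;
    if (allowed) recent.push(t);
    this.hits.set(key, recent);
    return { allowed, retryAfterMs: allowed ? 0 : recent[0] + windowMs - t };
  }

  // Track consecutive failures per account; a successful login resets the count.
  recordLogin(email, ok) {
    const k = email.toLowerCase();
    if (ok) this.failures.delete(k);
    else this.failures.set(k, (this.failures.get(k) || 0) + 1);
  }

  // Extra work (for example a CAPTCHA) is required only after repeated failures,
  // so ordinary users never see it.
  needsChallenge(email) {
    return (this.failures.get(email.toLowerCase()) || 0) >= CHALLENGE_AFTER_FAILURES;
  }
}
```

State is held in process memory here; with more than one server the counters would need a shared store.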