Test User Registration Process (OTG-IDENT-002)

Summary
Some websites offer a user registration process that provisions a person with access. The identity requirements for access vary from positive identification to none at all.

Test objectives
Verify the identity requirements for user registration align with business/security requirements

Validate the registration process

How to test

 * 1) Verify the identity requirements for user registration align with business/security requirements
 * 2) Can anyone register for access?
 * 3) Are registrations vetted by a human prior to provisioning, or are they automatically granted if the criteria are met?
 * 4) Can the same person/identity register multiple times?
 * 5) What proof of identity is required for a registration to be successful?
 * 6) Are registered identities verified?


 * 1) Validate the registration process

Example
In the Wordpress example below, the only identification requirement is an email address that is accessible to the registrant.

In contrast, the Google example below, the identification requirements include name, DOB, country, mobile phone number, email address and CAPTCHA response. While only two of these can be verified (email address and mobile number), the identification requirements are stricter than Wordpress.

Remediation
Implement identification and verification requirements that correspond to the security requirements of the information the credentials protect.