# User Registration with Unique identifiers
My suggestion involves some minor tweaks to how a user registers with our system. I hope the business is flexible enough to hear us out, especially since the current design could pose a security threat to our system.
## Email vs Username vs Phone Numbers
As implied by our business team, the user should register using a **username** which must be **unique**.
#### **My Suggestion:** use emails or phone numbers for registration instead. Here's why:
1. Emails and phone numbers are unique by nature, so users won't have to think of a new custom "username" for our system.
2. Most users are already familiar with the process of registering using an email.
3. Most users have little to no difficulty remembering their own email and phone number.
#### **My Approach:** (Using an Email for simplicity)
1. We will split the registration phase into two steps. The first is registering with *a valid* email and a complex password.
2. Next, we validate that the address is well formed and check whether it already exists in our system.
3. **We will not inform the user whether that email was registered before or not, just a generic message like:**
   - "We have received your request. If this email was not registered before, we will send you a verification mail; kindly tap the link provided in that email to continue registration."
   - That way, a hacker **would never know** whether that email was registered before or not.
4. Once the user completes registration, we can complete their profile by allowing them to choose a **username** (we could auto-generate one for them), and later on in the process we might allow the user to log in with **either their username or email**.
   - If we have a case where the user tries to spam our system (after registering) to find out whether a username is taken, we already know who is spamming us (from their JWT, for example) and we can block them (without any kind of custom IP rate limiting).
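The two-step flow above, as an added example that is not part of the original proposal. It uses an in-memory store and a list standing in for the mailer (both constructed for the example); the email regex, the PBKDF2 parameters and the `example.invalid` verification link are assumptions. The points it demonstrates: the response text is identical whether or not the address is already registered, the password hash is computed in both branches so response timing does not reveal which branch ran, the verification token is single-use, and the username check only happens for an already-authenticated account.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Same response for a new and an already-registered email, so the reply
# leaks nothing about which addresses exist.
GENERIC_RESPONSE = (
    "We have received your request. If this email was not registered before, "
    "we will send you a verification mail; tap the link in that email to continue."
)

# Syntax check only; whether the mailbox exists is learned by the verification mail (assumption).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PBKDF2_ROUNDS = 200_000  # assumed work factor


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes
    username: Optional[str] = None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Registrar:
    def __init__(self) -> None:
        self.users: dict = {}    # email -> User (constructed in-memory store)
        self.pending: dict = {}  # verification token -> not-yet-confirmed User
        self.outbox: list = []   # (recipient, verification link); stand-in for a mailer

    def request_registration(self, email: str, password: str) -> str:
        """Step 1 + 2: accept an address and a password, reply with the generic message."""
        email = email.strip().lower()
        if not EMAIL_RE.match(email):
            # A malformed address is a validation error, not an enumeration signal:
            # every syntactically invalid string is rejected the same way.
            raise ValueError("invalid email address")
        salt = secrets.token_bytes(16)
        # Hash in both branches so the slow step runs whether or not the email is known.
        candidate = User(email=email, salt=salt, password_hash=hash_password(password, salt))
        if email not in self.users:
            token = secrets.token_urlsafe(32)
            self.pending[token] = candidate
            self.outbox.append((email, f"https://example.invalid/verify?token={token}"))
        # Already registered: send nothing, say the same thing.
        return GENERIC_RESPONSE

    def complete_registration(self, token: str) -> Optional[User]:
        """Step 3: the link from the mail is tapped; the token is consumed on first use."""
        user = self.pending.pop(token, None)
        if user is None or user.email in self.users:
            return None
        self.users[user.email] = user
        return user

    def choose_username(self, user: User, username: str) -> bool:
        """Step 4: only a confirmed account reaches this, so repeated probing is attributable to it."""
        if any(u.username == username for u in self.users.values()):
            return False
        user.username = username
        return True
```

In a real deployment the `pending` map needs an expiry and the mail is sent asynchronously, so that a mail provider outage cannot reintroduce a timing difference between the two branches.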
#### Another approach:
Another approach would be to use a phone number for registration, which is pretty much the same as using an email, except that verifying that a phone number is valid might be a little costlier, since we have to send an **SMS** with an OTP to make sure the phone number is correct.
#### One more little tweak:
There is no need to even require the user to pick "a complex" password: both the registration and login processes would work perfectly fine using **just an OTP** sent to the email, making it easier for users since they **won't have to remember either a username or a password**.
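The OTP-only login described above, as an added example that is not part of the original proposal. The set of known emails, the outbox list and the injectable clock are constructed for the example; the code length, five-minute lifetime, attempt limit and server-side key are assumptions. Beyond the basic exchange, it shows the properties a code-by-email login needs in practice: the "code sent" reply is the same for unknown addresses (so login cannot be used for enumeration either), the stored value is an HMAC of the code under a server key rather than the code itself, codes expire, are single-use, and are discarded after too many wrong guesses.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6           # assumed code length
OTP_TTL_SECONDS = 300    # assumed lifetime
MAX_ATTEMPTS = 5         # assumed guess budget per issued code
# A 6-digit code is trivially brute-forced offline if its plain hash leaks, so the
# stored value is keyed with a server-side secret. Here generated at import (assumption);
# in a deployment it comes from configuration.
SERVER_KEY = secrets.token_bytes(32)

GENERIC_RESPONSE = "If this email is registered, a one-time code has been sent to it."


@dataclass
class PendingOtp:
    digest: bytes
    expires_at: float
    attempts_left: int


class OtpLogin:
    def __init__(self, known_emails, clock=time.time) -> None:
        self.known = {e.strip().lower() for e in known_emails}  # constructed user set
        self.pending: dict = {}   # email -> PendingOtp
        self.outbox: list = []    # (recipient, code); stand-in for the mailer
        self.clock = clock        # injectable so expiry can be tested

    @staticmethod
    def _digest(email: str, code: str) -> bytes:
        return hmac.new(SERVER_KEY, f"{email}:{code}".encode(), hashlib.sha256).digest()

    def request_code(self, email: str) -> str:
        """Issue a fresh code only for known accounts; reply identically either way."""
        email = email.strip().lower()
        if email in self.known:
            code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
            self.pending[email] = PendingOtp(
                digest=self._digest(email, code),
                expires_at=self.clock() + OTP_TTL_SECONDS,
                attempts_left=MAX_ATTEMPTS,
            )
            self.outbox.append((email, code))
        return GENERIC_RESPONSE

    def verify(self, email: str, code: str) -> bool:
        """Return True on a correct, unexpired, not-yet-used code; burn the entry when done."""
        email = email.strip().lower()
        entry = self.pending.get(email)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self.pending[email]
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.digest, self._digest(email, code))
        if ok or entry.attempts_left <= 0:
            # Single use on success; discard after the guess budget is spent.
            del self.pending[email]
        return ok
```

A successful `verify` is where the session (JWT or cookie) would be issued; the outbox is read here only so the test can see the code a mail would carry.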