A flowchart explaining the implementation of secure registration using the combination of username, email, and mobile number.

Secure Registration Flow
February 24, 2019

This post explains the most common flow of secure registration using the combination of username, email, and mobile. The username can be combined with either email or mobile or both to confirm the account. The username can be omitted if required, following the flow with email or mobile alone, as long as one of these two is used to confirm the account. The steps involved in this flowchart are listed below. You can also follow our Secure Login Flow showing the registration process with the same combinations.

Input Fields

Username can be used to uniquely identify the user. The user must provide a unique name that follows the validation rules. The most common rule allows alphanumeric characters, optionally with underscores or dots.

Email is another field commonly used to uniquely identify the user. It can also be used to confirm the account by sending a link containing an account confirmation code.

Mobile number is emerging as the only field required to create an account in some modern applications. The user can fill in the other profile details after logging in. In applications where the mobile number is the only registration field, an OTP is the only way to confirm the account: a code is sent to the number, and the user must provide this code to confirm the account.

Form Process

The user is presented with a form whose fields depend on the application's needs. The user fills in the form and submits it to create the account. The form must be validated on the client side before it is submitted, to reduce the load on the server, and the user must be shown appropriate errors on validation failure.

The form data is sent to the server after client-side validation succeeds, and the server must validate it again without relying on the client-side result. The server must check all the fields and the uniqueness of Username, Email, and Mobile according to the application flow.

On successful validation of form fields, the account can be created and the appropriate verification flow should be followed to confirm user identity either via sending an Email or OTP or both.
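The server-side checks described in the three steps above, as an added example (not code from the original post): the username rule from the Input Fields section, basic email and mobile format checks, the requirement that at least one of email or mobile is present, and uniqueness against an existing-user store. The in-memory user list, the field names, the minimum password length and the exact regular expressions are assumptions made for this example.

```python
import re

# Constructed in-memory store standing in for the application's user table.
# Uniqueness is checked here; a real deployment also needs a unique index in
# the database so two concurrent registrations cannot both pass this check.
EXISTING_USERS = [
    {"username": "alice", "email": "alice@example.com", "mobile": "+15550100"},
]

# Assumed rules: username 3-32 chars of letters, digits, underscore or dot,
# starting with a letter or digit; simple shape checks for email and mobile.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._]{2,31}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MOBILE_RE = re.compile(r"^\+?[0-9]{8,15}$")
MIN_PASSWORD_LENGTH = 12   # assumed policy


def validate_registration(form, users=EXISTING_USERS, require_username=True):
    """Return a dict of field -> error message; an empty dict means valid.

    Every check runs on the server regardless of what client-side validation
    reported; the client-side checks only exist to give the user fast feedback.
    """
    errors = {}
    username = (form.get("username") or "").strip()
    email = (form.get("email") or "").strip().lower()
    mobile = (form.get("mobile") or "").strip().replace(" ", "").replace("-", "")
    password = form.get("password") or ""

    # Field-level validation.
    if require_username and not USERNAME_RE.fullmatch(username):
        errors["username"] = "3-32 characters: letters, digits, underscore or dot"
    if email and not EMAIL_RE.fullmatch(email):
        errors["email"] = "invalid email address"
    if mobile and not MOBILE_RE.fullmatch(mobile):
        errors["mobile"] = "invalid mobile number"
    if not email and not mobile:
        # One of the two is needed, because one of them confirms the account.
        errors["contact"] = "an email address or a mobile number is required"
    if len(password) < MIN_PASSWORD_LENGTH:
        errors["password"] = f"password must be at least {MIN_PASSWORD_LENGTH} characters"

    # Uniqueness checks; username and email are compared case-insensitively so
    # "Alice" cannot register alongside "alice".
    for user in users:
        if username and user["username"].lower() == username.lower():
            errors.setdefault("username", "username already taken")
        if email and user["email"].lower() == email:
            errors.setdefault("email", "email already registered")
        if mobile and user["mobile"] == mobile:
            errors.setdefault("mobile", "mobile number already registered")
    return errors
```

The account is created only when the returned dict is empty; the same function is what the client-side validation should mirror, never replace.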

Email Flow

The process must involve the email field, which is used both to uniquely identify the user and to confirm the account. The system must generate a link containing a confirmation code and send the user a welcome email with a greeting and the confirmation link. The user must click this link to confirm the account.

The password field must be used to log the user in securely. The developer must ensure that the plain password is not stored in the database. A strong encryption algorithm must be used to encrypt and store the password. The same algorithm can be used to decrypt the password to match it against the password provided by the user at login. An appropriate security framework with strong security features can be used to store the password, and the same framework must be used to authenticate the user at login. Almost all modern programming frameworks provide built-in security features.

OTP Flow

OTP is becoming more common nowadays. The user must provide a valid mobile number when filling in the registration form, and it can be used to uniquely identify the user.

An OTP is sent after the account is created, and the user must enter that OTP to confirm the account. In this flow email is optional, though the system can also send the same OTP to the email address the user provided, depending on the application flow.
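Issuing and checking the confirmation code for both the Email Flow (a long random token placed in the link) and the OTP Flow (a short numeric code sent by SMS), as an added example that is not part of the original post. Both flows share one verification routine: only a hash of the code is stored, the code expires, it is accepted once, and a short OTP gets a small attempt limit so it cannot be guessed by trying all one million values. The in-memory pending-confirmation store, the confirmation URL, the lifetimes and the attempt limit are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed in-memory store of pending confirmations keyed by user id.
# Only a hash of the code is kept, so a leaked table cannot be replayed.
PENDING = {}

EMAIL_TOKEN_TTL = 24 * 3600      # assumed: link valid for one day
OTP_TTL = 10 * 60                # assumed: OTP valid for ten minutes
MAX_ATTEMPTS = 5                 # assumed: wrong guesses allowed per OTP


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def issue_email_link(user_id, base_url="https://app.example/confirm", now=None):
    """Create a 256-bit random token and return the link to put in the email.

    The user id in the link is only a lookup key; the token is the secret.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING[user_id] = {"hash": _digest(token), "expires": now + EMAIL_TOKEN_TTL, "attempts": 0}
    return f"{base_url}?uid={user_id}&code={token}"


def parse_confirmation_link(url):
    """Extract (user_id, code) from a link built by issue_email_link."""
    query = parse_qs(urlparse(url).query)
    return query["uid"][0], query["code"][0]


def issue_otp(user_id, now=None):
    """Create a 6-digit OTP to send by SMS (and optionally to the email)."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10 ** 6):06d}"   # fixed width, leading zeros kept
    PENDING[user_id] = {"hash": _digest(otp), "expires": now + OTP_TTL, "attempts": 0}
    return otp


def confirm(user_id, code, now=None) -> bool:
    """Accept a code from either flow: time-limited, attempt-limited, single use."""
    now = time.time() if now is None else now
    entry = PENDING.get(user_id)
    if entry is None or now > entry["expires"]:
        PENDING.pop(user_id, None)       # expired codes are discarded
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        PENDING.pop(user_id, None)       # too many guesses: a fresh code must be issued
        return False
    if not hmac.compare_digest(entry["hash"], _digest(code)):
        return False
    del PENDING[user_id]                 # single use: the link or OTP cannot be replayed
    return True
```

The attempt limit matters only for the OTP, since a 256-bit token cannot be guessed, but applying it to both keeps one code path; when the limit is hit the user simply requests a new code.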

All Comments

By - Muzaffar bin Mohamed March 19, 2019
No client-side validation please. An attacker can easily bypass it by disabling JavaScript. Everything needs to be done on the server side; trust nothing from the client side.
