
Emailed Captcha for Website Registration

So I'm trying to create the registration form for a website (built from scratch). I plan to implement a system that will email the security code (captcha text) to the user instead of generating a captcha text they have to guess. They need to open their email to get the code to continue registration. Is this actually secure, or can this be easily circumvented? And is this more of a hassle to a user, thus discouraging registration? This is inspired by account validation (after registration) via emailing the user a code.

The catch is the user will have to open their email twice, before registration and after (for account validation).

[Attachment: email_captcha.png]


I think this is a case of overthinking the implementation of an idea.

Can you answer a question: what benefit does emailing a captcha have over just emailing a security code?

Captcha exists to prevent robots from spamming login attempts, 2FA exists to stop unauthorised access to personal data, trying to mash the 2 together creates additional complexity without really solving any additional problems. In general customers will accept inconvenience if there's a benefit to it for them, I just don't see what benefit this idea brings to anybody.


You should also ask yourself if an email address is really required or has to be required.

Maybe you could just generate an 8+ digit / letter "PIN" code and tell the user to write that code down somewhere safe, as it will be requested each time significant changes to the account are made (instead of emailing the user). Associate that PIN code with the account number or username and you're good to go.

If you're in Europe and ask for personal information like email address, first name, last name, you may get into issues with GDPR and collection of personal data. You could simply say "how should we call / address you?" instead of First name and Last name, and they could be comfortable entering anything there, a nickname or whatever.

Forcing a minimum of 8 characters for a username kinda sucks... Mr.X would be a perfectly legitimate username, as is my username on other forums, "mariush" (7 letters). Hopefully that's 8-32 characters and not 8-32 bytes, because we're getting into diacritics and other languages like Japanese where 2+ bytes are used per character... for example 山田太郎 takes 12 bytes to store.

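Both the emailed code in the original post and the write-it-down PIN suggested above come down to the same server-side primitive: issue a random one-time code, store only a keyed hash of it, and verify with an expiry, an attempt limit and a constant-time compare. The following is an added example written for this thread, not code from the poster's site; `SERVER_KEY`, the code length, TTL and attempt limit are constructed values.

```python
import hmac
import secrets
import string
import time

# Constructed settings for this example; in a real deployment the key comes
# from server configuration, not the source file, and is never stored with the codes.
SERVER_KEY = b"example-only-server-secret-key"
CODE_ALPHABET = string.ascii_uppercase + string.digits  # no lowercase: easier to retype from an email
CODE_LENGTH = 8
CODE_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5


def _tag(code):
    # Keyed hash: a leaked table of records cannot be brute-forced without SERVER_KEY.
    return hmac.new(SERVER_KEY, code.encode("utf-8"), "sha256").digest()


def issue_code(now=None):
    """Create a one-time code. Returns (code_to_send_to_user, record_to_store).

    Only the keyed hash is stored; the plaintext is emailed (the OP's flow) or
    shown once for the user to write down (the PIN suggestion).
    """
    now = time.time() if now is None else now
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
    record = {"tag": _tag(code), "expires_at": now + CODE_TTL_SECONDS,
              "attempts_left": MAX_ATTEMPTS}
    return code, record


def verify_code(submitted, record, now=None):
    """Check a submitted code. Succeeds at most once; the attempt limit and TTL
    keep online guessing of the 36**8 space impractical."""
    now = time.time() if now is None else now
    if record["attempts_left"] <= 0 or now > record["expires_at"]:
        return False
    record["attempts_left"] -= 1
    # Tolerate how people retype codes from an email: stray spaces and lowercase.
    candidate = _tag(submitted.strip().upper())
    if not hmac.compare_digest(candidate, record["tag"]):  # constant-time compare
        return False
    record["attempts_left"] = 0  # consumed: a reused or replayed code fails
    return True
```

The record would live in the pending-registration row keyed by the email address (or, for the PIN variant, by the account), so the plaintext never touches the database.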
