Email verification flow in the face of fake email sign-ups

Hi, we have an email verification flow for user sign-ups. I noticed that if a user signs up with a fake email (not his email) Auth0 stores this unverified account in the user database, and then the real user who owns this email will not be able to sign up, but will receive “WE’RE SORRY, SOMETHING WENT WRONG WHEN ATTEMPTING TO SIGN UP.”

This behaviour is an anomaly, as one of the reasons we want people to verify their email is that an attacker won’t be able to block many other users from signing up. Also, the legitimate user will not understand what is wrong, will see it as a bug in our system, and probably will pass on signing up altogether.

I wonder what is the correct flow for this scenario? how are the big companies cope with it? what is the recommended way to tackle this?


Hi, can someone from the Auth0 team address this issue?