Signing up with plus sign @gmail.com

What is the preferred way to prevent people signing up twice using known alias patterns like Gmail’s plus sign (for example signing up as my.name@gmail.com, then as my.name+alias1@gmail.com, then as my.name+alias2@gmail.com). I can of course detect this in my own API, but it would be nice if Auth0 could do this for me, avoiding duplicate user rows in the Auth0 database.

Aliases can be exploited, for example when it comes to free trial periods or user invitations/referrals/rewards for referrals (ref Feedback Opportunity: Enabling User Invitation)

I guess there is no way to detect that someUsername1@someDomain.com is an alias for someUsername2@someDomain.com. But at least Gmail’s plus sign aliases are easily detectable, and it can potentially fill up the app’s Auth0 quota if exploited.

Probably a pre-registration hook to check for a ‘+’ sign in the email address but, as you point out, this is only a partial solution. It is very difficult to build technical solutions to these types of user behaviour problems. Someone determined to abuse your free trial offerings will find a way to do so. It’s as simple as registering your own domain, giving you an infinite number of email addresses.

What you really need are enhanced verification services like drivers license photo upload and validation, selfies with liveness checks, biometrics, etc.
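One way to implement the pre-registration check suggested in the reply above, as an added example that is not part of the original thread and not Auth0’s own code. It canonicalizes an address into a dedup key (lowercase, strip the `+tag`, and for Gmail also drop dots and fold googlemail.com into gmail.com), compares that key against existing users, and wraps the decision in a handler shaped like an Auth0 Pre User Registration Action. The Action shape (`event.user.email`, `api.access.deny(reason, userMessage)`) is assumed from Auth0’s Actions documentation, the `lookupCanonical` function is hypothetical (your own store of canonical keys, which Auth0 does not index for you), and the list of existing users is constructed for the example.

```javascript
// Added example, not Auth0's code: collapse known e-mail alias patterns into a
// canonical key used ONLY for duplicate detection. The address the user typed
// is kept as-is so mail still reaches the alias they chose.

// Gmail ignores dots in the local part and everything after '+', and
// googlemail.com delivers to the same mailbox as gmail.com.
const GMAIL_DOMAINS = new Set(['gmail.com', 'googlemail.com']);

// Returns a canonical key, or null if the input is not a usable address.
// opts.stripPlusEverywhere (default true): treat '+tag' as an alias for every
// domain, not just Gmail. Many providers support plus addressing, so this is a
// policy choice; set it to false to be conservative for unknown domains.
function canonicalEmail(email, opts = {}) {
  if (typeof email !== 'string') return null;
  const stripPlus = opts.stripPlusEverywhere !== false;
  // Local parts are case-sensitive by RFC, but no major provider treats them
  // that way, and a dedup key should not either.
  const addr = email.trim().toLowerCase();
  const at = addr.lastIndexOf('@');
  if (at <= 0 || at === addr.length - 1) return null;
  let local = addr.slice(0, at);
  let domain = addr.slice(at + 1);
  const isGmail = GMAIL_DOMAINS.has(domain);
  if (isGmail) domain = 'gmail.com';
  if (isGmail || stripPlus) {
    const plus = local.indexOf('+');
    if (plus !== -1) local = local.slice(0, plus);
  }
  if (isGmail) local = local.replace(/\./g, '');
  if (local.length === 0) return null; // e.g. "+promo@gmail.com"
  return `${local}@${domain}`;
}

// Returns the already-registered address that shares a canonical key with
// `candidate`, or null if none does.
function findExistingAlias(candidate, existingEmails) {
  const key = canonicalEmail(candidate);
  if (key === null) return null;
  for (const existing of existingEmails) {
    if (canonicalEmail(existing) === key) return existing;
  }
  return null;
}

// Pure decision used by the handler below, easy to unit test.
function decideRegistration(email, existingEmails) {
  const match = findExistingAlias(email, existingEmails);
  if (match === null) return { allow: true };
  return { allow: false, reason: 'duplicate_alias', matchedExisting: match };
}

// Factory for an Auth0 Pre User Registration Action (shape assumed from the
// Actions docs). `lookupCanonical(key)` is a hypothetical async function you
// provide that returns true if a user with that canonical key already exists.
function makePreRegistrationHandler(lookupCanonical) {
  return async function onExecutePreUserRegistration(event, api) {
    const key = canonicalEmail(event.user.email);
    if (key !== null && (await lookupCanonical(key))) {
      api.access.deny('duplicate_alias',
        'An account already exists for this email address.');
    }
  };
}

// Constructed sample of users already in the directory.
const EXISTING_USERS = ['My.Name@gmail.com', 'alice@example.com'];

module.exports = { canonicalEmail, findExistingAlias, decideRegistration, makePreRegistrationHandler, EXISTING_USERS };
```

Store the canonical key alongside each user (for example in metadata) when they register, so the lookup is an indexed equality check rather than a scan. As the reply above notes, this only closes the obvious door: a registrant with their own domain still has unlimited distinct keys.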

Thanks, I will give it a try. And yes, I agree with what you wrote, but then again, the plus sign alias is something that a lot of Gmail users know about, even a lot of non-tech savvy people, and many have had an experience with getting multiple free trials at Netflix etc. So in my opinion, at least it is a wise thing to avoid having the door wide open.

Hey there @wab!

Thanks for pointing that out! Let me discuss it internally and get back to you as soon as I have any update on that!

I opened an internal engineering ticket. Will update you once I have more info!