Some websites offer a user registration process that automates (or semi-automates) the provisioning of system access to users. The identity requirements for access vary from positive identification to none at all, depending on the security requirements of the system. Many public applications completely automate the registration and provisioning process because the size of the user base makes it impossible to manage manually. However, many corporate applications will provision users manually, so this test case may not apply.
Verify that the identity requirements for user registration are aligned with business and security requirements:
Validate the registration process:
In the WordPress example below, the only identification requirement is an email address that is accessible to the registrant.
In contrast, in the Google example below the identification requirements include name, date of birth, country, mobile phone number, email address and CAPTCHA response. While only two of these can actually be verified (the email address and the mobile number), the identification requirements are stricter than in the WordPress example.
An HTTP proxy can be a useful tool to test this control: capture the registration request, then replay it with altered or forged identity fields, with the same identity submitted again, and with the verification step skipped or its token tampered with.
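The following is an added example, not code from the OWASP guide: a toy in-memory registration service in two variants, and an `assess` function that drives the checks a tester would otherwise perform by hand through an HTTP proxy (client-controlled role or verified fields, duplicate registration of the same identity, and bypass of the email verification token). The class names `WeakRegistration` and `HardenedRegistration`, the request dictionaries and the `outbox` that stands in for outgoing mail are all constructed for illustration.

```python
"""Registration-process checks from the testing steps above, as an added
example. The two service classes and the captured requests are hypothetical."""
import hashlib
import hmac
import secrets

# Constructed sample requests, as a proxy would capture and let you edit them.
FORGED_REQUEST = {"email": "alice@example.com", "password": "S3cret!",
                  "role": "admin", "verified": True}
NORMAL_REQUEST = {"email": "alice@example.com", "password": "S3cret!"}


class WeakRegistration:
    """Provisions access from whatever the client sends: no identity check,
    no duplicate check, and role/verified taken straight from the request."""

    def __init__(self):
        self.users = []

    def register(self, req):
        user = {"email": req["email"], "role": req.get("role", "user"),
                "verified": req.get("verified", False)}
        self.users.append(user)
        return user

    def verify(self, email, token):
        # Accepts any token: the verification step is decorative.
        return True


class HardenedRegistration:
    """Only the email address is taken from the request. Role is fixed server
    side, the identity is unique (case-insensitive), and the account becomes
    verified only when the single-use token sent to that address comes back."""

    def __init__(self):
        self.users = {}
        self.pending = {}  # normalised email -> sha256 of the issued token
        self.outbox = {}   # stands in for the email actually sent to the user

    @staticmethod
    def _norm(email):
        return email.strip().lower()

    def register(self, req):
        key = self._norm(req["email"])
        if key in self.users:
            raise ValueError("identity already registered")
        token = secrets.token_urlsafe(32)
        self.pending[key] = hashlib.sha256(token.encode()).hexdigest()
        self.outbox[key] = token
        self.users[key] = {"email": key, "role": "user", "verified": False}
        return self.users[key]

    def verify(self, email, token):
        key = self._norm(email)
        expected = self.pending.get(key)
        if expected is None:
            return False
        given = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(expected, given):
            return False
        self.users[key]["verified"] = True
        del self.pending[key]  # token is single use
        return True


def assess(service_cls):
    """Run the registration checks against a fresh service instance and
    return {check_name: True if the weakness is present}."""
    svc = service_cls()
    findings = {}
    # 1. Can identity fields be forged to escalate at registration time?
    user = svc.register(FORGED_REQUEST)
    findings["client_controlled_role"] = user["role"] == "admin"
    findings["client_controlled_verified"] = user["verified"] is True
    # 2. Can the same identity register twice (case variation dodges naive checks)?
    try:
        svc.register({**NORMAL_REQUEST, "email": "Alice@Example.com"})
        findings["duplicate_identity"] = True
    except ValueError:
        findings["duplicate_identity"] = False
    # 3. Can the verification exchange be satisfied with a forged token?
    findings["verification_bypass"] = svc.verify(NORMAL_REQUEST["email"], "0000")
    return findings


if __name__ == "__main__":
    for cls in (WeakRegistration, HardenedRegistration):
        print(cls.__name__, assess(cls))
```

Against a real target the same three probes are made by editing the captured registration request in the proxy; the point of the hardened variant is that every identity-related decision (role, verified state, uniqueness, token validity) is taken server side from state the client cannot supply.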
Implement identification and verification requirements that correspond to the security requirements of the information the credentials protect.