When creating a user registration form, it's possible to check to see if the email or username is already registered even before the user submits the form.
People can mitigate this by using email canaries. Email canaries are email aliases that allow for an address to be tied to a specific entity and thusly thrown-away should that entity break their trust. Not all email providers support creating aliases but people should absolutely research which ones do.
My question is, do you think this is a privacy risk?
Yes. This is why creating obscure canaries is a good idea. Obscure meaning not putting the entity/company name in the address but having a way to map it to said entity. In Fastmail there is a comment field for each alias. In postfix this could be done in configuration comments.
Canaries are also important to mitigate some of the cross-site tracking and mapping of people. Emails are used exactly like cookies in this sense. Businesses track and sell who is using what sites so they can better map who can be sold what products. When people use more obvious canaries such as putting the name of the business in the alias it causes these companies to get upset because they have to exclude it from tracking. Some are even starting to label it as fraud despite not being so. This is why canaries/aliases should be obscure and only the creator should know who they map to.
Have you considered not requiring email at all? Those are my favorite sites. Your site provides some good or service, I just want that from you. But if I do, chances are I and younger people in general don't prefer email since there are a myriad of other options.
Whether or not I am a member of amazon is a very serious privacy issue for me depending on who sees that information and correlates it with other info.
For security, this terrible lazy way of relying on email causes a lot of problems for users. Access to your site should not depend on a central point of failure: users' email. Believe me when I say getting your email pwned is made even more horrible by the fact that random accounts are now also compromised. Doesn't matter if you use a password manager. If you use 2fa, you have to have some means of resetting accounts other than email, else you're just federating to email.
If you just want to federate the real authentication to their email provider then use Oauth2 with Google, Github, Facebook and Microsoft. Let them do auth but don't require email.
At this rate email will outlive ipv4! Lol
If the data is public anyway (eg usernames on forums) then you can check it before submitting - it's available to anyone anyway.
If the data isn't public and sensitive...
You know, if the email address is the right one, then the registration form would be sent (and delivered, most of the time) to it, but if it's not - then not. So for the emails there is no reason to disclose the existence of the account with such email at all.
But you should occasionally check your mail bounces and attempts to register with existing addresses.
HN is a good example of a different tradeoff. It uses usernames and usernames can be anonymous. Email is optional on the user profile. Not providing it means:
1. the feature of password recovery/reset is unavailable.
2. other users won't be able to directly contact you via email (and therefore this prioritizes privacy over other features/functionality).
As others have suggested, you can use the email for sending a context specific magic link for signin/registration completion.
Please read the OWASP guidelines for this, on the Authentication part. It documents the right checks and response messages to show to the user.
Assuming the same user on site a and b are the same based on username is not a good idea.
You can go with the following flow:
- User enters email in registration form and submits.
- You return a thank you message saying that you sent instructions to the email address.
If the email address doesn't exist in your database, the link is for user creation and choosing a password.
If the email address was in the database, your email says that someone tried to register with the same email address, ask the person if it was them, and ask them if they forgot they had an account with the service. You may provide a link to the sign-in page, or to reset the password.
External visitor has no information on whether the email has an account or not, and the owner of the email has all the information.
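The flow above, as an added example (not the commenter's code): the registration endpoint answers identically for known and unknown addresses, and the branch happens only in what gets mailed. The in-memory stores, the mail bodies and the `example.invalid` signup URL are constructed stand-ins.

```python
import hashlib
import secrets

# Constructed in-memory stand-ins for the site's user table and outgoing mail queue.
users = {"alice@example.com": {"password_hash": b"<existing hash>"}}
pending_signups: dict[str, str] = {}   # sha256(token) -> email; only the digest is stored
outbox: list[dict] = []                # every mail the flow "sends"

SIGNUP_URL = "https://example.invalid/signup/"   # assumed site URL
GENERIC_REPLY = "Thanks! We have sent instructions to that address."

def register(email: str) -> str:
    """Registration endpoint: the visitor gets the same reply whether or not the address is known."""
    email = email.strip().lower()
    if email in users:
        # Existing account: the mailbox owner learns it, the visitor does not.
        outbox.append({
            "to": email,
            "subject": "Someone tried to register with your address",
            "body": "If this was you, sign in or reset your password instead of registering again.",
        })
    else:
        # New address: one-time account-creation link; the raw token lives only in the mail.
        token = secrets.token_urlsafe(32)
        pending_signups[hashlib.sha256(token.encode()).hexdigest()] = email
        outbox.append({
            "to": email,
            "subject": "Finish creating your account",
            "body": f"Choose a password here: {SIGNUP_URL}{token}",
        })
    return GENERIC_REPLY

def complete_signup(token: str, password: str) -> bool:
    """Consumes the link once; fails closed if the token is unknown or the account already exists."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    email = pending_signups.pop(digest, None)
    if email is None or email in users:
        return False
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    users[email] = {"password_hash": salt + key}
    return True
```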