PKCE vs Dynamic Client Registration for public clients

The RFC recommends using PKCE for web (public client)/native apps. It’s not stated that Dynamic Client Registration (DCR) is bad, but it’s not stated as an alternative either. I am wondering if there is any negative aspect of DCR that I am overlooking.

I would say that the biggest difference between the two is the fact that PKCE is much easier to implement with less bookkeeping while offering about the same protections as DCR.

Looking through the use cases defined in the DCR specification, it looks like the use case of a native app or SPA is included.

Is there a reason why it is not included in the best practices? Which use case is ideal for DCR?

Should I generate a lot of random serial keys and pick one for each registration or generate 1 for each user?

I’m talking about Online activation. My current workflow is:

  1. The user pays via PayPal (without registration).
  2. PayPal performs a request to my API.
  3. My API returns a serial key to the user.
  4. Then the user is able to register using this serial key.

It’s a “pay to register then use” and not a “register then pay to use”.

So the question is:

  • Should I generate (let’s say 100) keys and store them in the DB, then pick the first one available when someone pays via PayPal? Isn’t this vulnerable to “guess” attacks?
  • Should I generate 1 random key each time a user pays via PayPal? Can’t this approach generate 2 equal keys? I mean, I have no info from the user except what PayPal tells me, so I should somehow use a random function OR loop over the entire table comparing the serial keys.

Sending static registration links via email

In our mobile application, users need to register first before they can use it. After successful registration, they can now log in and use the features of the app. Now we will have a feature in our application where all users who have records in the Active Directory and “master” database but are not yet registered in the app would be sent an SMS with a registration link. The details are the following:

  1. A static link is sent (not the usual dynamic ones where a token is appended to the URL).

  2. When that link is clicked, an authentication page would show up in the machine’s internet browser and ask for the user’s email address and birthday. When the entered information is valid, a one-time password is sent via SMS and, if valid, the user can now proceed with registration.

The question is, is this kind of process secure? There was a debate within our team over whether the link sent via SMS should be dynamic or static. What are the possible vulnerabilities of this kind of process? It doesn’t seem to violate any OWASP standard.

Registration form – Delivery or Billing Address first?

This is a UI question for all you e-commerce design experts out there.
Is there a generally accepted standard for which address to capture first from new registrations on a typical online shopping site? Should you first ask the new customer for:
  1. their billing address, or
  2. their delivery address?

In my humble view we should first ask for their delivery address. My reasoning is this: since they are probably in the middle of checking out, and we don't want to slow down this process any…


Do registration codes need expiry?

I work on an application where users are sent a unique registration code in the post. They use this, along with other personal information known to the user, to confirm the identity of the user upon creating a new account.

Does the unique registration code sent in the post need an expiry time (like after 30 days)?

The argument that has been made to me is that if there is no expiry then a fraudster has longer to collate the personal information about the intended user to confirm identity. Therefore, they argue that adding an expiry decreases the likelihood of fraudsters creating an account posing as the intended user.

However, if that’s the case, I would imagine that having an expiry would make no difference. If a fraudster has intercepted this mail, then the individual has been personally targeted, and wouldn’t the fraudster be able to obtain the personal information needed to request another code?