Another separate issue:
I have allowed unverified email registrations to create a session to access my app. I have gated features in my app to only allow access after verification.
The issue is when another user tries to create an account with the same email address, ory blocks that user from registering with the 4000007 error above.
This is a problem because a bad actor can squat on unverified email addresses blocking real users that actually own that email address from registering. Ory should not consider unverified email registrations as actual signups. What should I do here?
magnificent-energy-493
02/17/2025, 11:41 AM
Hey @broad-address-23795
How would you like this case to be handled?
You could for example periodically remove all unverified accounts via the admin API - this would make it impossible to “squat” accounts.
Is this a hypothetical scenario or something you already experienced in your service?
broad-address-23795
02/18/2025, 3:28 AM
If unverified sessions are allowed, I think I would like Ory to allow the registration of multiple accounts with the same email but only allow one to be verified. It would be the app's responsibility to check the verification state of that account for access. But a single user shouldn't be able to squat emails that they don't own and block registration for others.
The admin API seems to be the only solution now. It's a rare case but does happen.
magnificent-energy-493
02/18/2025, 3:03 PM
Gotcha.
You could open an issue in GitHub to gather more feedback from the community - right now it seems you are the only user who has this concern.
I don't expect anything to change there unless this is an issue that affects a significant portion of the user base, since "allow the registration of multiple accounts with the same email" (given that email is the main identifier) would be a huge breaking change.
broad-address-23795
02/19/2025, 4:07 AM
Thanks will dig deeper. There are already multiple issues in ory repos related to account enumeration concerns.
magnificent-energy-493
02/19/2025, 4:06 PM
Hey @broad-address-23795
one great way to surface this would be to gather these issues all and post them in a github discussion!
Then we can see where we have duplicate issues, or generally get a better overview of how many in the community are concerned about account enumeration. Feel free to ping me in the discussion as well, but I usually check new ones at least weekly.