Account Activation

Note: This document is based on Jelastic version 4.0

Automatic creation of numerous users via malicious software (bots) can cause the platform loading artificially and harmful overuse of resources, which will limit the legitimate users’ access to the platform’s computing power. In order to cull the fake signups and get rid of such problems, you are able to switch on the additional verifications during registration.

Activation is a base solution, provided by obliging users to follow the link to the special form received inside the welcome email. In such a way, the dashboard remains inaccessible until a user activates his account and specifies the desired password in this form. Users’ experience during a new account creation with activation enabled is described in the Account Registration document.

Tip: Another way to secure your platform from fake signups invasion is setting the restriction of account email by mask. In addition, in case of an absolute necessity, you have an ability to disable the registration at all.

And within this guide, you’ll discover how to:

preconfigure your Jelastic installation for the account activation appliance
enable the mandatory account activation, which can be additionally complexed with
- mobile number verification (for production use)
- captcha challenge-response test (for POC/demo projects)

Required Preconfigurations

Before enabling activation, it’s necessary to adjust your Jelastic platform for a new registration workflow through tuning the appropriate email templates and registration forms.

Email Customization

You should customize the welcome email templates (that users receive just after submitting the signup form) via JCA panel. We’ll show an example with our default template for trial users group, and you should perform the similar changes for your custom ones.

What’s required to be done:

Delete the lines with user’s credentials (i.e. Login and automatically generated Password)
Change the description of link for automatic signing in to the appropriate one, e.g. “Follow the next link in order to complete the registration:” (as this URL will lead to the activation form after the protection enabling)

Ensure you’ve customized the welcome email templates for all the registration user groups. Do not forget about a separate group for collaboration users (if you have one). Group-to-group conversion welcome emails (e.g. billing one) do not require any changes, as they are sent only after the group is changed, not after signing up.

Thus your welcome email template will look like the following:

Registration Form

For the desired display of a new activation form, you can customize its texts. We provide English and Russian variants of the form localization by default. In the case some additional languages are integrated to your platform, you need to translate the form texts and upload them alongside the default ones. Contact the Jelastic team in order to get the appropriate files and instruction.

Note: that for the appliance of mobile number verification via call, you’ll have to preliminary adjust the form texts according to the recommendations (as, by default, they are stated for the SMS code receiving method).

Also, pay attention to the logo at the top of the form - it’s similar to the one at the dashboard sign in form and is taken from the JCA > System settings > jclient > HOSTER_LOGO parameter. In the case you are not satisfied with how it’s displaying at a new form, you’ll have to customize it to be suitable for both use cases. Or, you can specify a separate logo to be used here by following this instruction.

In addition, check your custom signup forms (if there are any) and make sure the new registration workflow will not obstruct anything.

Enabling Activation

Once all the abovementioned activities are completed, you can enable the activation protection by following the next steps:

Navigate to the JCA > System Settings section, enable the Expert mode, and expand the common parameter’s group.
Find the signup.activation.enabled parameter and change its default false value to true.

For now, all of the newly signed up users will be obliged to activate their accounts in order to prove they are real customers and complete the registration. Herewith, you can additionally specify one of the extra verification methods for the new signups to be checked with: using either mobile number or captcha account confirmation.

Mobile Number Verification

Mobile number verification is designed to prevent fake signups through limiting the amount of trial accounts for a single user. If enabled, this option adds one more field to the activation form, where a user have to type a mobile phone number for getting an SMS or mobile call with an account activation code. Herewith, one number could be bound to a single account only.

Note: For this type of verification to be operable, you need to preliminary set up either a supplemental SMS-sending tool (e.g. Twilio), or, as a more secure alternative, a phone call verification service (for example - OnVerify).

By default, the registration form is configured for the SMS verification usage (whilst the way it can be adjusted for confirmation via call is described within the linked above doc on OnVerify appliance).

So, after a user clicks the Send/Get a Call button under the specified phone number, the 4-cell field for entering the received verification code will appear below:

In case an SMS/call wasn’t received, a user can either Edit the phone number (if it was specified incorrectly) or Contact support (if any other issue occurred). Also, the amount of tries for the verification code entering is limited per each phone number and can be configured via JCA.

The users’ experience during a new account creation with SMS/call verification enabled is described in the Account Registration document.

Enabling Mobile Phone Verification

So, in order to add mobile phone verification to the activation form, perform the following steps:

Navigate to the JCA > System Settings section, enable the Expert mode and expand the common parameter’s group.
Double-click on the signup.verification.method quota and state the SMS value for it (for both message or call verification; the default one is NONE).

Note: Mobile phone verification will work only in case signup.activation.enabled is set to true and the appropriate tool (e.g. Twilio or OnVerify) is configured to convey an activation code.

In such a way, all the new users will be obliged to pass the check with an activation code, received via mobile phone number.

Setting the Amount of Code Input Attempts

In order to control the limit of tries for entering the received activation code, the signup.sms.code.attempts quota (located within the System Settings > common JCA section whilst the Expert mode enabled) is used, which default value is 5.

If a user exceeds the stated amount of incorrect code input attempts, the verification will be failed. In this case, the remaining way to complete the registration is to specify another phone number.

The above described signup workflow is supplied with a number of dedicated parameters for the signup API method. The detailed information can be found in the Direct URL for Signup doc.

Captcha

One more protection option you can also use in combination with obligatory account activation is captcha verification. This will add a special widget to the activation form, displaying a random combination of characters. They should be retyped by the user to the corresponding field, in order to pass the security check.

Pay attention: Captcha challenge-response test may be used during project development and testing stages. As for production use, it’s highly recommended to apply mobile number verification, which provides the widest range of protection from malicious software attacks and mass bots registrations.

Users’ experience during a new account creation with captcha enabled is described in the Account Registration document.

Enabling Captcha

For adding a captcha widget to the activation form, perform the following:

Navigate to the JCA > System Settings section, enable the Expert mode, and expand the common parameter’s group.
Find the signup.verification.method parameter and change its value to CAPTCHA (the default one is NONE).

Remember that captcha can be enabled only in the case activation is already switched on.

Hereby, all the new users will be required to pass the captcha verification in addition to the mandatory account activation.