---
stage: Govern
group: Anti-Abuse
info: Any user with at least the Maintainer role can merge updates to this content. For details, see https://docs.gitlab.com/ee/development/development_processes.html#development-guidelines-review.
---

# Identity verification development

For information on this feature that is not development-specific, see the [feature documentation](../security/identity_verification.md).

## Feature flags

Because of the many registration paths and multiple verification stages, identity verification has several feature flags.

Before you enable these features, ensure [hard email confirmation](../security/user_email_confirmation.md) is enabled and [Arkose](../integration/arkose.md#configuration) is configured properly.

| Feature flag name | Description |
|---------|-------------|
| `identity_verification` | Turns on email verification for all registration paths |
| `identity_verification_phone_number` | Turns on phone verification for medium risk users for all flows (the Arkose challenge flag for the specific flow and the `identity_verification` flag must be enabled for this to have effect) |
| `identity_verification_credit_card` | Turns on credit card verification for high risk users for all flows (the Arkose challenge flag for the specific flow and the `identity_verification` flag must be enabled for this to have effect) |
| `arkose_labs_signup_challenge` | Enables Arkose challenge for all flows, except the Trial and OAuth flows |
| `arkose_labs_trial_signup_challenge` | Enables Arkose challenge for the Trial flow (the `arkose_labs_signup_challenge` flag must be enabled as well for this to have effect) |
| `arkose_labs_oauth_signup_challenge` | Enables Arkose challenge for the OAuth flow |

## Logging

You can triage and debug issues raised by identity verification with the [GitLab production logs](https://log.gprd.gitlab.net).

### View logs associated with a user and email verification

To view logs associated with the [email stage](../security/identity_verification.md#email-verification) for a user:

- Query the GitLab production logs with the following KQL:

  ```plaintext
  KQL: json.controller:"IdentityVerificationController" AND json.username:replace_username_here
  ```

Valuable debugging information can be found in the `json.action` and `json.location` columns.

### View logs associated with a user and phone verification

To view logs associated with the [phone stage](../security/identity_verification.md#phone-number-verification) for a user:

- Query the GitLab production logs with the following KQL:

  ```plaintext
  KQL: json.message: "IdentityVerification::Phone" AND json.username:replace_username_here
  ```

On rows where `json.event` is `Failed Attempt`, you can find valuable debugging information in the `json.reason` column such as:

| Reason  | Description |
|---------|-------------|
| `invalid_phone_number` | Either there was a typo in the phone number, or the user used a VOIP number. GitLab does not allow users to sign up with non-mobile phone numbers. |
| `invalid_code` | The user entered an incorrect verification code. |
| `rate_limited` | The user had 10 or more failed attempts, so they were rate-limited for one hour. |
| `related_to_banned_user` | The user tried a phone number already related to a banned user. |

#### View Telesign SMS status update logs

To view logs of Telesign status updates for an SMS sent to a user:

1. Get a `telesign_reference_id` value for an SMS sent to a specific user:

   ```plaintext
   json.message: "IdentityVerification::Phone" AND json.username:replace_username_here
   ```

1. Search for status update logs associated with `telesign_reference_id` value:

   ```plaintext
   json.message: "IdentityVerification::Phone" AND json.event: "Telesign transaction status update" AND json.telesign_reference_id:replace_ref_id_value_here
   ```

Status update logs include the following fields:

| Field  | Description |
|---------|-------------|
| `telesign_status` | Delivery status of the SMS. See the [Telesign documentation](https://developer.telesign.com/enterprise/reference/smscallbacks#status-codes) for possible status codes and their descriptions. |
| `telesign_status_updated_on` | A timestamp indicating when the SMS delivery status was last updated. |
| `telesign_errors` | Errors that occurred during delivery. See the [Telesign documentation](https://developer.telesign.com/enterprise/reference/smscallbacks#status-codes) for possible error codes and their descriptions. |
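As an added example (not part of the GitLab documentation or code base), the following Python helper applies the same filters as the phone-verification KQL queries above to a few constructed JSON log lines: it tallies `json.reason` over `Failed Attempt` rows and carries out the two-step `telesign_reference_id` correlation. The usernames, reference ids, timestamps, the `Sent SMS` event name and the Telesign status value are made-up placeholders.

```python
import json
from collections import Counter

# Constructed sample log lines, one JSON object per line, using the field names
# the KQL queries filter on. Usernames, reference ids, timestamps, the "Sent SMS"
# event name and the Telesign status value are placeholders, not production data.
SAMPLE_LOG_TEXT = """\
{"message": "IdentityVerification::Phone", "username": "alice", "event": "Failed Attempt", "reason": "invalid_code"}
{"message": "IdentityVerification::Phone", "username": "alice", "event": "Failed Attempt", "reason": "invalid_code"}
{"message": "IdentityVerification::Phone", "username": "alice", "event": "Failed Attempt", "reason": "rate_limited"}
{"message": "IdentityVerification::Phone", "username": "alice", "event": "Sent SMS", "telesign_reference_id": "ref-0001"}
{"message": "IdentityVerification::Phone", "username": "bob", "event": "Failed Attempt", "reason": "invalid_phone_number"}
{"message": "IdentityVerification::Phone", "event": "Telesign transaction status update", "telesign_reference_id": "ref-0001", "telesign_status": "placeholder_status", "telesign_status_updated_on": "2024-01-01T00:00:05Z", "telesign_errors": []}
{"message": "IdentityVerification::CreditCard", "username": "alice", "event": "Failed Attempt", "reason": "related_to_banned_user"}
"""

PHONE = "IdentityVerification::Phone"
STATUS_UPDATE = "Telesign transaction status update"


def load_logs(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


LOGS = load_logs(SAMPLE_LOG_TEXT)


def stage_logs_for_user(logs, username, stage=PHONE):
    """Equivalent of: json.message:"<stage>" AND json.username:<username>."""
    return [r for r in logs if r.get("message") == stage and r.get("username") == username]


def failed_attempt_reasons(logs, username, stage=PHONE):
    """Tally json.reason over the user's rows where json.event is "Failed Attempt"."""
    rows = stage_logs_for_user(logs, username, stage)
    return Counter(r.get("reason", "unknown") for r in rows if r.get("event") == "Failed Attempt")


def telesign_status_updates(logs, username):
    """Step 1: collect telesign_reference_id values from the user's phone logs.
    Step 2: return every status update row carrying one of those ids."""
    ref_ids = {r["telesign_reference_id"] for r in stage_logs_for_user(logs, username)
               if "telesign_reference_id" in r}
    return [r for r in logs if r.get("message") == PHONE and r.get("event") == STATUS_UPDATE
            and r.get("telesign_reference_id") in ref_ids]


if __name__ == "__main__":
    print(failed_attempt_reasons(LOGS, "alice"))
    for row in telesign_status_updates(LOGS, "alice"):
        print(row["telesign_reference_id"], row["telesign_status"], row["telesign_errors"])
```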

### View logs associated with a user and credit card verification

To view logs associated with the [credit card stage](../security/identity_verification.md#credit-card-verification) for a user:

- Query the GitLab production logs with the following KQL:

  ```plaintext
  KQL: json.message: "IdentityVerification::CreditCard" AND json.username:replace_username_here
  ```

On rows where `json.event` is `Failed Attempt`, you can find valuable debugging information in the `json.reason` column such as:

| Reason  | Description |
|---------|-------------|
| `rate_limited` | The user had 10 or more failed attempts, so they were rate-limited for one hour. |
| `related_to_banned_user` | The user tried a credit card number already related to a banned user. |

### View logs associated with high-risk users

To view logs associated with the [credit card stage](../security/identity_verification.md#credit-card-verification) for high-risk users:

- Query the GitLab production logs with the following KQL:

  ```plaintext
  json.controller:"SubscriptionsController" AND json.action:"payment_form" AND json.params.value:"cc_registration_validation"
  ```

## Code walkthrough

<i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
For a walkthrough and high-level explanation of the code, see [Identity Verification - Code walkthrough](https://www.youtube.com/watch?v=DIsnMiNzND8).

## QA Integration

For end-to-end production and staging tests to function properly, GitLab [allows QA users to bypass identity verification](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/117633).

## Additional resources

<!-- markdownlint-disable MD044 -->
The [Anti-abuse team](https://about.gitlab.com/handbook/engineering/development/data-science/anti-abuse/#team-members) owns identity verification. You can join our channel on Slack: [#g_anti-abuse](https://gitlab.slack.com/archives/C03EH5HCLPR).
<!-- markdownlint-enable MD044 -->

For help with Telesign:

<!-- markdownlint-disable MD044 -->
- Telesign/GitLab collaboration channel on Slack: [#gitlab-telesign-support](https://gitlab.slack.com/archives/C052EAXB6BY)
<!-- markdownlint-enable MD044 -->
- Telesign support contact: `support@telesign.com`
- [Telesign portal](https://teleportal.telesign.com/)
- [Telesign documentation](https://developer.telesign.com/enterprise/docs/get-started-with-docs)