Identity verification development

For information on this feature that are not development-specific, see the feature documentation.

Feature flags

Because of the many registration paths and multiple verification stages, identity verification has several feature flags.

Before you enable these features, ensure hard email confirmation is enabled and Arkose is configured properly.

Feature flag name	Description
`identity_verification_phone_number`	Turns on phone verification for medium risk users for all flows.
`identity_verification_credit_card`	Turns on credit card verification for high risk users for all flows.

You can triage and debug issues raised by identity verification with the GitLab production logs.

To view logs associated to the email stage for a user:

Query the GitLab production logs with the following KQL:

KQL: json.controller:"RegistrationsIdentityVerificationController" AND json.username:replace_username_here

Valuable debugging information can be found in the json.action and json.location columns.

To view logs associated to the phone stage for a user:

Query the GitLab production logs with the following KQL:

KQL: json.message: "IdentityVerification::Phone" AND json.username:replace_username_here

On rows where json.event is Failed Attempt, you can find valuable debugging information in the json.reason column such as:

Reason	Description
`invalid_phone_number`	Either there was a typo in the phone number, or the user used a VOIP number. GitLab does not allow users to sign up with non-mobile phone numbers.
`invalid_code`	The user entered an incorrect verification code.
`rate_limited`	The user had 10 or more failed attempts, so they were rate-limited for one hour.
`related_to_banned_user`	The user tried a phone number already related to a banned user.

To view Telesign status updates logs for SMS sent to a user, query the GitLab production logs with:

json.message: "IdentityVerification::Phone" AND json.event: "Telesign transaction status update" AND json.username:<username>

Status update logs include the following fields:

Field	Description
`telesign_status`	Delivery status of the SMS. See the Telesign documentation for possible status codes and their descriptions.
`telesign_status_updated_on`	A timestamp indicating when the SMS delivery status was last updated.
`telesign_errors`	Errors that occurred during delivery. See the Telesign documentation for possible error codes and their descriptions.

To view logs associated to the credit card stage for a user:

Query the GitLab production logs with the following KQL:

KQL: json.message: "IdentityVerification::CreditCard" AND json.username:replace_username_here

On rows where json.event is Failed Attempt, you can find valuable debugging information in the json.reason column such as:

Reason	Description
`rate_limited`	The user had 10 or more failed attempts, so they were rate-limited for one hour.
`related_to_banned_user`	The user tried a credit card number already related to a banned user.

To view logs associated with the credit card stage for high-risk users:

Query the GitLab production logs with the following KQL:

json.controller:"SubscriptionsController" AND json.action:"payment_form" AND json.params.value:"cc_registration_validation"

For a walkthrough and high level explanation of the code, see Identity Verification - Code walkthrough.

For end-to-end production and staging tests to function properly, GitLab allows QA users to bypass identity verification.

The Anti-abuse team owns identity verification. You can join our channel on Slack: #g_anti-abuse.

For help with Telesign: