Critical Security Risk: Preventing Unauthorized User Registrations

My user registration function allows users to register by retrieving their principal ID. While it blocks anonymous principals, it does not verify whether a principal is genuinely issued by ICP Identity, NFID, or a valid wallet. This makes it vulnerable to:

  • Fake Principals – Attackers can generate scripted principals that are not tied to real users.
  • Spam & Sybil Attacks – Mass registrations can bloat storage and exploit canister resources.
  • Cycle Drainage – Automated calls could drain cycles via fake signups.

Key Question:

How can I strictly validate that only authenticated principals from Internet Identity, NFID, or trusted wallets can register?

  • Does ICP provide a built-in verification method?
  • Are there external ways (like cryptographic proof or a verification API) to check principal authenticity?

Looking for ICP-native solutions or external best practices to prevent fake registrations and ensure only verified users can be stored.

1 Like

There is a verified credential API, and a number of folks have made attempts at implementing it. (See a recent post on blockid.) Of course, you have to trust the issuer of the credential. I think decideai does some verification with AI? @kristofer (I think) did a very cool attestation demo that let you pull things from the EVM world like Gitcoin Passport.

But directly, there isn’t any straightforward way to guarantee a principal came from a “wallet software”. The principals are a theoretically infinite (well, OK, limited by the byte length) set of x,y coordinates on a curve. I guess in theory you should be able to check if a public key is on this curve or not? But the point is for you to not be able to tell for privacy reasons.

If you don’t want “fake” people signing up then you need to implement verification.

3 Likes
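Added example, not part of either post: a Python sketch of what can be read from a principal alone, following the principal encoding in the Internet Computer interface specification (text form is base32 of CRC32 plus the raw bytes; a self-authenticating principal is SHA-224 of the DER public key followed by the byte 0x02). The function names are hypothetical and the key blobs are constructed placeholders, not real keys. It shows that the class of a principal is checkable, while the software that produced the key is not.

```python
import base64
import hashlib
import zlib

# Class tags from the Internet Computer interface specification.
SELF_AUTHENTICATING = 0x02
ANONYMOUS = 0x04


def encode_principal(raw: bytes) -> str:
    """Text form: base32(CRC32(raw) || raw), lowercase, unpadded, dash every 5 chars."""
    blob = zlib.crc32(raw).to_bytes(4, "big") + raw
    b32 = base64.b32encode(blob).decode().rstrip("=").lower()
    return "-".join(b32[i:i + 5] for i in range(0, len(b32), 5))


def decode_principal(text: str) -> bytes:
    """Reverse of encode_principal; rejects text whose checksum does not match."""
    b32 = text.replace("-", "").upper()
    blob = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    if len(blob) < 4:
        raise ValueError("too short to hold a checksum")
    crc, raw = blob[:4], blob[4:]
    if zlib.crc32(raw).to_bytes(4, "big") != crc:
        raise ValueError("checksum mismatch")
    return raw


def classify(text: str) -> str:
    """Return the only thing the bytes reveal: the principal class."""
    raw = decode_principal(text)
    if raw == bytes([ANONYMOUS]):
        return "anonymous"
    if len(raw) == 29 and raw[-1] == SELF_AUTHENTICATING:
        return "self-authenticating"
    return "other"  # e.g. opaque canister ids


def self_authenticating_principal(der_public_key: bytes) -> str:
    """SHA-224(DER public key) || 0x02, in text form."""
    digest = hashlib.sha224(der_public_key).digest()
    return encode_principal(digest + bytes([SELF_AUTHENTICATING]))


if __name__ == "__main__":
    # Constructed placeholder blobs standing in for DER-encoded public keys.
    for label, key in [("key A", b"constructed-key-A"), ("key B", b"constructed-key-B")]:
        p = self_authenticating_principal(key)
        print(label, p, classify(p))
    print("2vxsx-fae", classify("2vxsx-fae"))
```

Both constructed keys classify identically as self-authenticating, so a registration check on the caller's principal can reject the anonymous principal but cannot tell which identity provider or wallet held the key; that distinction has to come from a credential or other verification step, as the reply says.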