I apologize if this is a somewhat stupid question, but I am very new to the REST programming realm. I have an application that is both web, mobile and machine accessible, and I will be leveraging REST-like web services for the mobile and machine part. I was going to use the S3 authentication model for the REST requests, however that requires the user account to already be setup.
If the user initiates his use of the service via an iPhone or other mobile device, what is the best way to securely create the user account? As it stands right now, anyone can create an account that will be created inactive and then activated via email link to a CAPTCHA web page. But I am afraid this could still lead to DOS attacks given the fact an email is generated for each request.
Any suggestions on improving this model and/or assuring the request does in fact come from an iPhone?