This repository was archived by the owner on Apr 26, 2024. It is now read-only.

e2e keys are not removed when accounts are deactivated #7984

@n3rdybyn47ur3

I know that deleting users isn't possible at the moment, so we use the disable API to "delete" them. We have a very high staff fluctuation and our user name policy allows that usernames of retired staff members can be reused. Let's say "Bob Smith" retires and his Active Directory name smithb is removed (and disabled in Matrix, because deletion is impossible). Some weeks later "Bill Smith" joins the company and gets the Active Directory username smithb because it's no longer present in the directory. During his first Element login he authenticates with his Active Directory credentials (ma1sd) and gets asked to provide his security key (the one of the retired staff member, I assume) instead of creating a new one, because the old user object is still in the Matrix database.

I see three possible solutions to this problem and would kindly ask to implement one of them in the future:

  1. Make it possible to completely delete users
  2. Please add the security key to the list of deleted profile values (room memberships, 3pids,...)
  3. Change the Matrix UID to something random when disabling a user

Another solution would be to use randomly created UIDs when the authentication happens via 3pid (ma1sd, saml,..). Our staff members will never use or need to remember their actual Matrix name because of the connected identity provider.

With kind regards
