diff --git a/src/Microsoft.AspNet.Identity/UserOptions.cs b/src/Microsoft.AspNet.Identity/UserOptions.cs
index 84aa9ad34c..e8cdf38b86 100644
--- a/src/Microsoft.AspNet.Identity/UserOptions.cs
+++ b/src/Microsoft.AspNet.Identity/UserOptions.cs
@@ -1,22 +1,55 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System.Text.RegularExpressions; +using System; namespace Microsoft.AspNet.Identity { + /// + /// Options for user validation. + /// public class UserOptions { + /// + /// Initializes a new instance of the class. + /// public UserOptions() { //User.RequireUniqueEmail = true; // TODO: app decision? } + /// + /// Gets or sets the regular expression used to validate user names. + /// + /// + /// The regular expression used to validate user names. + /// + /// + /// As regular expressions can be subject to Denial of Service attacks, depending on their complexity and user input, + /// validation via regular expressions will timeout and fail after the value set in the + /// property. + /// public string UserNameValidationRegex { get; set; } = "^[a-zA-Z0-9@_\\.]+$"; /// - /// If set, enforces that emails are non empty, valid, and unique + /// Gets or sets the timeout value used after which user name validation via the will fail if it has + /// not completed. /// + /// + /// The timeout value used after which user name validation via the will fail if it has not completed. + /// + /// + /// The default value is 20 milliseconds. + /// + public TimeSpan UserNameValidationRegexTimeout { get; set; } = new TimeSpan(0,0,0,0,20); + + /// + /// Gets or sets a flag indicating whether the application requires unique emails for its users. + /// + /// + /// A flag indicating whether the application requires unique emails for its users. + /// This will be true if the application requires each user to have their own, unique email, otherwise false. + /// public bool RequireUniqueEmail { get; set; } } } \ No newline at end of file diff --git a/src/Microsoft.AspNet.Identity/UserValidator.cs b/src/Microsoft.AspNet.Identity/UserValidator.cs index 9c5b743769..a237f1dad6 100644 
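Review bot: `UserNameValidationRegexTimeout` accepts any `TimeSpan`, but its remarks give only the default. A zero or negative value makes `Regex.IsMatch` throw `ArgumentOutOfRangeException` when a user name is validated, and `Regex.InfiniteMatchTimeout` switches off the Denial of Service safeguard that the `UserNameValidationRegex` remarks promise. I would state both in the remarks, for example `/// The value must be positive; Regex.InfiniteMatchTimeout disables the timeout and removes the protection described on UserNameValidationRegex.`, or reject invalid values where the option is set. As a style point, `TimeSpan.FromMilliseconds(20)` reads more clearly than `new TimeSpan(0,0,0,0,20)`.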
--- a/src/Microsoft.AspNet.Identity/UserValidator.cs +++ b/src/Microsoft.AspNet.Identity/UserValidator.cs @@ -13,7 +13,7 @@ using System.Threading.Tasks; namespace Microsoft.AspNet.Identity { /// - /// Validates users before they are saved + /// Provides validation services for user classes. /// /// public class UserValidator : IUserValidator where TUser : class @@ -58,7 +58,8 @@ namespace Microsoft.AspNet.Identity { errors.Add(Describer.InvalidUserName(userName)); } - else if (manager.Options.User.UserNameValidationRegex != null && !Regex.IsMatch(userName, manager.Options.User.UserNameValidationRegex)) + else if (manager.Options.User.UserNameValidationRegex != null && + !Regex.IsMatch(userName, manager.Options.User.UserNameValidationRegex, RegexOptions.CultureInvariant, manager.Options.User.UserNameValidationRegexTimeout)) { errors.Add(Describer.InvalidUserName(userName)); }
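Review bot: The new `Regex.IsMatch` overload in the `else if` signals an elapsed timeout by throwing `RegexMatchTimeoutException`, and nothing visible in this hunk catches it. A user name that trips the timeout would therefore surface as an unhandled exception rather than the `InvalidUserName` error that the `UserNameValidationRegex` remarks describe as validation that will "fail". Catching the exception next to the match and treating it as a non-match keeps the outcome a normal validation error and leaves the `else if` chain as it is. A timeout is also worth recording, since repeated ones point to either a pattern prone to backtracking or hostile input. The enclosing method starts and ends outside the hunk, so a handler further out may already exist.

```csharp
else if (manager.Options.User.UserNameValidationRegex != null &&
    !MatchesWithinTimeout(userName, manager.Options.User.UserNameValidationRegex, manager.Options.User.UserNameValidationRegexTimeout))
// … unchanged: errors.Add(Describer.InvalidUserName(userName)) block …

// Treats a timed-out match as a failed match so the caller reports a validation error.
private static bool MatchesWithinTimeout(string input, string pattern, TimeSpan timeout)
{
    try
    {
        return Regex.IsMatch(input, pattern, RegexOptions.CultureInvariant, timeout);
    }
    catch (RegexMatchTimeoutException)
    {
        return false;
    }
}
```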