...
Add flag, isExternalIdValidated. At the very least it should toggle between current behavior (any string can be set) and a stricter set of rules described below.
I would have this flag validate and assign an ID, require it at sign-up, and not allow it to be unassigned, only deleted when the user is deleted (for testing). There are actually many behaviors and there may need to be more than one flag:
...