Should I implement email verification during sign up?

12 pointsmontekaka4y ago16 comments

I'm working on a new app, and wonder if we should verify user email address during sign up. I notice some app allow user to sign up with a fake email address e.g. abc@abc.abc, but some doesn't. What's the pro and con for allowing fake email address? Thanks

16 comments

arkitaip4y ago

Please do. I hate getting transactional email intended for someone else because the devs don't verify email addresses. It doesn't even mean you have to do verification early in the onboarding process, but definitely before you start sending any email.

readonthegoapp4y ago

This actually sounds like a good solution.

That is, you want to allow people to stroll in and start using your app.

Great.

But just don't send out any emails on their behalf unless/until they've clicked the verification link in the one email you will send to them.

This makes me think - should there be a link in the email that says, "This was not me" -- that allows the website dev to ban the offending IP?

arkitaip4y ago

> This makes me think - should there be a link in the email that says, "This was not me" -- that allows the website dev to ban the offending IP?

Maybe not ban the IP but definitely remove the email from the account (after a confirmation CTA). Some services do this and if I known them I hit the link.

Jtsummers4y ago

Yep. I snagged a gmail address early on without numbers. I get lots of emails for people with similar initials to mine but who have some number after the name. None of them had verification messages that I could have rejected (and those that did, I safely ignored and never got spammed by).

mttrms4y ago

same here - got my full (common enough) name while gmail was in closed invite-only beta.

I get a ton of emails for others on a weekly basis with a ton of info not meant for me to see.

One specific account "I" signed up for was a playstation account that actually prevented me from signing up for my own account. It took ~1hr of live chat with Sony to actually create an account with my email address.

(And yes I am aware I can add additional periods or +keyword to the email)

dmarlow4y ago

The best is when these transactional emails don't have a way to unsubscribe (thanks Comcast).

ecesena4y ago

It depends what you’re building :)

But in general, always verify. You can let users in with an unverified email (better for growth), but you should still send the email and handle verification.

I’ll give you an example. Say you want to add social logins and want avoid duplicated account. You can implement auto linking. I sign up with my email, then I log in with google, if it’s the same email AND I did verify it, then you can auto link. If I didn’t verify my email, you must not.

mooreds4y ago

It depends on what you are using the email address for. Some things you might want to use it for:

    * knowing this is a real person
    * marketing communication
    * security/data breach communication
    * forgot password flows
    * step up authentication (send a code to an email)
    * user lookup if one user wants to share something with another
    * putting users on teams/allowing special access based on domains

In most of these cases, you want to verify not just that someone knows an email address, but that they have access to and/or control the inbox. This is what verification proves.

If you are just looking for a globally unique identifier and aren't doing any of the other stuff, you could skip verification. But in most cases you'll want to do this.

Incidentally I hope you are using a drop in auth service or a library--there's a lot out there and no need to roll your own.

mooreds4y ago

And if you are allowing a fake email address, why not allow plain old anonymous access? That would be simpler and wouldn't clog up your database.

montekakaOP4y ago

Yeah, we are using rails devise gem to handle our login.

OldSamaritan4y ago

Instead of verification, you could use the emailaddress as a login-method. Don't use passwords, but let the users login by email, sending a mail with a time-limited authentication-token and make them login that way.

That way you don't have to deal with passwords, and you will know the user has a mailbox which they control.

randomlurking4y ago

I’ve thought about this method. I think this is what should be done for sites where you log in very infrequent (say, yearly). Do you know of any examples where this is implemented?

OldSamaritan4y ago

https://medium.com uses it. And I'm working on a little project myself which will use this way of login.

About the frequency: there aren't many situations where a user has access to your application, but not to email. I've been thinking about that, but when you have access to a browser, (most of the times) you have access to your mail.

skinnymuch4y ago

I despise this method. I rarely have such a negative instinctive take on minor tech things. The annoyance of having to click an email link though does it for me.

CinematicStudio4y ago

As someone who's about to implement this myself (for a long time, while in beta, I allowed users to skip typing their email), I can tell you this: some of the feedback you will get will be much more polite if people know you can reply back.

Just my $.02.

sanmak4y ago

I'll suggest to definitely do it and prevent from Spam/Junk logins. I'm also doing that in my app right now.

j / k navigate · click thread line to collapse

16 comments

arkitaip4y ago

readonthegoapp4y ago

This actually sounds like a good solution.

That is, you want to allow people to stroll in and start using your app.

Great.

But just don't send out any emails on their behalf unless/until they've clicked the verification link in the one email you will send to them.

This makes me think - should there be a link in the email that says, "This was not me" -- that allows the website dev to ban the offending IP?

arkitaip4y ago

> This makes me think - should there be a link in the email that says, "This was not me" -- that allows the website dev to ban the offending IP?

Maybe not ban the IP but definitely remove the email from the account (after a confirmation CTA). Some services do this and if I known them I hit the link.

Jtsummers4y ago

mttrms4y ago

same here - got my full (common enough) name while gmail was in closed invite-only beta.

I get a ton of emails for others on a weekly basis with a ton of info not meant for me to see.

(And yes I am aware I can add additional periods or +keyword to the email)

dmarlow4y ago

The best is when these transactional emails don't have a way to unsubscribe (thanks Comcast).

ecesena4y ago

It depends what you’re building :)

But in general, always verify. You can let users in with an unverified email (better for growth), but you should still send the email and handle verification.

mooreds4y ago

It depends on what you are using the email address for. Some things you might want to use it for:

    * knowing this is a real person
    * marketing communication
    * security/data breach communication
    * forgot password flows
    * step up authentication (send a code to an email)
    * user lookup if one user wants to share something with another
    * putting users on teams/allowing special access based on domains

In most of these cases, you want to verify not just that someone knows an email address, but that they have access to and/or control the inbox. This is what verification proves.

If you are just looking for a globally unique identifier and aren't doing any of the other stuff, you could skip verification. But in most cases you'll want to do this.

Incidentally I hope you are using a drop in auth service or a library--there's a lot out there and no need to roll your own.

mooreds4y ago

And if you are allowing a fake email address, why not allow plain old anonymous access? That would be simpler and wouldn't clog up your database.

montekakaOP4y ago

Yeah, we are using rails devise gem to handle our login.

OldSamaritan4y ago

That way you don't have to deal with passwords, and you will know the user has a mailbox which they control.

randomlurking4y ago

I’ve thought about this method. I think this is what should be done for sites where you log in very infrequent (say, yearly). Do you know of any examples where this is implemented?

OldSamaritan4y ago

https://medium.com uses it. And I'm working on a little project myself which will use this way of login.

skinnymuch4y ago

I despise this method. I rarely have such a negative instinctive take on minor tech things. The annoyance of having to click an email link though does it for me.

CinematicStudio4y ago

Just my $.02.

sanmak4y ago

I'll suggest to definitely do it and prevent from Spam/Junk logins. I'm also doing that in my app right now.

j / k navigate · click thread line to collapse