Should I implement email verification during sign up?

12 points by montekaka 5 years ago · 16 comments · 1 min read


I'm working on a new app, and wonder if we should verify user email addresses during sign up. I notice some apps allow users to sign up with a fake email address, e.g. abc@abc.abc, but some don't. What are the pros and cons of allowing fake email addresses? Thanks

arkitaip 5 years ago

Please do. I hate getting transactional email intended for someone else because the devs don't verify email addresses. It doesn't even mean you have to do verification early in the onboarding process, but definitely before you start sending any email.

  • readonthegoapp 5 years ago

    This actually sounds like a good solution.

    That is, you want to allow people to stroll in and start using your app.

    Great.

    But just don't send out any emails on their behalf unless/until they've clicked the verification link in the one email you will send to them.

    This makes me think - should there be a link in the email that says, "This was not me" -- that allows the website dev to ban the offending IP?

    • arkitaip 5 years ago

      > This makes me think - should there be a link in the email that says, "This was not me" -- that allows the website dev to ban the offending IP?

      Maybe not ban the IP but definitely remove the email from the account (after a confirmation CTA). Some services do this and if I know them I hit the link.

  • Jtsummers 5 years ago

    Yep. I snagged a gmail address early on without numbers. I get lots of emails for people with similar initials to mine but who have some number after the name. None of them had verification messages that I could have rejected (and those that did, I safely ignored and never got spammed by).

    • mttrms 5 years ago

      same here - got my full (common enough) name while gmail was in closed invite-only beta.

      I get a ton of emails for others on a weekly basis with a ton of info not meant for me to see.

      One specific account "I" signed up for was a playstation account that actually prevented me from signing up for my own account. It took ~1hr of live chat with Sony to actually create an account with my email address.

      (And yes I am aware I can add additional periods or +keyword to the email)

  • dmarlow 5 years ago

    The best is when these transactional emails don't have a way to unsubscribe (thanks Comcast).

ecesena 5 years ago

It depends what you’re building :)

But in general, always verify. You can let users in with an unverified email (better for growth), but you should still send the email and handle verification.

I’ll give you an example. Say you want to add social logins and want to avoid duplicate accounts. You can implement auto linking. I sign up with my email, then I log in with Google; if it’s the same email AND I did verify it, then you can auto link. If I didn’t verify my email, you must not.
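The auto-linking rule from the comment above, as an added example that is not part of the original thread. `Account`, `resolve_social_login` and the action names are hypothetical; the additional check on the identity provider's own `email_verified` flag is an assumption that goes beyond what the comment states.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    email_verified: bool  # True only after the user clicked our own verification link
    linked_providers: set = field(default_factory=set)

def normalize(email):
    # Case and whitespace only; no provider-specific rewriting (dots, +tags).
    return email.strip().lower()

def resolve_social_login(accounts, provider, idp_email, idp_email_verified):
    """Decide what to do with a social login; returns (action, account)."""
    if not idp_email_verified:
        # Assumption: the provider tells us whether it verified the address.
        return ("reject", None)
    existing = accounts.get(normalize(idp_email))
    if existing is None:
        return ("create", None)
    if provider in existing.linked_providers:
        return ("login", existing)
    if existing.email_verified:
        # Both sides have proven control of the inbox: safe to merge.
        existing.linked_providers.add(provider)
        return ("link", existing)
    # The local account never proved inbox control, so it may belong to
    # someone else who typed this address. Do not merge automatically.
    return ("require_proof", existing)

def sample_accounts():
    # Constructed sample data.
    rows = [Account("alice@example.com", True), Account("bob@example.com", False)]
    return {normalize(a.email): a for a in rows}

if __name__ == "__main__":
    accounts = sample_accounts()
    for email in ("Alice@Example.com", "bob@example.com", "carol@example.com"):
        print(email, resolve_social_login(accounts, "google", email, True)[0])
```
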

mooreds 5 years ago

It depends on what you are using the email address for. Some things you might want to use it for:

    * knowing this is a real person
    * marketing communication
    * security/data breach communication
    * forgot password flows
    * step up authentication (send a code to an email)
    * user lookup if one user wants to share something with another
    * putting users on teams/allowing special access based on domains

In most of these cases, you want to verify not just that someone knows an email address, but that they have access to and/or control the inbox. This is what verification proves.

If you are just looking for a globally unique identifier and aren't doing any of the other stuff, you could skip verification. But in most cases you'll want to do this.

Incidentally I hope you are using a drop in auth service or a library--there's a lot out there and no need to roll your own.

  • mooreds 5 years ago

    And if you are allowing a fake email address, why not allow plain old anonymous access? That would be simpler and wouldn't clog up your database.

OldSamaritan 5 years ago

Instead of verification, you could use the email address as a login method. Don't use passwords, but let the users log in by email, sending a mail with a time-limited authentication token, and make them log in that way.

That way you don't have to deal with passwords, and you will know the user has a mailbox which they control.
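A sketch of the time-limited email login token described above, as an added example that is not part of the original thread. `LoginTokenStore`, the 15-minute lifetime, single-use redemption and storing only a hash of the token are assumptions chosen for illustration.

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; pick what fits your app

class LoginTokenStore:
    """In-memory store for emailed login tokens (a real app would use its database)."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (
            email.strip().lower(),
            now + TOKEN_TTL_SECONDS,
        )
        return token  # appears only in the link that is mailed out

    def redeem(self, token, now):
        """Return the email that controls this token, or None."""
        # pop() makes the token single use, even when it turns out to be expired.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        return email

if __name__ == "__main__":
    import time
    store = LoginTokenStore()
    t = store.issue("user@example.com", time.time())
    print(store.redeem(t, time.time()))  # the email address
    print(store.redeem(t, time.time()))  # None: already used
```
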

  • randomlurking 5 years ago

    I’ve thought about this method. I think this is what should be done for sites where you log in very infrequently (say, yearly). Do you know of any examples where this is implemented?

    • OldSamaritan 5 years ago

      https://medium.com uses it. And I'm working on a little project myself which will use this way of login.

      About the frequency: there aren't many situations where a user has access to your application, but not to email. I've been thinking about that, but when you have access to a browser, (most of the time) you have access to your mail.

  • skinnymuch 5 years ago

    I despise this method. I rarely have such a negative instinctive take on minor tech things. The annoyance of having to click an email link though does it for me.

CinematicStudio 5 years ago

As someone who's about to implement this myself (for a long time, while in beta, I allowed users to skip typing their email), I can tell you this: some of the feedback you will get will be much more polite if people know you can reply back.

Just my $.02.

sanmak 5 years ago

I'd suggest definitely doing it and preventing spam/junk logins. I'm also doing that in my app right now.
