

It's Time To Kill New User Confirmation Email Links - jakequist
http://quist.co/post/4296898464/its-time-to-kill-new-user-confirmation-email-links

======
zb
_Perhaps I’ve missed some obvious reason why the industry still does this._

Because if you get a random email from some site you've never signed up for,
there are two possible scenarios that you cannot distinguish between:

1) Somebody has maliciously signed you up to a legitimate site. 2) A malicious
site is trying to get you to click a random link.

This proposal suffers from a common flaw, in which people assume they can
change just one thing and have everything else in the world stay the same.
Systems don't work like that.

~~~
prsimp
The author addresses the first issue in the paragraph preceding the one you
quoted.

As it currently stands, most 'confirmation e-mails' I get also provide an 'if
this isn't you' section. All the author is arguing is that we can do away with
the confirmation part and keep the 'if this isn't you' part for those edge
cases where a person's email address has been used by someone other than said
person.

~~~
Tichy
But the "if this isn't you" part could be a scam. It would make you click on a
link in an email you did not request, which is a bad idea.

~~~
threedaymonk
That's already the case, isn't it? All emails contain the "if this isn't you"
part, so the case of the person who didn't request the email is unchanged.

------
Xurinos
I just want to attach an anecdote here and explain why I prefer confirmation
emails.

One day, somewhere in the last couple months, I checked my email box and saw a
message from some craft site. It was informing me that my paid subscription
was activated and that I was entitled to X, Y, and Z services. I ignored it. I
received another related email the next day. I ignored that, too. When I
received a third with another advertisement, I realized this was legitimate
and that someone had accidentally used my email address! My inclination was to
find someone in control of the site and let them know the mistake so that the
original person could see their offers and track their subscription. I headed
to the website and noticed the login form on the first page.

Curiosity struck me. Was this one of those sites that people make fun of
online with bad security? I clicked the link saying I forgot my password. They
asked not for my username but for my email address. So I entered that. Next
thing I know, my Inbox has an email from the craft site _with the registered
user's plaintext password_!

Uh oh. Is this for real? What if I was a malicious user? I had to see how bad
this situation really was. I logged into the user's account. I was able to
find their home address and phone number, but thankfully (dear Lord,
thankfully), the website made no mention of credit card numbers. I did not
look to see if I could order more service; at that point and in my shock over
the situation, I felt I was deep into some weird grey area and was way past my
welcome. I logged out, found an online contact form, and explained the
situation as well as how they could improve their system to avoid harm to
their users.

The security mistakes in this situation were compounded.

(1) Email alerts went to the wrong person. If you verify the email, the right
people get the messages. If you do not verify the email, the wrong person can
mark your site as spam or take advantage of the situation.

(2) The site stored plaintext passwords. This was a craft site... By the name
of the victim and other factors, I realized that this was some old lady who
has faith in the trustworthiness of the Internet and probably, like most
typical people, uses the same password for multiple sites. And this site
happily handed it over to a stranger. That, my friends, is scary.

People make honest mistakes. If the email address is important for account
management, _send a verification email_. And give the user an opportunity to
fix the problem in the event that that verification fails in some way.

------
sunchild
This article misses a key point. You want to confirm that the person who
opted into your service is who they say they are. Otherwise, you're looking
forward to abuse complaints from email recipients, and it only takes a few of
those to suspend your Mailchimp (or whatever delivery service) account. You
can also add non-compliance with spam, privacy and other laws to the list of
fun things that could happen if you take this article's advice.

~~~
prsimp
_"In the edge case, where some unauthorized person has signed up using my
email, then include some directions at the bottom of the email that instruct
me how to deal with the abuse. And an extra benefit: If I have a good
experience with your site reporting the abuse, I’ll be more interested to
legitimately check out the site."_

I'm not sure if I just don't understand what both of you are saying, but it
seems he addressed this point towards the end of the post. I can't see how his
solution ('click here if this isn't you') is any different than 'click here to
confirm this is you' as far as potential abuse is concerned.

~~~
zb
Because if you're the innocent target of a malicious sign-up then you
shouldn't have to take any further action - _particularly_ action that could
expose you to further harm, such as clicking on a link randomly emailed to you
from some site you've never heard of - to avoid having your email address
associated with the account.

Edit: You also shouldn't have to be watching your email like a hawk 24/7 just
in case somebody signs you up for something, so that you can stop them from
impersonating you before they do any damage.

In short, it's the difference between opt-in and opt-out. Identity theft
should almost never be opt-out.

~~~
swombat
More than that - a number of services (for example B2B SaaS) depend on knowing
the email identity of their user. Are you John Jones
<john.jones@goldmansachs.com>? Of course you are, you signed up with that
email address and the system accepted you.

If a system like, say, Woobius, doesn't confirm emails, people will abuse this
lack of feature.

------
mc2k
The article assumes that people are happy to click on a link within an email
from an unrecognised source, in order to cancel a fake member account. This
rings all sorts of alarm bells, I would never do that.

If I got an email like that, I would click the spam button and the server
would probably face regular spam blacklist issues from big providers.

~~~
prodigal_erik
This. Silence is not consent, and if you start mailing me regularly because I
did not browse to some URL telling you not to, you are a spammer and I will
treat you as such.

------
ugh
I'm more annoyed by having to pick a (unique) username. My name is too long
and too common, all of the nice short versions are always already gone and why
the hell am I so often not allowed to separate my first and (abbreviated) last
name with a dot? Use my email address as the unique identifier and let me
enter my first and last name or a nickname (which doesn't have to be unique),
please.

Don't make me think. You should never ever have to show me the "This name is
already in use." message. Your design shouldn't even need it. Not everyone has
or would like to have an (as unique as possible) nickname on the web they
would like to use.

(Unique) usernames are the one vestige of the old web I would like to get rid
of post haste. Call me Michael. (I still positively remember signing up to
Facebook because I didn't have to pick a username.)

~~~
ehutch79
the easy solution to this is your email as a username/login. that way it's
guaranteed unique. the only problem is multiple john smiths confusing people

~~~
regularfry
Email addresses may be unique at one point of time, but assuming that they are
unique identifiers for people is problematic because they can legitimately
change hands. For instance, my work email address is <firstname>@<company>.
I'm not the first <firstname> at <company> - the other one left before I
joined, but two months after I took over the email address I'm _still_
clearing up the accounts with services that made an identity assumption over
email addresses.

~~~
gokhan
Isn't there a problem if you sign-up to services with your "temporary" work
email? Get a gmail account and sit on it, what's wrong with that?

~~~
regularfry
I don't have a "temporary" work email. I'm not sure I understand what you're
suggesting.

------
CWIZO
"When I’m checking my email, the last thing I want to do is context switch
back to the app."

Umm you are signing up for a service, when you click the "register" button,
you are usually presented with a message "check your email for a confirmation
link" so you go do that. Where is context switching here?

Most of the users don't signup for something and then forget about it until
they, by accident, stumble upon the email when they check their inbox the next
time. Or am I wrong?

~~~
carbzilla
I agree. When I sign up for a service the confirmation email is generally
already in my inbox by the time I switch tabs to gmail. Then the confirmation
link takes me back to the site and logs me in, no hard work involved.

Also, I've never registered for a service and decided not to immediately check
my email to activate my account when I'm prompted to. I can't recall a single
time when I've come across a confirmation link while casually checking my
email.

~~~
ScottWhigham
I think your experience is the ideal, however I see sometimes 1-2 _days_
before I've gotten the confirmation emails. Probably once every few months
I'll sign up for something that offers a confirmation email and then - nothing
happens for 5, 10, 30, 45 minutes. Frustrating.

------
neatoincognito
_Perhaps I’ve missed some obvious reason why the industry still does this._

It's called double opt-in. It proves you're giving consent to be a member.

------
slewis
Apple id seems to implement the proposed solution. They send a verification
email but you don't actually have to click the link, you can just ignore it
and your account works.

This can turn out bad though. I thought I had an apple-id when buying
something on the apple site recently. But my standard passwords didn't work so
I reset the password (via an email sent to my personal email address from the
password reset sequence). When I logged in I found that my email address was
actually registered to someone else, and I had their name, full address, phone
number and credit card number but with the first 12 digits X'd out.

The person has a similar name to mine, and my email address is my initials and
last name, so I believe they just made a typo in the email address when they
signed up. But it seems pretty bad that you can do that without verification
when doing so can give someone your personal information.

A motivated scammer could register a bunch of typoed email addresses and try
resetting apple-id passwords. Then you have a 1 in 333 chance of buying stuff
with their credit card because you have to guess the security code (I'm
guessing you get 3 chances but you might get more).

------
birken
Strongly disagree. All of the identity issues aside, ensuring deliverability
is another key issue. Some email providers can be very aggressive when it
comes to marking emails from new services as spam. Getting a user to pick a
confirmation email out of their spam folder and click "Not Spam" is the most
important action that user can do as part of the signup process, otherwise you
will never reach that person's inbox again.

~~~
sixtofour
Yes, and besides aggressive spam filtering, it's just a good way to confirm a
usable communication channel before you need to use that channel.

------
jdburdette
"When I’m checking my email, the last thing I want to do is context switch
back to the app."

Because it's really that hard to Ctrl+click a link in an email, archive it,
and move on to the next email?

------
Blend
In short, we can summarize the reasons why e-mail confirmation is necessary:

1. It's required by law in many places. That's why newsletter/auto-responder
services use double opt-in.

2. If someone or something does sign-up on your behalf, why should you have
to specifically opt out? So, it's always better to have someone confirm their
e-mail, instead of having random users having to "opt out" of services they
never signed up for.

3. Many a time, if it's some random site, the activation e-mail can go
directly into your SPAM box. If an "opt out" type e-mail ends up in your SPAM
box, then you probably won't see it, and it can potentially cause more damage.

4. For features like password reminder, it is always better, security-wise,
to send the reset link to an e-mail you know for sure belongs to the account
holder. If you mistyped your e-mail, and never received the confirmation,
you'd try creating an account again. However, if the account was activated by
default, and you started using it right away, then you'd have all your e-mails
going to someone else.

There might be more reasons...

I don't see how e-mail confirmation can be counted as "wasted seconds." It is
to protect you. It's like taking a backup of your website. Many of them don't
do it, because the few minutes it takes doesn't sound worthwhile. However, if
the server crashes and your data is lost, only then you realize that those few
minutes could have saved months of efforts.
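
An added example (not part of the thread and not any commenter's or site's code) of the opt-in flow argued for above: an account cannot log in or request a password reset until the emailed token is confirmed, an unconfirmed sign-up lapses without any action from the address owner, and the password is never stored or mailed in plaintext. The `Accounts` class, its method names and `TOKEN_TTL` are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class Accounts:
    """Hypothetical in-memory account store; every name here is illustrative."""

    def __init__(self, clock=time.time):
        self.users, self.clock = {}, clock

    def register(self, email, password):
        """Create a pending account; the returned token goes into the email link."""
        user = self.users.get(email)
        if user and user["verified"]:
            return None                      # never overwrite a confirmed account
        salt, token = secrets.token_bytes(16), secrets.token_urlsafe(32)
        self.users[email] = {
            "salt": salt,
            # Store a salted slow hash, never the password itself.
            "pw": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000),
            "verified": False,
            "token": _digest(token),         # only the hash of the token is kept
            "expires": self.clock() + TOKEN_TTL,
        }
        return token

    def confirm(self, email, token):
        """Opt-in step: succeeds once, only with the emailed token, before expiry."""
        user = self.users.get(email)
        if not user or user["verified"]:
            return False
        if self.clock() > user["expires"]:
            del self.users[email]            # lapsed sign-up: address owner did nothing
            return False
        if not hmac.compare_digest(user["token"], _digest(token)):
            return False
        user["verified"], user["token"] = True, None
        return True

    def login(self, email, password):
        user = self.users.get(email)
        if not user or not user["verified"]:
            return False                     # unconfirmed address cannot log in
        guess = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 600_000)
        return hmac.compare_digest(user["pw"], guess)

    def request_reset(self, email):
        """Return a single-use reset token, only for a confirmed address."""
        user = self.users.get(email)
        if not user or not user["verified"]:
            return None
        token = secrets.token_urlsafe(32)
        user["reset"], user["reset_expires"] = _digest(token), self.clock() + 3600
        return token
```
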

------
ScottWhigham
For all of you folks who say that confirmation emails are a bad idea, let's
talk about a service in which the user can download large files once they are
"confirmed". I'm thinking of a site like <http://www.shutterstock.com/>. They
offer two free downloads per week and those files can be up to 30MB each.

Let's say that Shutterstock wanted to expand - they want to allow new users to
download ANY two images they wanted for free.

Would you advise them to go with a confirmation-less email routine? If so, how
do you prevent bots from creating bogus signups and then (a) stealing your
images at will, (b) so that they can resell/rehost them in Russia/China and
make money/compete with you, and (c) clogging up all of your bandwidth?

For example, the bot signs up with 00001@gmail.com then downloads 60MB files
while another bot uses 0002@gmail.com then downloading 60MB in files, etc.

And please - no solutions that require manual intervention or cannot scale.

~~~
threedaymonk
Confirmation won't help here. In your hypothetical example, I set up a mail
server at bulkdownloadrobot.biz and get my bot to use 00001@, 00002@ etc. The
bot follows the confirmation links before downloading 60MB for each account.

Now, you might detect that bulkdownloadrobot.biz is a bad domain and blacklist
it, but all I have to do is to register a new domain each time that happens.

So now you implement a heuristic that detects patterns of signups from
domains. Now, I start buying Gmail accounts created by workers in a CAPTCHA-
solving sweatshop.

You've increased my costs slightly, but you haven't solved the problem.

------
prknight
They can't be avoided in most cases. Among a host of other reasons, there are
the opt-in laws in the US & EU <http://www.lsoft.com/resources/optinlaws.asp>

------
drdaeman
> In the edge case, where some unauthorized person has signed up using my
> email, then include some directions at the bottom of the email that instruct
> me how to deal with the abuse.

The same tactic (along with 1x1px images etc) was already used by spammers to
determine "alive" addresses, whose owners do read spam and do click on
provided links.

That's the reason I'd be very annoyed if I got such an email.

------
yaix
>> Perhaps I’ve missed some obvious reason why the industry still does this.

You have indeed. It is called "double opt-in" and legally required in many
jurisdictions, before a web site can send you regular automated emails.
Otherwise it might be considered Spam.

------
varjag
Let's assume someone signs you up for a dating site, creating your fake profile
there. And uses one of your less frequently used email addresses, which you
might be checking just a few times per year. Are you comfortable with a scenario
like that?

------
josephb
I'd much prefer sites to have the confirmation requirement.

Personally with a fairly generic gmail address I see way too many random
unasked-for messages with no opt-in confirmation.

And 10 lines of Perl? Lousy coder :P

------
njharman
A site needs to know email is valid before allowing it to be used to log in.
In OP's world malicious attacker can do whatever between time they register
and time (if ever) email's owner clicks the "wtf, not me" link.

------
benjoffe
So the overwhelming attitude here is that the advice in the link is bad, so
why does it still have 32 points and waste my time by being on the front page?
Please down vote articles like this.

~~~
ErikD
It probably has that many points because there are some interesting
discussions going on in the comments.

------
EGreg
We have a better way of signing up on qbix.com

Try it :) The email is used to set up your password, but you are able to use
the app the first time without it! That way you will likely visit the app
again when you check your email.

~~~
prknight
Doesn't that make it even easier for malicious users/bots to cause problems?
How does qbix.com strategise against that?

