
Ask HN: Are you requiring email verification during signup for your service? - throwawaygeorge
I’m a consultant/freelance developer, and a few large companies I do consulting for have recently switched to not requiring their users to verify their emails upon signing up for an account on their apps.

This has at least 2 issues that seem very problematic:

1. Since many companies use their “user base” as a means to calculate growth, not requiring email verification makes it much easier to fake this number.

2. Easily being able to cause spam for an email address that does not belong to the person who is signing up.

3. Advanced phishing methods

What have been your experiences around this?
======
jjeaff
I started out requiring email verification. My userbase is a bit older and
less tech savvy than your average SaaS. It was a nightmare.

People frequently type their email wrong, put @gmail when it's a Yahoo
address, misspell their own name, forget that there are numbers on the end...

AOL and MSN addresses are nigh impossible to get a message through to.
Messages don't even get marked as spam. They are silently discarded. (I use
mailinator and my IP is clean). (With extreme accuracy, an AOL or MSN email
address indicates to us that the customer will require handholding to get
started.)

People just don't understand or can't follow directions. Checking their email
is too hard because they can't remember their password or it's only logged in
on their computer at home.

On a separate note, you wouldn't believe how many people have an expensive
iPhone and have literally never downloaded a single app. We did a conference
where we helped people sign up and install our app. So many people had never
had to enter their iCloud password for the app store since initially creating
their account.

So I think it really depends on your target market. If you are targeting
developers, then a good email verification system will cause almost no
friction. If you are targeting an older crowd, good luck.

~~~
deepakhj
I think this boils down to, can your parents use it? My dad forgot his App
Store credentials and never downloaded an app. I couldn’t believe it!

------
rajvosa07
You shouldn't do this UNTIL you need to.

You NEED to before allowing any operations that rely on this information being
accurate. Let's say you are allowing users to chat with each other, or share
information. In that case it is super helpful to verify the initiating user's
email as proof of identity, so I can't just enter your email and phish
someone...

~~~
jrprince
I would agree with this assessment, but also add confirmation before you were
ever to dispatch any email sent to the address.

I work for an ISP/services company and we require confirmation for everything.

Personally though, I abhor companies that allow account creation without
confirmation. I have a gmail address that is my id, minus the first r in it.
Over the years, I've received oil change notifications from people's cars,
trip/hotel/dinner reservations with click-through ability to alter without
supplying anything, rental agreements, billing, dating profiles, etc. that I
have total control over because people are idiots. There has to be some kind
of railing in place to keep lemmings from leaping off the precipice.

------
raresp
If you don't ask for email validation and you don't implement API rate
limiting, many hackers can create a script that will fill your database with
randomly generated users and you won't understand what happened.

This is a simple example that demonstrates why you should and must implement
email verification.

More.. you should block the account when a user enters the wrong password 5
times during a 2-minute period, for example (you can adjust these numbers).
This is also a good security measure.

Even more.. you shouldn't fake business numbers. Customers and investors will
lose their trust in you.

~~~
niko001
That doesn't make sense. Even a non-verified user lives as a row in your
database. Sure, you can delete them if they haven't verified their address
after 24 hours, but that doesn't mitigate the problem of filling your database
before that.

~~~
raresp
Are you following the Silicon Valley TV series? In the first episode of the
last season they use a botnet network to hack a pizza application, they create
a lot of users and generate thousands of orders. They manage to put the pizza
company in bankruptcy.

That's just a TV show, but the example is so good.

------
lm2s
We started by requiring email confirmation before allowing sign in but
recently removed that requirement.

The initial friction and problems that arose from either the person not
remembering their email access or not checking the spam or the email simply
being dropped (hotmail inc) made us take that decision. For us the email is
not very important, since we have other channels for communication with the
user.

We will be adding an “annoying” banner reminding the user to confirm the email
but the app/system is fully functional without it.

------
cprk83
Especially for brand-new products looking to make an initial impression, it's
wise to allow signups without verification until your product gains some
traction.

However, for the large companies you mentioned working for, I can't see any
good reason to forego email verification.

------
k1ns
I am not currently. I saw it as a pain when you're already signing up for a
paid SaaS. I looked back at similarly structured products that I've used in
the past (B2B SaaS) and couldn't think of one that had me confirm my email so
I did the same.

------
Clubber
I personally do not require email validation to do anything. I want to reduce
the amount of friction for a user to start using the product as much as
possible.

If it's a product that requires an email for some reason, that might be a
different story.

------
Huhty
We did at first, but then removed it after realizing it was just another
obstacle in the way that doesn't really do anything to remove spam or anything
since anyone can make a new email account in mere seconds.

~~~
konschubert
I think the spam concern is in the other direction:

If I sign you up with your email for a service that does not require
verification, this is not only a problem for you, but also for the business if
you click on the spam button.

------
video-host
I have two things in place:

    
    
- recaptcha to avoid people creating spam accounts
- email validation with a grace period of 3 days.
    

This is a good balance so far.
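
An added example, not code from any commenter in this thread: a sketch of the middle ground several replies describe, where signup works immediately, the app stays usable for a 3-day grace period, and anything that depends on the address really belonging to the user waits for confirmation. The action names, the secret and the one-day link lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

SECRET = b"constructed-demo-key"      # assumption: server-side secret, kept in a secret store
GRACE_SECONDS = 3 * 24 * 3600         # the 3-day grace period mentioned in the thread
TOKEN_TTL = 24 * 3600                 # assumption: confirmation links expire after a day
# Hypothetical action names: these rely on the address belonging to the user.
NEEDS_VERIFIED = {"message_other_users", "send_notification_email"}


@dataclass
class User:
    user_id: int
    email: str
    created_at: float
    verified: bool = False


def make_token(user: User, now: float) -> str:
    """Sign user id, address and expiry so the link needs no database row."""
    expires = int(now) + TOKEN_TTL
    msg = f"{user.user_id}|{user.email.lower()}|{expires}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{sig}"


def confirm(user: User, token: str, now: float) -> bool:
    """Mark the user verified only if the token matches this address and is unexpired."""
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    msg = f"{user.user_id}|{user.email.lower()}|{expires}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if now > expires or not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    user.verified = True
    return True


def allowed(user: User, action: str, now: float) -> bool:
    """Gate per action: the confirmation mail is the only mail sent while unverified."""
    if user.verified or action == "send_confirmation_email":
        return True
    if action in NEEDS_VERIFIED:
        return False
    return now - user.created_at <= GRACE_SECONDS   # everything else: grace period
```

Because the address is part of the signed message, a token issued for a mistyped address cannot confirm the corrected one, and until confirmation the only mail the mistyped address receives is the confirmation link.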

