You do not need email confirmation in your sign up flow (visible.vc)
24 points by uladzislau on May 25, 2017 | 22 comments


I think the title is a little misleading. They still require users to confirm their email, although they postpone that. From the title it sounds like they have a revolutionary solution to avoid this altogether, which they don't.

Besides the title, this might work for their specific case, but I don't see it working in general. From my experience, lots of emails are fake. Either gibberish, or not the user's. You need an actual email to send communications and somewhat reduce spam and abuse. Postponing confirmation doesn't help with that.

The author fails to even mention the actual solution to avoiding email confirmation and reducing onboarding steps: social login.

With social login, users start using the app immediately, and site owners have a validated email (and optionally a lot more). If your app is targeted to developers, use GitHub login. Otherwise Facebook, Google, Twitter or similar, and you'll have a 90% coverage. Some people are paranoid about giving access (although IMO it is safer), so also support signing up via email, but at that point it would be the "user's fault" if extra steps are required.


I'm the author of the article. I agree that looking at the title today, it is misleading. I wrote that as a case study of an experiment we did at Visible. I think it is important to keep that in mind, I do not pretend it is THE flow to use or that it makes sense for other websites. We were trying different things to reduce the friction when onboarding users.

I agree with social login, except that I personally traded the convenience for privacy. Most websites grab way too much data and as a result I rarely use social login. And in the realm of enterprise SaaS I think it is a fair concern to have; security is taken more seriously. That said, it doesn't mean that we could have implemented social logins without grabbing unnecessary data!


> I personally traded the convenience for privacy

You can choose what to do with the data. I assume you trust yourself to save only what you need (even just the social network ID if you really want to?)

> Security is taken more seriously

I trust Facebook to keep my password safe more than a random website I know little or nothing about (not yours, any website), if anything because Facebook has 100 times more resources than most other services. Also, most people use the same password for everything; the fewer places it's stored, the better.

:-)


> With social login, users start using the app immediately

Given that 99% of the time sites implement social logins as "let's automatically fill out your username and email address in the sign up form", that's far from true.


It comes off as lazy, but as long as they don't make me remember a password I don't mind confirming a few details.


99% seems excessive.

That hardly happens to me.


I mean yeah it's hyperbole but still, it seems like it happens on the vast majority of sites I try to do a social registration with.


Please add an "I did not sign up for this account" link to disavow account to email links.

There is someone who keeps using my email thinking it's theirs. I am tired of constant reminders to verify my email from noreply addresses, with no way to turn it off.


Same here, on a daily basis. Worse when my email is supplied by someone else to a party that does not confirm AND there is no way to unsubscribe (such as Best Buy's Geek Squad's email). My Gmail delete filter list is 50+ items now.


At least in the US, CAN-SPAM mandates that emails have an unsubscribe option - are you sure you didn't miss it?


Best Buy Geek Squad does NOT offer an unsub link. Believe it or not. Verified.


Apparently in the UK at least, there is potentially legislation on the horizon requiring email confirmation for account signups.

It dropped into our roadmap recently, will see if I can dig out some info in a bit.


Completely forgot to update this.

It's apparently to do with the EU General Data Protection Regulation (https://en.wikipedia.org/wiki/General_Data_Protection_Regula...) due to come into force in May 2018. I'd imagine this is specifically linked to the requirement for data-controllers to be able to prove consent.


Simplifying the experience is a great idea.

Just one thing... why not do everything as you suggest except send the Welcome/confirmation email straight away so they have a record and a link to confirm and set a password?

Then timeout the first session after 48 hours.


I think all users are now used to email confirmation. With mobile and notifications it's much easier to just click them once.

I'll be more irritated if it prompts me to go in my mailbox when I'm in the middle of something. I'll be like, 'you fool, why didn't you do this during signup itself.'

Think in terms of modes. Right now I'm in signup mode. Then I'm in 'Do work' mode. Don't make me go from 'Do work' mode to 'signup admin stuff' mode again.

Also now I expect each site to have an option for Google/Facebook logins. The only reason I still have my Facebook account active is that it makes one click login on most sites easier.


My email address is `first.l@gmail.com`, with my first name (common) and last initial. I receive a lot of erroneous signup emails. There's nothing wrong with sending a single email, so my usual course of action is to delete them. However, I expect sites to send no more than a single email to unverified addresses. If I receive subsequent messages from the same site, I mark them as spam. Gmail usually takes care of unsubscribing for me.


Slightly OT, but: would you pay for a "mail confirmation as a Service"? I'm building such a product, but I don't know if it makes sense, or how to market it.


Unsubscribe as a service maybe - something that knows if an email's unsub link is legit or if the mail should just be spammed

I sign up for an absolute shed-load of products and services, and I can't say I've ever wished the mail confirmation part could be automated. Every damn time I wish there was a way to easily unsubscribe from their mail list though.


So is resetting an account that used a wrong email a CFAA violation? Seems like it can be.

I think the better option if you aren't going to verify ownership of email addresses is to have a clear and simple way to detach an address from an account (if this makes the account useless, delete the account entirely).

I say this having been on the wrong side of trying to remove my address from all sorts of services.
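
The "I did not sign up" link asked for earlier in the thread and the detach-or-delete behaviour suggested in the comment above, sketched as an added example that is not part of the thread or of any site discussed in it. The HMAC token format, the seven-day lifetime, the in-memory store and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-deployment secret, constructed here
TOKEN_TTL = 7 * 24 * 3600          # assumption: link lifetime, not from the thread

# Constructed in-memory account store: account id -> record.
ACCOUNTS = {
    "acct-1": {"email": "first.l@example.com", "verified": False, "has_other_login": False},
    "acct-2": {"email": "first.l@example.com", "verified": False, "has_other_login": True},
}


def make_disavow_token(account_id, email, now=None):
    """Token to embed in every mail sent to an unverified address."""
    issued = int(now if now is not None else time.time())
    msg = f"{account_id}|{email.lower()}|{issued}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{account_id}.{issued}.{mac}"


def disavow(token, now=None):
    """Detach the address; delete the account if nothing else identifies it."""
    try:
        account_id, issued, mac = token.split(".")
        issued = int(issued)
    except ValueError:
        return "invalid"
    account = ACCOUNTS.get(account_id)
    if account is None or account["email"] is None:
        return "invalid"
    # The MAC is bound to the address currently on the account, so a token
    # stops working once that address has been changed or detached.
    msg = f"{account_id}|{account['email'].lower()}|{issued}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "invalid"
    current = now if now is not None else time.time()
    if current - issued > TOKEN_TTL:
        return "expired"
    if account["verified"]:
        return "refused"          # a verified owner uses account settings instead
    if account["has_other_login"]:
        account["email"] = None   # detach only; the account stays usable
        return "detached"
    del ACCOUNTS[account_id]      # the address was the only identifier
    return "deleted"
```

Because the link only ever acts on unverified addresses, the person clicking it needs no login, and the worst a forwarded or leaked link can do is remove an address nobody has proven they own.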


You do not need email confirmation in your sign up flow... but you will need email confirmation eventually, as the article says.

However, you may never need a password. Users can log in on other devices using another email confirmation link, or using log in with Google, GitHub, etc.


What if Elon signs up as elon@spacex.com. He then fills out a personal details form, which includes a phone number. If a 2nd user comes around and enters the same unconfirmed email within 48 hrs he'd get to see those personal details.

This surely only works in very specific situations...


If a second user enters the same unconfirmed email, presumably he would need to know the original password?



