To those of you that work on websites that require users to click a link in an e-mail to validate their accounts: what percentage of users complete the activation process?
We don't do that. It's just another barrier to entry. Hopefully you do it because it's necessary for the product and not because you want to have a validated e-mail.
Consider someone signing up with my email address: foo@bar.com. Now I'm not going to be able to use that email address, because it is already taken. Worse, if messages are sent to that account, such as invitations, the attacker can accept them, since they typically see the invitations on the site in addition to them being sent to the email address.
As the legit user, I might see the invites, but won't be able to log in at all. Worse things can happen: once the attacker signs up, they could make this email address secondary and add another, primary address so that they see all of the messages.
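One way to close the gap described in the comment above, shown as an added example that is not part of the original thread: an unverified sign-up neither reserves the address nor sees invitations sent to it. The `Accounts` class, its method names and the in-memory storage are assumptions made for illustration.

```python
import secrets


class Accounts:
    """In-memory account store, constructed for illustration only."""

    def __init__(self):
        self.verified = {}  # email -> account id; only proven addresses are reserved
        self.pending = {}   # token -> (account id, email); claims awaiting the e-mail click
        self.invites = {}   # email -> invitation messages
        self._next_id = 1

    @staticmethod
    def _norm(email):
        # Simplification: treat the whole address as case-insensitive.
        return email.strip().lower()

    def sign_up(self, email):
        email = self._norm(email)
        if email in self.verified:
            raise ValueError("address already verified by another account")
        account_id, self._next_id = self._next_id, self._next_id + 1
        token = secrets.token_urlsafe(32)  # sent only to the mailbox, never shown on-site
        self.pending[token] = (account_id, email)
        return account_id, token

    def confirm(self, token):
        account_id, email = self.pending.pop(token)  # KeyError on unknown or revoked token
        if email in self.verified:
            raise ValueError("address already verified by another account")
        self.verified[email] = account_id
        # Revoke every other outstanding claim on the same address.
        self.pending = {t: c for t, c in self.pending.items() if c[1] != email}
        return account_id

    def invite(self, email, message):
        self.invites.setdefault(self._norm(email), []).append(message)

    def inbox(self, account_id):
        # Invitations appear on-site only for the account that proved ownership.
        return [m for e, msgs in self.invites.items()
                if self.verified.get(e) == account_id for m in msgs]
```

Because the address is claimed only at `confirm`, someone who signs up first with another person's address cannot lock the real owner out or read their invitations.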
Well, you could do an opt-out service -- send an e-mail that says "click here if this isn't you".
Or use something like a simple screenname for authentication (e.g. the e-mail is just for lost passwords, so if they don't provide a valid e-mail, it's their loss).
Or use something like OpenID or Passport (the identity provider might need to validate an e-mail address but you don't have to).
Or build a site that needs no authentication to begin with -- e.g. a search engine.
I don't have an answer (since my site isn't active yet) but I have another question: what percentage of users that don't validate their accounts actually entered their personal email address?
confirmed emails: 28800
total unique people as determined by cookies/ip addresses: 28900
System lets people use the site for 10 minutes after they sign in before they are forced to confirm their email if they have not done so already.