Ask HN: Are you requiring email verification during signup for your service?

27 points by throwawaygeorge ↗ HN
I’m a consultant/freelance developer, and a few large companies I do consulting for have recently switched to not requiring their users to verify their emails upon signing up for an account on their apps.

This has at least 2 issues that seem very problematic:

1. Since many companies use their “user base” as a means to calculate growth, not requiring email verification makes it much easier to fake this number.

2. Easily being able to cause spam for an email address that does not belong to the person who is signing up.

3. Advanced phishing methods

What have been your experiences around this?

16 comments

[ 7.2 ms ] story [ 436 ms ] thread
I personally do not require email validation to do anything. I want to reduce the amount of friction for a user to start using the product as much as possible.

If it's a product that requires an email for some reason, that might be a different story.

We did at first, but then removed it after realizing it was just another obstacle in the way that doesn't really do anything to remove spam or anything since anyone can make a new email account in mere seconds.
I think the spam concern is in the other direction:

If I sign you up with your email for a service that does not require verification. This is not only a problem for you, but also for the business if you click on the spam button.

I am not currently. I saw it as a pain when you're already signing up for a paid SaaS. I looked back at similarly structured products that I've used in the past (B2B SaaS) and couldn't think of one that had me confirm my email so I did the same.
You shouldn't do this UNTIL you need to.

You NEED to before allowing any operations that rely on this information being accurate. Let's say you are allowing users to chat with each other, or share information. In that case it is super helpful to verify the initiating user's email as proof of identity, so I can't just enter your email and phish someone...

How do you handle duplicate, non-verifiers email? Would you create two non-verified records?

If the first user created the record, but the second one legitimately owns it, then the second user will not be able to use their email address - that doesn't seem right to me

I would agree with this assessment, but also add confirmation before you were ever to dispatch any email sent to the address.

I work for an ISP/services company and we require confirmation for everything.

Personally though, I abhor companies that allow account creation without confirmation. I have a gmail address that is my id, minus the first r in it. Over the years, I've received oil change notifications from people's cars, trip/hotel/dinner reservations with click-through ability to alter without supplying anything, rental agreements, billing, dating profiles, etc. that I have total control over because people are idiots. There has to be some kind of railing in place to keep lemming from leaping off the precipice.

I started out requiring email verification. My userbase is a bit older and less tech savvy than your average saas. It was a nightmare.

People frequently type their email wrong, put @gmail when it's a Yahoo address, misspell their own name, forget that their are numbers on the end...

AOL and MSN addresses are nigh impossible to get a message through to. Messages don't even get marked as spam. They are silently discarded. (I use mailinator and my IP is clean). (With extreme accuracy, an aol or MSN email address indicates to us that the customer will require handholding to get started.)

People just don't understand or can't follow directions. Checking their email is too hard because they can't remember their password or it's only logged in on their computer at home.

On a separate note, you wouldn't believe how many people have an expensive iPhone and have literally never downloaded a single app. We did a conference where we helped people sign up and install our app. So many people had never had to enter their iCloud password for the app store since initially creating their account.

So I think it really depends on your target market. If you are targeting developers, then a good email verification system will cause almost no friction. If you are targeting an older crowd, good luck.

I think this boils down to, can your parents use it? My dad forgot his App Store credentials and never download an app. I couldn’t believe it!
We started by requiring email confirmation before allowing sign in but recently removed that requirement.

The initial friction and problems that arose from either the person not remembering its email access or not checking the spam or the email simply being dropped (hotmail inc) made us take that decision. For us the email is not very important, since we have other channels for communication with the user.

We will be adding an “annoying” banner reminding the user to confirm the email but the app/system is fully functional without it.

If you don't ask for email validation and you don't implement an API rate limiting many hackers can create a script that will fill your database with random generated users and you won't understand what happened.

This is a simple example that demonstrates why you should and must implement email verification.

More.. you should block the account when a user enters wrong password 5 times during a 2 minutes period for example (you can adjust these numbers). This is also a good security measurement.

Even more.. you shouldn't fake business numbers. Customers and investors will lose their trust in you.

That doesn't make sense. Even a non-verified user lives as a row in your database. Sure, you can delete them if they haven't verified their address after 24 hours, but that doesn't mitigate the problem of filling your database before that.
Are you following the Silicon Valley TV series? In the first episode of the last season they use a botnet network to hack a pizza application, they create a lot of users and generate thousands of orders. They manage to put the pizza company in bankruptcy.

That's just a TV show, but the example is so good.

I have two things in place:

  - recaptcha to avoid people creating spam accounts
  - email validation with a grace period of 3 days. 
This is a good balance so far.
Especially for brand-new products looking to make an initial impression, it's wise to allow signups without verification until your product gains some traction.

However, for the large companies you mentioned working for, I can't see any good reason to forego email verification.

(comment deleted)