Ask HN: Are you requiring email verification during signup for your service?
I’m a consultant/freelance developer, and a few large companies I do consulting for have recently switched to not requiring their users to verify their emails upon signing up for an account on their apps.
This has at least 2 issues that seem very problematic:
1. Since many companies use their “user base” as a means to calculate growth, not requiring email verification makes it much easier to fake this number.
2. Easily being able to cause spam for an email address that does not belong to the person who is signing up.
3. Advanced phishing methods
What have been your experiences around this?
16 comments
[ 7.2 ms ] story [ 436 ms ] threadIf it's a product that requires an email for some reason, that might be a different story.
If I sign you up with your email for a service that does not require verification. This is not only a problem for you, but also for the business if you click on the spam button.
You NEED to before allowing any operations that rely on this information being accurate. Let's say you are allowing users to chat with each other, or share information. In that case it is super helpful to verify the initiating user's email as proof of identity, so I can't just enter your email and phish someone...
If the first user created the record, but the second one legitimately owns it, then the second user will not be able to use their email address - that doesn't seem right to me
I work for an ISP/services company and we require confirmation for everything.
Personally though, I abhor companies that allow account creation without confirmation. I have a gmail address that is my id, minus the first r in it. Over the years, I've received oil change notifications from people's cars, trip/hotel/dinner reservations with click-through ability to alter without supplying anything, rental agreements, billing, dating profiles, etc. that I have total control over because people are idiots. There has to be some kind of railing in place to keep lemming from leaping off the precipice.
People frequently type their email wrong, put @gmail when it's a Yahoo address, misspell their own name, forget that their are numbers on the end...
AOL and MSN addresses are nigh impossible to get a message through to. Messages don't even get marked as spam. They are silently discarded. (I use mailinator and my IP is clean). (With extreme accuracy, an aol or MSN email address indicates to us that the customer will require handholding to get started.)
People just don't understand or can't follow directions. Checking their email is too hard because they can't remember their password or it's only logged in on their computer at home.
On a separate note, you wouldn't believe how many people have an expensive iPhone and have literally never downloaded a single app. We did a conference where we helped people sign up and install our app. So many people had never had to enter their iCloud password for the app store since initially creating their account.
So I think it really depends on your target market. If you are targeting developers, then a good email verification system will cause almost no friction. If you are targeting an older crowd, good luck.
The initial friction and problems that arose from either the person not remembering its email access or not checking the spam or the email simply being dropped (hotmail inc) made us take that decision. For us the email is not very important, since we have other channels for communication with the user.
We will be adding an “annoying” banner reminding the user to confirm the email but the app/system is fully functional without it.
This is a simple example that demonstrates why you should and must implement email verification.
More.. you should block the account when a user enters wrong password 5 times during a 2 minutes period for example (you can adjust these numbers). This is also a good security measurement.
Even more.. you shouldn't fake business numbers. Customers and investors will lose their trust in you.
That's just a TV show, but the example is so good.
However, for the large companies you mentioned working for, I can't see any good reason to forego email verification.