Perhaps I’ve missed some obvious reason why the industry still does this.
Because if you get a random email from some site you've never signed up for, there are two possible scenarios that you cannot distinguish between:
1) Somebody has maliciously signed you up to a legitimate site.
2) A malicious site is trying to get you to click a random link.
This proposal suffers from a common flaw, in which people assume they can change just one thing and have everything else in the world stay the same. Systems don't work like that.
The author addresses the first issue in the paragraph preceding the one you quoted.
As it currently stands, most 'confirmation e-mails' I get also provide an 'if this isn't you' section. All the author is arguing is that we can do away with the confirmation part and keep the 'if this isn't you' part for those edge cases where a person's email address has been used by someone other than said person.
That's already the case, isn't it? All emails contain the "if this isn't you part", so the case of the person who didn't request the email is unchanged.
Compounding this problem, conventional security wisdom is that you should never acknowledge unsolicited email, because the spammer might be using a fake unsubscribe link to confirm your email address is real. So a system that requires manual unsubscription this way will actually punish accidentally subscribed users for following good protocol.
Furthermore, if the "confirmation" email winds up in a spam filter and the user never sees it, subsequent emails will still go out and probably be auto-marked as spam.
This article misses a key point. If you want to confirm that the person who opted into your service is who they say they are. Otherwise, you're looking forward to abuse complaints from email recipients, and it only takes a few of those to suspend your Mailchimp (or whatever delivery service) account. You can also add non-compliance with spam, privacy and other laws to the list of fun things that could happen if you take this article's advice.
"In the edge case, where some unauthorized person has signed up using my email, then include some directions at the bottom of the email that instruct me how to deal with the abuse. And an extra benefit: If I have a good experience with your site reporting the abuse, I’ll be more interested to legitimately check out the site."
I'm not sure if I just don't understand what both of you are saying, but it seems he addressed this point towards the end of the post. I can't see how his solution ('click here if this isn't you') is any different than 'click here to confirm this is you' as far as potential abuse is concerned.
Because if you're the innocent target of a malicious sign-up then you shouldn't have to take any further action - particularly action that could expose you to further harm, such as clicking on a link randomly emailed to you from some site you've never heard of - to avoid having your email address associated with the account.
Edit: You also shouldn't have to be watching your email like a hawk 24/7 just in case somebody signs you up for something, so that you can stop them from impersonating you before they do any damage.
In short, it's the difference between opt-in and opt-out. Identity theft should almost never be opt-out.
More than that - a number of services (for example B2B SaaS) depend on knowing the email identity of their user. Are you John Jones <john.jones@goldmansachs.com>? Of course you are, you signed up with that email address and the system accepted you.
If a system like, say, Woobius, doesn't confirm emails, people will abuse this lack of feature.
Such a "not me" link only prevents abuse if the person receiving that email checks their email the instant it's sent and clicks the "not me" link instantly as well. Otherwise, someone could sign up for a site using a random person's email address and then do something malicious depending on the site/service... send emails/messages, post nasty forum messages, etc.
Granted, not all sites/services can be used for such maliciousness, but in those cases that the site can be used maliciously, a "not me" link is a corrective measure and not preventative measure.
If I get a strange Email I am going to assume it is spam, which means I report it as such and whomever send it will have trouble sending email to gmail users in the future.
Try it :)
The email is used to set up your password, but you are able to use the app the first time without it! That way you will likely visit the app again when you check your email.
I'm more annoyed by having to pick a (unique) username. My name is too long and too common, all of the nice short versions are always already gone and why the hell am I so often not allowed to separate my first and (abbreviated) last name with a dot? Use my email address as the unique identifier and let me enter my first and last name or a nickname (which doesn't have to be unique), please.
Don't make me think. You should never ever have to show me the "This name is already in use." message. Your design shouldn't even need it. Not everyone has or would like to have an (as unique as possible) nickname on the web they would like to use.
(Unique) usernames are the one vestige of the old web I would like to get rid of post haste. Call me Michael. (I still positively remember signing up to Facebook because I didn't have to pick a username.)
the easy solution to this is your email as a username/login. that way it's guaranteed unique. the only problem is multiple john smiths confusing people
Email addresses may be unique at one point of time, but assuming that they are unique identifiers for people is problematic because they can legitimately change hands. For instance, my work email address is <firstname>@<company>. I'm not the first <firstname> at <company> - the other one left before I joined, but two months after I took over the email address I'm still clearing up the accounts with services that made an identity assumption over email addresses.
Similarly, I'm still getting e-mails for [username]@[isp] because the username I chose has been used by several prior users, and just happened to be free at the moment I signed up.
Are you suggesting sites should allow duplicate usernames and allow you to log in with that username and one of the correct passwords associated with it?
The article assumes that people are happy to click on a link within an email from an unrecognised source, in order to cancel a fake member account. This rings all sorts of alarm bells, I would never do that.
If I got an email like that, I would click the spam button and the server would probably face regular spam blacklist issues from big providers.
This. Silence is not consent, and if you start mailing me regularly because I did not browse to some URL telling you not to, you are a spammer and I will treat you as such.
"When I’m checking my email, the last thing I want to do is context switch back to the app."
Umm you are signing up for a service, when you click the "register" button, you are usually presented with a message "check your email for a confirmation link" so you go do that. Where is context switching here?
Most of the users don't signup for something and then forget about it until they, by accident, stumble upon the email when they check their inbox the next time. Or am I wrong?
I agree. When I sign up for a service the confirmation email is generally already in my inbox by the time I switch tabs to gmail. Then the confirmation link takes me back to the site and logs me in, no hard work involved.
Also, I've never registered for a service and decided not to immediately check my email to activate my account when I'm prompted to. I can't recall a single time when I've come across a confirmation link while casually checking my email.
I think your experience is the ideal, however I see sometimes 1-2 days before I've gotten the confirmation emails. Probably once every few months I'll sign up for something that offers a confirmation email and then - nothing happens for 5, 10, 30, 45 minutes. Frustrating.
Strongly disagree. All of the identity issues aside, ensuring deliverability is another key issue. Some email providers can be very aggressive when it comes to marking emails from new services as spam. Getting a user to pick a confirmation email out of their spam folder and click "Not Spam" is the most important action that user can do as part of the signup process, otherwise you will never reach that person's inbox again.
A site needs to know email is valid before allowing it to be used to log in. In OP's world malicious attacker can do whatever between time they register and time (if ever) email's owner clicks the "wtf, not me" link.
I just want to attach an anecdote here and explain why I prefer confirmation emails.
One day, somewhere in the last couple months, I checked my email box and saw a message from some craft site. It was informing me that my paid subscription was activated and that I was entitled to X, Y, and Z services. I ignored it. I received another related email the next day. I ignored that, too. When I received a third with another advertisement, I realized this was legitimate and that someone had accidentally used my email address! My inclination was to find someone in control of the site and let them know the mistake so that the original person could see their offers and track their subscription. I headed to the website and noticed the login form on the first page.
Curiosity struck me. Was this one of those sites that people make fun of online with bad security? I clicked the link saying I forgot my password. They asked not for my username but for my email address. So I entered that. Next thing I know, my Inbox has an email from the craft site with the registered user's plaintext password!
Uh oh. Is this for real? What if I was a malicious user? I had to see how bad this situation really was. I logged into the user's account. I was able to find their home address and phone number, but thankfully (dear Lord, thankfully), the website made no mention of credit card numbers. I did not look to see if I could order more service; at that point and in my shock over the situation, I felt I was deep into some weird grey area and was way past my welcome. I logged out, found an online contact form, and explained the situation as well as how they could improve their system to avoid harm to their users.
The security mistakes in this situation were compounded.
(1) Email alerts went to the wrong person. If you verify the email, the right people get the messages. If you do not verify the email, the wrong person can mark your site as spam or take advantage of the situation.
(2) The site stored plaintext passwords. This was a craft site... By the name of the victim and other factors, I realized that this was some old lady who has faith in the trustworthiness of the Internet and probably, like most typical people, uses the same password for multiple sites. And this site happily handed it over to a stranger. That, my friends, is scary.
People make honest mistakes. If the email address is important for account management, send a verification email. And give the user an opportunity to fix the problem in the event that that verification fails in some way.
So the overwhelming attitude here is that the advice in the link is bad, so why does it still have 32 points and waste my time by being on the front page? Please down vote articles like this.
Apple id seems to implement the proposed solution. They send a verification email but you don't actually have to click the link, you can just ignore it and your account works.
This can turn out bad though. I thought I had an apple-id when buying something on the apple site recently. But my standard passwords didn't work so I reset the password (via an email sent to me personal email address from the password reset sequence). When I logged in I found that my email address was actually registered to someone else, and I had their name, full address, phone number and credit card number but with the first 12 digits X'd out.
The person has a similar name to mine, and my email address is my initials and last name, so I believe they just made a typo in the email address when they signed up. But it seems pretty bad that you can do that without verification when doing so can give someone your personal information.
A motivated scammer could register a bunch of typoed email addresses and try resetting apple-id passwords. Then you have a 1 in 333 chance of buying stuff with their credit card because you have to guess the security code (I'm guessing you get 3 chances but you might get more).
>> Perhaps I’ve missed some obvious reason why the industry still does this.
You have indeed. It is called "double opt-in" and legally required in many jurisdictions, before a web site can send you regular automated emails. Otherwise it might be considered Spam.
In short, we can summarize the reasons why e-mail confirmation is necessary:
1. It's required by law in many places. That's why newsletter/auto-responder services use double opt-in.
2. If someone or something does sign-up on your behalf, why should you have to specifically opt out? So, it's always better to have someone confirm their e-mail, instead of having random users having to "opt out" of services they never signed up for.
3. Many a times, if it's some random site, the activation e-mail can go directly into your SPAM box. If an "opt out" type e-mail ends up in your SPAM box, then you probably won't see it, and it can potentially cause more damage.
4. For features like password reminder, it is always better, security-wise, to send the reset link to an e-mail you know for sure belongs to the account holder. If you mistyped your e-mail, and never received the conformation, you'd try creating an account again. However, if the account was activated by default, and you started using it right away, then you'd have all your e-mails going to someone else.
There might be more reasons...
I don't see how e-mail confirmation can be counted as "wasted seconds." It is to protect you. It's like taking a backup of your website. Many of them don't do it, because the few minutes it takes doesn't sound worthwhile. However, if the server crashes and your data is lost, only then you realize that those few minutes could have saved months of efforts.
> In the edge case, where some unauthorized person has signed up using my email, then include some directions at the bottom of the email that instruct me how to deal with the abuse.
The same tactic (along with 1x1px images etc) was already used by spammers to determine "alive" addresses, whose owners do read spam and do click on provided links.
That's the reason I'd be very annoyed if I'll get such email.
Let assume someone signs you up for a dating site, creating your fake profile there. And uses some of your less frequent used email addresses, which you might be checking just a few times per year. Are you comfortable with scenario like that?
For all of you folks who say that confirmation emails are a bad idea, let's talk about a service in which the user can download large files once they are "confirmed". I'm thinking of a site like http://www.shutterstock.com/. They offer two free downloads per week and those files can be up to 30MB each.
Let's say that Shutterstock wanted to expand - they want to allow new users to download ANY two images they wanted for free.
Would you advise them to go with a confirmation-less email routine? If so, how do you prevent bots from creating bogus signups and then (a) stealing your images at will, (b) so that they can resell/rehost them in Russia/China and make money/compete with you, and (c) clogging up all of your bandwidth?
For example, the bot signs up with 00001@gmail.com then downloads 60MB files while another bot uses 0002@gmail.com then downloading 60MB in files, etc.
And please - no solutions that require manual intervention or cannot scale.
Confirmation won't help here. In your hypothetical example, I set up a mail server at bulkdownloadrobot.biz and get my bot to use 00001@, 00002@ etc. The bot follows the confirmation links before downloading 60MB for each account.
Now, you might detect that bulkdownloadrobot.biz is a bad domain and blacklist it, but all I have to do is to register a new domain each time that happens.
So now you implement a heuristic that detects patterns of signups from domains. Now, I start buying Gmail accounts created by workers in a CAPTCHA-solving sweatshop.
You've increased my costs slightly, but you haven't solved the problem.
49 comments
[ 3.2 ms ] story [ 114 ms ] threadBecause if you get a random email from some site you've never signed up for, there are two possible scenarios that you cannot distinguish between:
1) Somebody has maliciously signed you up to a legitimate site. 2) A malicious site is trying to get you to click a random link.
This proposal suffers from a common flaw, in which people assume they can change just one thing and have everything else in the world stay the same. Systems don't work like that.
As it currently stands, most 'confirmation e-mails' I get also provide an 'if this isn't you' section. All the author is arguing is that we can do away with the confirmation part and keep the 'if this isn't you' part for those edge cases where a person's email address has been used by someone other than said person.
Furthermore, if the "confirmation" email winds up in a spam filter and the user never sees it, subsequent emails will still go out and probably be auto-marked as spam.
I'm not sure if I just don't understand what both of you are saying, but it seems he addressed this point towards the end of the post. I can't see how his solution ('click here if this isn't you') is any different than 'click here to confirm this is you' as far as potential abuse is concerned.
Edit: You also shouldn't have to be watching your email like a hawk 24/7 just in case somebody signs you up for something, so that you can stop them from impersonating you before they do any damage.
In short, it's the difference between opt-in and opt-out. Identity theft should almost never be opt-out.
If a system like, say, Woobius, doesn't confirm emails, people will abuse this lack of feature.
Granted, not all sites/services can be used for such maliciousness, but in those cases that the site can be used maliciously, a "not me" link is a corrective measure and not preventative measure.
Edit: zb put it more eloquently than I did.
Try it :) The email is used to set up your password, but you are able to use the app the first time without it! That way you will likely visit the app again when you check your email.
Don't make me think. You should never ever have to show me the "This name is already in use." message. Your design shouldn't even need it. Not everyone has or would like to have an (as unique as possible) nickname on the web they would like to use.
(Unique) usernames are the one vestige of the old web I would like to get rid of post haste. Call me Michael. (I still positively remember signing up to Facebook because I didn't have to pick a username.)
Because it's really that hard to Ctrl+click a link in an email, archive it, and move on to the next email?
If I got an email like that, I would click the spam button and the server would probably face regular spam blacklist issues from big providers.
Umm you are signing up for a service, when you click the "register" button, you are usually presented with a message "check your email for a confirmation link" so you go do that. Where is context switching here?
Most of the users don't signup for something and then forget about it until they, by accident, stumble upon the email when they check their inbox the next time. Or am I wrong?
Also, I've never registered for a service and decided not to immediately check my email to activate my account when I'm prompted to. I can't recall a single time when I've come across a confirmation link while casually checking my email.
It's called double opt-in. It proves you're giving consent to be a member.
One day, somewhere in the last couple months, I checked my email box and saw a message from some craft site. It was informing me that my paid subscription was activated and that I was entitled to X, Y, and Z services. I ignored it. I received another related email the next day. I ignored that, too. When I received a third with another advertisement, I realized this was legitimate and that someone had accidentally used my email address! My inclination was to find someone in control of the site and let them know the mistake so that the original person could see their offers and track their subscription. I headed to the website and noticed the login form on the first page.
Curiosity struck me. Was this one of those sites that people make fun of online with bad security? I clicked the link saying I forgot my password. They asked not for my username but for my email address. So I entered that. Next thing I know, my Inbox has an email from the craft site with the registered user's plaintext password!
Uh oh. Is this for real? What if I was a malicious user? I had to see how bad this situation really was. I logged into the user's account. I was able to find their home address and phone number, but thankfully (dear Lord, thankfully), the website made no mention of credit card numbers. I did not look to see if I could order more service; at that point and in my shock over the situation, I felt I was deep into some weird grey area and was way past my welcome. I logged out, found an online contact form, and explained the situation as well as how they could improve their system to avoid harm to their users.
The security mistakes in this situation were compounded.
(1) Email alerts went to the wrong person. If you verify the email, the right people get the messages. If you do not verify the email, the wrong person can mark your site as spam or take advantage of the situation.
(2) The site stored plaintext passwords. This was a craft site... By the name of the victim and other factors, I realized that this was some old lady who has faith in the trustworthiness of the Internet and probably, like most typical people, uses the same password for multiple sites. And this site happily handed it over to a stranger. That, my friends, is scary.
People make honest mistakes. If the email address is important for account management, send a verification email. And give the user an opportunity to fix the problem in the event that that verification fails in some way.
Personally with a fairly generic gmail address I see way too many random un-asked for messages with no opt-in confirmation.
And 10 lines of Perl? Lousy coder :P
This can turn out bad though. I thought I had an apple-id when buying something on the apple site recently. But my standard passwords didn't work so I reset the password (via an email sent to me personal email address from the password reset sequence). When I logged in I found that my email address was actually registered to someone else, and I had their name, full address, phone number and credit card number but with the first 12 digits X'd out.
The person has a similar name to mine, and my email address is my initials and last name, so I believe they just made a typo in the email address when they signed up. But it seems pretty bad that you can do that without verification when doing so can give someone your personal information.
A motivated scammer could register a bunch of typoed email addresses and try resetting apple-id passwords. Then you have a 1 in 333 chance of buying stuff with their credit card because you have to guess the security code (I'm guessing you get 3 chances but you might get more).
You have indeed. It is called "double opt-in" and legally required in many jurisdictions, before a web site can send you regular automated emails. Otherwise it might be considered Spam.
1. It's required by law in many places. That's why newsletter/auto-responder services use double opt-in.
2. If someone or something does sign-up on your behalf, why should you have to specifically opt out? So, it's always better to have someone confirm their e-mail, instead of having random users having to "opt out" of services they never signed up for.
3. Many a times, if it's some random site, the activation e-mail can go directly into your SPAM box. If an "opt out" type e-mail ends up in your SPAM box, then you probably won't see it, and it can potentially cause more damage.
4. For features like password reminder, it is always better, security-wise, to send the reset link to an e-mail you know for sure belongs to the account holder. If you mistyped your e-mail, and never received the conformation, you'd try creating an account again. However, if the account was activated by default, and you started using it right away, then you'd have all your e-mails going to someone else.
There might be more reasons...
I don't see how e-mail confirmation can be counted as "wasted seconds." It is to protect you. It's like taking a backup of your website. Many of them don't do it, because the few minutes it takes doesn't sound worthwhile. However, if the server crashes and your data is lost, only then you realize that those few minutes could have saved months of efforts.
The same tactic (along with 1x1px images etc) was already used by spammers to determine "alive" addresses, whose owners do read spam and do click on provided links.
That's the reason I'd be very annoyed if I'll get such email.
Let's say that Shutterstock wanted to expand - they want to allow new users to download ANY two images they wanted for free.
Would you advise them to go with a confirmation-less email routine? If so, how do you prevent bots from creating bogus signups and then (a) stealing your images at will, (b) so that they can resell/rehost them in Russia/China and make money/compete with you, and (c) clogging up all of your bandwidth?
For example, the bot signs up with 00001@gmail.com then downloads 60MB files while another bot uses 0002@gmail.com then downloading 60MB in files, etc.
And please - no solutions that require manual intervention or cannot scale.
Now, you might detect that bulkdownloadrobot.biz is a bad domain and blacklist it, but all I have to do is to register a new domain each time that happens.
So now you implement a heuristic that detects patterns of signups from domains. Now, I start buying Gmail accounts created by workers in a CAPTCHA-solving sweatshop.
You've increased my costs slightly, but you haven't solved the problem.