Ask HN: Why don't email verifications ever let me DENY the verification?
They never ever seem to have a button that says "DENY VERIFICATION " or "Nope, that's not me"
Small shops I never heard of and big, international, well known businesses - they never have a "Do not approve / register / verify" button.
(Today I just got half a dozen emails from PayPal - apparently somebody is using my email address to register. Based on subsequent emails, even though this email was never verified, they continue to do their business and register. PayPal won't let me deny usage of my email, submit a ticket, or contact support for help without logging in, which obviously I cannot and do not want to do - I'm not to the one who got registered!).
So what is the point in email verification emails, if there's no way to deny it / indicate "Nope that's not me, don't do it"?
6 comments
[ 2.8 ms ] story [ 27.2 ms ] threadI suspect the reason for not having an explicit 'deny' button is based on cost-benefit analysis. The benefits might be limited to 1. Improved user satisfaction, and 2. Minimise the risk that a user might accidentally click the confirmation link. But I suspect these aren't enough to outweigh the extra (arguably unnecessary) effort of implementing it.
It does not seem to work in practice. I get a huge amount of daily email from various registered accounts with "unverified email". I assume somewhere on an ignored dashboard user sees a "unverified email" note, but it certainly does not, on average, stop the business from continued use of unverified email - and again, I've experienced this for small and large businesses alike.
It doesn't, though, because services often have a limited pending verification state, and no negative exit from that state. If it actually implied denial, then at some time in the pending state without confirmation, it would enter a failure state (which would probably curtail most access until a new email was provided.) Even then, it would be desirable to allow the actual mail account owner to trigger a fast-denial rather than relying on a implied denial by timeout.
I don't know if they have that on the initial signup and email verification though.