13

Most popular applications nowadays require account activation by email. I've never done it with apps that I've developed so am I missing some crucial security feature?

By email activation I mean when you register to a site they send you an email that contains a link that you have to click before your account gets activated.

palto
  • Let's hope that [SQRL](https://www.grc.com/sqrl/sqrl.htm) will change this very annoying thing – sakisk Mar 17 '14 at 11:48
  • I've gotten multiple good answers on this. The problem is that maybe I asked the wrong way because I assumed it must be because of security. Confirmed Opt In thing is making sure that we don't send spam to people that don't want it. – palto Mar 17 '14 at 12:25
  • Then again confirmed opt in might be about security because without it a malicious user might register a number of bogus addresses. If you keep sending emails to those addresses you might end up in a spam list. – palto Mar 17 '14 at 12:27
  • This question appears to be off-topic because it is about information security. This question very likely already has similar questions and answers there. Possible duplicate: http://security.stackexchange.com/questions/13983/password-sent-via-email-upon-registration Thank you. – maple_shaft Mar 17 '14 at 12:47
  • They want to make sure you provide your actual email address, not a bogus one. – Andy Mar 16 '14 at 16:33

6 Answers

25

Activation confirms the email is yours. It's not so much about being bogus or non-existent as it is about being yours, and they need it for an alternative/plan-B way of authentication in the first place.

Nikolay Tsenkov
  • This is the most relevant answer concerning security. What if I register with YOUR email? However I think there might be other reasons involved, such as **resetting passwords**, sending important and/or personal info, promotion, etc. – Francisco Presencia Mar 16 '14 at 18:39
  • If you register with my email, I receive the confirmation request and that should make me suspicious. And of course, I need to be sure the email is correct to be able, for instance, to reset the password. – Andrea Girardi Mar 17 '14 at 11:41
  • +1 but "the email is yours" is not quite true. It only ensures that the one signing up has __access__ to the e-mail account. Nothing more. – Marjan Venema Mar 17 '14 at 12:40
9

Most web services want to be able to contact users, and use email for that. In particular, when the user forgets their password, the fact that they can read an email at the address the service has on file authenticates them as the legitimate user, who is allowed to reset the password. Email can also be a way to inform you of important updates (a.k.a. spam you).

In order for the service to validate the email, it must ensure that the user who is creating the account does have access to that email. This is both to protect the user against a typo in the email address, and to protect the site's ability to spam.

You don't have to require an email to subscribe to your service. However, when users forget their credentials, they'll be unhappy. Email password resets are the norm.

If the user chooses a disposable email address, it's a deliberate choice from them not to have exclusive control over the account. Some sites that want to spam try to reject such addresses, although it is of course futile (big sites like Gmail also let you create disposable addresses, after all).
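The answer above describes the mechanism behind the activation link (prove you can read mail at the address) and notes that password reset reuses the same proof. The following is an added worked example, not code from the original answer or from any site it mentions, showing how such a flow is usually built so that a leaked token table, a replayed link or a link used at the wrong endpoint do not help an attacker: the link carries a random token, only a hash of the token is stored, the token is single-use and expires, and the signup form returns the same message whether or not the address already exists (the existing owner is told by mail instead). The clock, the `https://example.test/` link base and the in-memory store are assumptions for illustration; a real application would persist accounts and tokens in a database, send real mail, and hash passwords with a proper KDF.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed policy for this example: a link is valid for one day and for one use.
TOKEN_TTL_SECONDS = 24 * 60 * 60


@dataclass
class Account:
    email: str
    password_hash: str   # assumed to come from a real password KDF; not shown here
    verified: bool = False


@dataclass
class PendingToken:
    email: str
    purpose: str         # "activate" or "reset"
    expires_at: float


class AccountStore:
    """In-memory stand-in for the user table, token table and outgoing mail queue."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised in a test
        self.accounts = {}      # normalized email -> Account
        self.tokens = {}        # sha256(token) -> PendingToken; the raw token is never stored
        self.outbox = []        # (recipient, body) pairs instead of a real SMTP send

    @staticmethod
    def _normalize(email):
        return email.strip().lower()

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, email, purpose):
        # Any earlier link for this address is invalidated; only the newest one works.
        self.tokens = {h: t for h, t in self.tokens.items() if t.email != email}
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.tokens[self._digest(token)] = PendingToken(
            email, purpose, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((email, f"https://example.test/{purpose}?token={token}"))

    def _consume(self, token, purpose):
        """Return the address a valid, unexpired token was issued to (and burn it), else None."""
        key = self._digest(token)
        pending = self.tokens.get(key)
        if pending is None or pending.purpose != purpose:
            return None                      # unknown token, or a link used at the wrong endpoint
        del self.tokens[key]                 # single use, even if it turns out to be expired
        if self.now() > pending.expires_at:
            return None
        return pending.email

    def register(self, email, password_hash):
        """Same response whether the address is new, pending or taken, so the form leaks nothing."""
        email = self._normalize(email)
        existing = self.accounts.get(email)
        if existing is None or not existing.verified:
            # Nobody has proven control of this address yet, so the latest registrant wins;
            # this stops a stranger from squatting on an address they cannot read.
            self.accounts[email] = Account(email, password_hash)
            self._issue(email, "activate")
        else:
            # The address already belongs to a verified account: tell its owner by mail only.
            self.outbox.append((email, "Someone tried to register with your address. "
                                       "If that was you, use the password reset link instead."))
        return "Check your email to continue."

    def activate(self, token):
        email = self._consume(token, "activate")
        if email is None:
            return False
        self.accounts[email].verified = True
        return True

    def request_reset(self, email):
        """Reset reuses the same proof of mailbox access that activation established."""
        email = self._normalize(email)
        account = self.accounts.get(email)
        if account is not None and account.verified:
            self._issue(email, "reset")
        return "If that address is registered, a reset link has been sent."

    def reset_password(self, token, new_password_hash):
        email = self._consume(token, "reset")
        if email is None:
            return False
        self.accounts[email].password_hash = new_password_hash
        return True

    def last_link(self, email):
        """Stands in for the user opening their mailbox and clicking the most recent link."""
        links = [body for to, body in self.outbox if to == email and "?token=" in body]
        return links[-1] if links else None
```

Storing only `sha256(token)` means a dump of the token table cannot be turned into working links, and looking the token up by its hash avoids any need for a constant-time string comparison. The "latest registrant wins while unverified" rule is what keeps someone from blocking an address they do not control, which is the practical answer to the comment thread's point that activation proves access to a mailbox, not ownership of it.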

7

Confirmed Opt-In could also be done to comply with anti-spam laws, which is another reason to send a link in the e-mail.

JB King
  • yup. Would be so easy for someone to sign up another person he has taken a dislike to for a few thousand mailing lists... – jwenting Mar 17 '14 at 09:11
1

Yes you are. By verification of the email address you are making sure that the account holder owns that address.

Later if someone else tries to sign up with the same address this won't be possible as you've already verified that the correct owner already has the account.

Basically it ensures people are who they say they are. If you had a social networking site where people could add contacts by email address, this will limit what a fraudulent user could do by using the address of another person.

  • "owns that address" It only ensures that the one signing up has __access__ to the e-mail account. Nothing more. – Marjan Venema Mar 17 '14 at 12:38
  • @MarjanVenema More technically: access to the HTTP stream that the email passes through or the storage where the email resides, but for most intents and purposes you are stopping someone else signing up using another's address. – SilverlightFox Mar 17 '14 at 13:16
  • Indeed, just don't count on the one using the e-mail address actually being the owner of that address. People share way too many things with their friends and families. When things go sour bogus accounts _are_ created using former friends'/partner's "credentials". – Marjan Venema Mar 17 '14 at 13:25
1

A few frequently used reasons are:

  • Making sure the email address is valid.
  • Making sure the user owns the email address.
  • Making sure the user WANTS to subscribe.
  • Making sure that future communication can process properly.
  • Giving the user a confirmation that he subscribed and a digital trail.
Nzall
  • is this only your personal opinion or you can back it up somehow? – gnat Mar 17 '14 at 11:05
  • I think my choice of words was a bit off. I didn't mean to give a ranking or state "these are always the most frequently used reasons", but more like a summary, indicating "These are frequent reasons for requiring activations, but not in any specific order or ranking." I've edited my post to clear this up. – Nzall Mar 17 '14 at 11:15
  • "Making sure the user owns the email address." It only ensures that the one signing up has __access__ to the e-mail account. Nothing more. – Marjan Venema Mar 17 '14 at 12:38
1

I think it depends on the possibilities that you give to your user. Can he or she send messages to other users and spam them with adverts? Can he or she post on your site and post viagra ads everywhere? Can he or she upload a lot of files and fill your precious server space? If any of the above, or anything else that could be used for spamming or trashing your server, exists, you want to make it as hard as possible for spammers to sign up to your site. And so e-mail authentication is another step that makes it hard for spammers to pretend to be a human.

To achieve this you should use email authentication with a form that is also hard for machines to fill out, using a captcha or other techniques, and you should also block trash mail services.

Christoph