4

I do not want to discuss the pros and cons of email validation, but want to know if there are any potential downsides (security and otherwise) to a user entering his password only after he has already validated his email address (clicked the activation link)?

The flow would be:

  1. User enters email address.

  2. User validates email address through the activation link he received to his inbox.

  3. User enters password.

  4. User accesses the web app for the first time.

Hawkken
  • 41
  • 3
  • do you mean as part of a signup flow? so user enters an email address to register, you send a link to validate, then the user sets up their password? – Jay Nov 02 '15 at 08:38
  • @Jay exactly as you described :) – Hawkken Nov 02 '15 at 08:42
  • ok, are you going to allow the user to have access to the site before confirming their email and setting their password, or is that step mandatory? What happens if a user tries to log in without validating their email address? – Jay Nov 02 '15 at 08:48
  • @Jay User cannot access the site in any capacity without validating his email address. – Hawkken Nov 02 '15 at 08:53
  • 1
    I think you would get more users to sign up initially due to the ease of access, I can't see any security problems with the process you have proposed – Arlix Nov 02 '15 at 09:46

1 Answers1

3

From a security standpoint, I can't see any problem with this flow. It actually may be more secure than requesting user details and then verifying the email address. A user could enter an incorrect email address end end up giving access to their account to a random third party. In your scenario, there is no account to access.

You will have the possibility of someone enumerating existing users email addresses by repeatedly entering email address on the registration page and looking for error messages, but that would also be possible in a traditional 'email and password together' flow. Provided you put some sort of rate limit or captcha on that page, you should be fine.

You may loose a few user signups from this flow, there will always be users who never bother to complete the extra signup step. Depending on what service you are offering, this could be more or less likely.

Jay
  • 1,565
  • 1
  • 10
  • 12
  • That is good to hear :) It is true however there will be some drop off at the password entering step, but I think that I might get more users to initiate the signup process as it now starts with only one input field (the email address). Would you disagree with this assessment? – Hawkken Nov 02 '15 at 09:34
  • Yeah its possible, very much depends on what service you offer and how much the user wants access to it. You are right that you will likely get more users to enter an email address, but what percentage of those will click the link and continue is a bit harder to predict. – Jay Nov 02 '15 at 09:48
  • It will be good to redirect to normal login form and requesting to enter both username and password. – haseeb Nov 06 '15 at 14:41