4

I have an app, and when users first log in, I send a classic confirmation email. When users need to reinstall the app, sometimes users send messages to our support saying: "I don't remember the email used to register my account, how can I have the verification code?"

This is pretty annoying, so I thought about sending to users a message like 'we sent a verification code to a***@gmail.com' but I'm getting worried about security issues and data protection policies. What do you think? Could this be a security problem? Do you know a better way?

schroeder
  • So how do they even log in? How do you know which account is theirs? I would expect they need to enter email to log in. – Peter Harmann May 02 '18 at 15:10
  • If this is a mobile app, all the popular mobile platforms (Android, iOS) have sign in mechanisms using Google Account or Apple ID, which would remove the question of which email address to use or the need for (user-visible) verification code. As long as the user is signed in to the phone using the same account, they access the same account on your app. – Lie Ryan Aug 01 '18 at 02:06

3 Answers

2

Reinstalling shouldn't need a verification code, if they have their name and password to log in. Reinstall on fresh device, log in, there is your account.

Password reset, on the other hand, implies they have lost/forgotten password, but still know their username. If their username was their email, then they know which email they've signed up with.

So I have to assume they gave you an email address when they signed up, but don't use that to login, they use some sort of other username.

If they don't know the email address, and they don't know the password, they need to provide some form of proof of ownership/control over the account.

Not knowing what your app specifically does, I can't suggest anything, other than, would support have access to anything only the account owner would know (e.g. value of last bank balance)?

Yes, that's what the email address was supposed to have been, but perhaps you could use something else for verification?

JesseM
  • They may use as the login an email address that they no longer use... In that case they would know the email but have no way to read it. – Serge Ballesta Aug 01 '18 at 09:08

0

During registration, you can send an email to the user containing their account details. Tell the user to keep the email "for your record". In this email, you may want to include searchable keywords that are not likely found in any other emails from you. This email shouldn't contain any sensitive credentials (e.g. passwords, one-time tokens). Most email providers nowadays come with sufficient mailbox size so that most users never really need to delete any emails.

If a user forgets which of their email accounts they used to register, you can tell them to search their mailboxes for your registration email.

Lie Ryan
0

IMHO there is nothing wrong here. You need to keep the mail address that was used for registration, because it is used for every access. Just saying

we sent a verification code to a***@gmail.com

even with the full mail address does not seem wrong either. An email address is indeed personal and rather sensitive information, so you should not leave it in a public place, but sending it in a point-to-point communication to the presumed owner is not a fault. An attacker should still be able to read the mail, and the user (not you) is responsible for securing it.

It should simply be noted in the conditions of usage that you can send such an email if the user cannot remember it. IANAL, but I always prefer to warn about possible sending of sensitive information.

Serge Ballesta
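
An added example, not part of the question or of any answer above: one way to build the "a***@gmail.com" hint so that it reveals no more than that form suggests. The function names and the masking policy (one visible character, a fixed three-asterisk mask, domain kept) are assumptions of this example.

```python
import re

# Constructed policy for this example: show one leading character of the
# local part, always mask with exactly three asterisks, keep the domain.
# A fixed-width mask avoids disclosing the length of the local part.
MASK = "***"

# Deliberately loose shape check: exactly one "@", a dot in the domain.
_ADDR = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def mask_email(address: str) -> str:
    """Return a hint such as a***@gmail.com for a stored address."""
    address = address.strip()
    if not _ADDR.match(address):
        raise ValueError("not a plausible email address")
    local, domain = address.rsplit("@", 1)
    # A one-character local part would be shown whole by
    # "first character + mask", so nothing of it is shown.
    shown = local[0] if len(local) > 1 else ""
    return f"{shown}{MASK}@{domain.lower()}"


def confirmation_notice(address: str) -> str:
    """Build the on-screen message quoted in the question."""
    return f"We sent a verification code to {mask_email(address)}"


if __name__ == "__main__":
    # Constructed sample addresses, not real accounts.
    for sample in ("alice@gmail.com", "x@example.org",
                   "bartholomew.jones@Example.org"):
        print(confirmation_notice(sample))
```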