20

I'm working on a site which allows users to sign up for a service. They choose a username/password, enter their personal details, etc., and proceed into the site, their details being stored for future visits.

Currently, we don't ask for confirmation of the user's email address like most websites do.

The main function of the site is to process payment information for the service being offered but the client will likely want to expand the functionality of the site in the near future.

So my question is, should I be implementing an email confirmation system for new users and what are the risks to the site if I don't?

Andrei Botalov
bobble14988
  • 6
    In addition to the answers provided, it's also handy as it stops users impersonating others to a degree (prevents them using someone else's email address) – fin1te Aug 15 '12 at 17:57
  • 4
    This has more to do with trying to prove an actual human signed up instead of a web crawler. While it can be trivial to parse an email for links, bobince makes it sound a great deal easier than it actually is, depending on how complicated the formatting within the actual email is. – Ramhound Aug 16 '12 at 11:37

6 Answers

19

You will want to be sure that a user's e-mail address is correct if you intend to send mail to it that is either:

  • security-sensitive (e.g. forgotten password reset token), or
  • recurring/high-quantity, to avoid harassing some other person whose address has been entered.

This is typically more about weeding out incorrect addresses that have been entered by mistake than some malicious attack.

If you never intend to send mail to the address, you're only really using it as a fixed-format username and there is no particular need to validate it. But I would imagine that's an option you probably want to keep open.

E-mail validation is not about rate-limiting sign-ups. It's totally ineffective at this for anything but low-motivation/untargeted attacks, because there is no scarcity factor on e-mail addresses. It's trivial for an attacker to register some domains, use unlimited random e-mail addresses on them, and validate using an automated tool reading their inboxes.

bobince
  • Typically email resets come from pages where the user enters the email for which they need a reset. So if a user used a wrong email (maybe a typo) when signing up, they'd just get "No account for this email" on the password reset page, right? So where would the security risk be? – Garrett Dec 12 '20 at 21:30
  • @Garrett If a password reset page is developed securely, it should always reply with something like, "An email has been sent to this address. Please check your inbox for further instructions." Otherwise, it is possible to enumerate user accounts based on the form's response. This can also have privacy implications depending on the context. Troy Hunt has a good guide about this if you want further information: https://www.troyhunt.com/everything-you-ever-wanted-to-know/ – jsaigle Jul 09 '21 at 17:21
  • I can avoid confirming email address usage on the Reset Password page, but not sure how much good that does considering on the Signup page, I believe I have no choice but to confirm if the email is a user or not. – Garrett Jul 09 '21 at 19:39
  • [Here's](https://security.stackexchange.com/a/40695/137219) more on the topic of confirming emails. – Garrett Oct 22 '21 at 02:48
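The account-enumeration point raised in the comments above, as an added example that is not part of the original answer or comments: a reset handler that answers "No account for this email" beside one that always gives the same reply, plus a sign-up handler that applies the same idea by telling the existing owner by mail rather than telling the requester on screen. The user set, outbox, reply text and function names are all hypothetical.

```python
# Constructed in-memory stand-ins for a user table and an outgoing mail queue.
USERS = {"alice@example.com"}
OUTBOX = []  # (recipient, kind) pairs that a mailer would deliver

# Hypothetical wording; what matters is that it never varies.
GENERIC_REPLY = "Please check your inbox for further instructions."


def normalise(email):
    return email.strip().lower()


def leaky_password_reset(email):
    """Reply differs by account existence, so the form can be used as an oracle."""
    if normalise(email) in USERS:
        return "Reset link sent."
    return "No account for this email"


def request_password_reset(email):
    """Same reply either way; only a real account gets a reset mail."""
    email = normalise(email)
    if email in USERS:
        OUTBOX.append((email, "password-reset-link"))
    return GENERIC_REPLY


def sign_up(email):
    """Sign-up that does not reveal whether the address is already registered.

    This only works when sign-up is completed through a confirmation mail:
    the account is created after the link is followed, not here.
    """
    email = normalise(email)
    if email in USERS:
        # The real owner learns of the attempt; the requester learns nothing.
        OUTBOX.append((email, "already-registered-notice"))
    else:
        OUTBOX.append((email, "confirm-address-link"))
    return GENERIC_REPLY
```

Response timing should match as well, which is easier when mail is queued rather than sent inline.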
7

If you plan on sending email to that address then you need to verify to avoid being identified as a spammer.

If you ask the user to agree to a contract and you can't verify identity based on some other information like a CC#, then you need to verify. If not, then if you ever need to go to court for breach of contract, you have no evidence that the person you're suing was the one who used the service.

If you are legally required to limit access to your site (for example, to people of a certain age), then not taking common steps like verifying email could be used against you as evidence that you're not serious about filtering your clientele, even if you have other methods to filter.

Mike Samuel
4

You should implement e-mail confirmation for new users, if for nothing else than 'security theater': users expect verification once they sign up for a service using an e-mail as an identifier.

Taking your question in a vacuum without making further assumptions, the risk to your users, or really potential users, is relatively low. The risk to your infrastructure could be significant once your man-hours to fix and vet user IDs have surpassed the amount of time it would have taken to stand up a system to verify e-mail addresses.

M15K
2

Email confirmation will help you determine that the person who says their email is foo@bar.com actually has control of this email.

The benefits of forcing them to confirm their email are:

  • You verify that the email address exists and mails can be sent to it
  • You verify that they actually have access to the inbox

> should I be implementing an email confirmation system for new users and what are the risks to the site if I don't?

If you intend on sending mail for any reason, it's really a good idea to confirm the email address.

If you don't confirm the user's email then you risk:

  • sending email to somebody that doesn't want it
  • the email bouncing back because it doesn't exist
  • sending sensitive information to the wrong address (this could be intentional by the user, or they could have mistyped their email)
MarianD
Drew Khoury
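One way to check that a person controls the inbox they entered, as an added example that is not part of the original answer: the site mails a signed, expiring token to the address and treats the address as confirmed only when that token comes back intact. The secret key, the 24-hour lifetime, the token layout and the function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import time

# Assumption: a server-side secret loaded from configuration; constructed here.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TOKEN_LIFETIME = 24 * 3600  # assumed validity of a confirmation link, in seconds


def _sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def make_confirmation_token(email, now=None):
    """Token to mail to `email`; binds the address to a purpose and an expiry."""
    expires = int((time.time() if now is None else now) + TOKEN_LIFETIME)
    payload = f"confirm-email|{expires}|{email.strip().lower()}".encode()
    blob = payload + b"|" + base64.urlsafe_b64encode(_sign(payload))
    return base64.urlsafe_b64encode(blob).decode()


def verify_confirmation_token(token, now=None):
    """Return the confirmed address, or None if forged, altered or expired."""
    try:
        blob = base64.urlsafe_b64decode(token.encode())
        payload, sig_b64 = blob.rsplit(b"|", 1)
        sig = base64.urlsafe_b64decode(sig_b64)
        purpose, expires, email = payload.decode().split("|", 2)
        expires = int(expires)
    except ValueError:  # covers bad base64, bad UTF-8 and missing fields
        return None
    # Constant-time comparison of the signature before trusting any field.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    if purpose != "confirm-email":
        return None
    if (time.time() if now is None else now) > expires:
        return None
    return email
```

Because the token is only ever delivered by mail, presenting a valid one shows access to that inbox; a mistyped or borrowed address never produces a confirmed account.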
1

Because chances are you will attract spammers that create thousands of accounts an hour. With registering an email address you reduce this number significantly.

Lucas Kauffman
0

In addition to what others have said, there might be an opportunity for phishing depending on the features of the web app.

For example, if the website <domain>.com allows me to register myself using the email admin@<domain>.com without requiring any proof that I own that email, I may be able to trick other users into divulging sensitive information to me. This could happen in the context of a messaging feature where users are identified to each other using email addresses only.

jsaigle