I have a registration and login process which includes a one-time activation link sent via email when the user registers. When the user clicks the link the account gets activated.

Now what error message should/can I show to the user when he tries to log in with valid credentials but the account is not yet activated via this one-time link? Can I show him an informative message that he needs to activate his account via the link from the email? Or is this dangerous because it suggests that the credentials are valid?

  • 1
    I'm not sure how verifying that the credentials are valid is bad... You have the same problem with an activated account. If the credentials are valid, then the person can log in. – schroeder Dec 02 '20 at 11:12

1 Answer

1

Tell the user that the account is not active, he must click on the link received by email, or ask for a new link. I don't see anything wrong about informing him about the account status.

If a user is in possession of the login details of the account, it does not matter if he is the owner or not, he will be able to log in after the account is active, so changing the message here does little to increase security.

On a side note, you should delete accounts that still are not activated after two or three days. If the account is not activated after that, probably the user entered the wrong email, or doesn't intend to finish the creation. It can lead to confusion if your user list leaks and president@us.gov is one of your users.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142
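The flow the answer describes (one-time activation token, a login check that distinguishes bad credentials from an inactive account, and cleanup of accounts that never activate) as a self-contained Python example. This is added illustration, not code from the question or the answer; the in-memory `AccountService` class, its method names, the message strings and the three-day `ACTIVATION_TTL` are assumptions chosen for the example. Only a hash of the activation token is stored, so a leaked user table does not contain usable links, and the password check runs the same work whether or not the email exists.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Messages shown to the user. The "not activated" message is deliberately
# informative, as the answer recommends: the credentials were already correct.
MSG_BAD_CREDENTIALS = "Invalid email or password."
MSG_NOT_ACTIVATED = ("Your account is not active yet. Please click the link we "
                     "emailed you, or request a new activation link.")

# Assumed retention window for unactivated accounts (answer suggests two or three days).
ACTIVATION_TTL = 3 * 24 * 3600
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly; tune for production


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _hash_token(token: str) -> str:
    # Store only a digest of the one-time token; the plaintext goes out in the email.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    created_at: float
    activated: bool = False
    activation_token_hash: Optional[str] = None


class AccountService:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock (constructed for testing)
        self._users: dict = {}               # email -> User
        self._token_index: dict = {}         # token hash -> email

    def register(self, email: str, password: str) -> str:
        """Create an inactive account; return the one-time token to be emailed."""
        if email in self._users:
            raise ValueError("already registered")
        salt = secrets.token_bytes(16)
        user = User(email, salt, _hash_password(password, salt), self._now())
        self._users[email] = user
        return self._issue_token(user)

    def _issue_token(self, user: User) -> str:
        # Issuing a new token invalidates any earlier one for this user.
        if user.activation_token_hash:
            self._token_index.pop(user.activation_token_hash, None)
        token = secrets.token_urlsafe(32)
        user.activation_token_hash = _hash_token(token)
        self._token_index[user.activation_token_hash] = user.email
        return token

    def activate(self, token: str) -> bool:
        """Consume the one-time token; a second use fails."""
        email = self._token_index.pop(_hash_token(token), None)
        if email is None:
            return False
        user = self._users[email]
        user.activated = True
        user.activation_token_hash = None
        return True

    def login(self, email: str, password: str):
        """Return ("ok", None) on success, otherwise ("error", message)."""
        user = self._users.get(email)
        # Hash the password even for unknown emails so timing does not reveal
        # whether the account exists.
        salt = user.salt if user else b"\x00" * 16
        expected = user.pw_hash if user else b"\x00" * 32
        if not hmac.compare_digest(_hash_password(password, salt), expected) or user is None:
            return ("error", MSG_BAD_CREDENTIALS)
        if not user.activated:
            # Credentials are valid, so telling the user about the inactive
            # state reveals nothing they could not learn by logging in anyway.
            return ("error", MSG_NOT_ACTIVATED)
        return ("ok", None)

    def resend_activation(self, email: str) -> Optional[str]:
        """Issue a fresh token for an inactive account; None for any other case."""
        user = self._users.get(email)
        if user is None or user.activated:
            return None
        return self._issue_token(user)

    def purge_unactivated(self) -> list:
        """Delete accounts that never activated within ACTIVATION_TTL; return their emails."""
        cutoff = self._now() - ACTIVATION_TTL
        stale = [e for e, u in self._users.items() if not u.activated and u.created_at < cutoff]
        for e in stale:
            u = self._users.pop(e)
            self._token_index.pop(u.activation_token_hash, None)
        return stale
```

`purge_unactivated` is meant to run from a scheduled job; after it removes an account the email becomes free to register again, and a login attempt for it falls back to the generic bad-credentials message.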