Adding friction to user registration should be done with caution. Forcing users to go through your registration form <i>and then</i> refusing access to the site until they click on an activation link <i>and then</i> enter their registration information again is so much friction, it's going to drive users away and will frustrate those who do push through it... and it's completely unnecessary.<p>The problem this idea proposes to solve is an edge case, and there are better solutions. For example, after registering an account a user can be immediately logged in with a banner displayed at the top until their account has been validated via email, with the option to change their email address if they entered it incorrectly on registration. There's no additional friction, and the minority of users who do make a mistake with their email are covered.
Most people will not encounter this problem.<p>- websites that use a username as the primary identifier will make it clear that the email address has not yet been verified. They will nag the user to confirm the email address, or at least prominently indicate that the email is not yet verified. It will be difficult for the user to not notice an unverified email address.<p>- most websites use the email address as the identifier. If the user used the wrong email address to create the account, they will not be able to subsequently log in.<p>- some websites require you to verify the email address before you create the account, even though they ask for all the information on a single signup form.
I ran into exactly this problem about two years ago with Google Apps for Work. I mistyped my email address, but was able to finish registration and start using it. When I noticed my error, there was no way to change the account's email address without confirming that through the original one, which I obviously couldn't. I had no other choice than letting go of the account.<p>It's quite silly because you'd think for a big platform like this, they would have thought about such a case, but they obviously didn't.
There's one major problem with this idea from the user's point of view:<p>when you have just an "enter your email" field and nothing more, you already gave someone an email and got nothing in exchange yet, then at the next step, you click the link, and they ask you about 100 mandatory things to finish registration, asking about everything including your shoe size. Then you might not want to register to this kind of site out of principle, and also cannot unregister anymore usually.<p>(To be fair, sometimes pages have multi-step registration and do the same, asking a few innocuous things first, and more privacy-invading things later. I hate that.)
A much easier, and already widespread, way to prevent the problem described in the post is to use the email address as the login username. It is highly unlikely that the same person will mistype the same email address every time he tries to log in, so the mistake will be caught very quickly even if someone else clicked the confirmation link.<p>If a person enters the wrong email address at signup, no damage is done. He can just sign up again with the correct email address. The account with the incorrect email address will either remain unconfirmed and be deleted at some point, or belong to someone else. Doesn't matter, it's an empty account. You should prune unconfirmed, empty accounts periodically anyway.<p>If you really want users to have a separate username, nickname, handle, or whatever, that's fine. But that should be separate from the login, especially if it's going to be visible to other users.
I wish this was the only problem with signing up to services, because it can be solved with formfills, verifying your email upon entering it, etc, etc.<p>As someone who got their last name at gmail in 2004, I've gotten a lot of emails for other people over the years, and A LOT of services don't require verifying your email for signing up.<p>I've gotten a Twitter, Instagram and Fiverr account without signing up (on top of probably hundreds of smaller services, golf clubs, local news, charities, etc), and definitely without ever clicking a link in an activation email I didn't sign up for. The latter of which I can't delete, nor change my username, effectively burning that email address for that service.<p>I'm sure those named services have since fixed that, but that it was ever an issue in the last 15 years baffles me.<p>Nowadays I use my own domains for email, so it matters less, but I wish even confirming emails at all for services was more enforced.<p>I'm sure this is all rooted in services wanting to grow their "user"base rather than have real users.
The article says the e-mail <i>was</i> confirmed, but by the wrong person:<p>> the person that actually owned the jon.smith@email.com was a kid that was curious and clicked the email from TheService asking him to verify his email address.<p>Unfortunately, most comments to this article miss this point and argue about unconfirmed addresses instead.
Slack offers an optional 'magic email link' sign-in for people that can't remember or don't want to look up their password.<p>I wonder if anyone has implemented a non-optional version of this on any decent scale? i.e. is anyone using passwordless 'email link'-only login?
better idea:<p>if user doesn't verify email within a few days, that email "expires" and is removed from the account. Add a message to nag the user to add a proper email to their account.<p>this removes the edge case mentioned in the article and reduces sign up friction.
A possible solution: a) Allow multiple registrations with the same email until a confirmation click happens and b) require a browser session or password to confirm.<p>Doesn't this solve the issue presented?
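A sketch of the scheme proposed in the last comment, added here as an example (not code from the thread or from any service it names): several pending signups may share an address, and confirming requires the emailed token plus the password chosen at signup. `SignupStore`, its methods, and the sample accounts are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SignupStore:
    """Hypothetical in-memory store; a real service would use its database."""

    def __init__(self):
        self.pending = {}    # sha256(token) -> pending registration
        self.confirmed = {}  # email -> username that proved control of it

    def register(self, username: str, email: str, password: str) -> str:
        # (a) No uniqueness check on email here: several pending signups
        # may name the same address until one of them is confirmed.
        salt = secrets.token_bytes(16)
        token = secrets.token_urlsafe(32)  # goes into the emailed link
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = {"username": username, "email": email.lower(),
                             "salt": salt, "pw": _kdf(password, salt)}
        return token

    def confirm(self, token: str, password: str) -> str:
        key = hashlib.sha256(token.encode()).hexdigest()
        rec = self.pending.get(key)
        if rec is None:
            return "invalid-token"
        # (b) Clicking the link is not enough: the clicker must also know
        # the password chosen at signup, so a mailbox owner who receives
        # someone else's mistyped signup cannot activate it.
        if not hmac.compare_digest(_kdf(password, rec["salt"]), rec["pw"]):
            return "bad-password"
        self.confirmed[rec["email"]] = rec["username"]
        # The address is now claimed; discard every other pending signup for it.
        self.pending = {k: r for k, r in self.pending.items()
                        if r["email"] != rec["email"]}
        return "confirmed"

def demo() -> list:
    store = SignupStore()
    # Constructed scenario: "typo_user" mistypes an address owned by "owner".
    stray = store.register("typo_user", "jon.smith@example.com", "pw-typo")
    own = store.register("owner", "jon.smith@example.com", "pw-owner")
    return [store.confirm(stray, "guess"),      # owner clicks the stray link
            store.confirm(own, "pw-owner"),     # owner confirms own signup
            store.confirm(stray, "pw-typo")]    # stray signup was pruned
```

The password check on `confirm` would need the same attempt limiting as a login form, since the token holder can otherwise guess repeatedly.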