<i>Perhaps I’ve missed some obvious reason why the industry still does this.</i><p>Because if you get a random email from some site you've never signed up for, there are two possible scenarios that you cannot distinguish between:<p>1) Somebody has maliciously signed you up to a legitimate site.
2) A malicious site is trying to get you to click a random link.<p>This proposal suffers from a common flaw, in which people assume they can change just one thing and have everything else in the world stay the same. Systems don't work like that.
I just want to attach an anecdote here and explain why I prefer confirmation emails.<p>One day, somewhere in the last couple months, I checked my email box and saw a message from some craft site. It was informing me that my paid subscription was activated and that I was entitled to X, Y, and Z services. I ignored it. I received another related email the next day. I ignored that, too. When I received a third with another advertisement, I realized this was legitimate and that someone had accidentally used my email address! My inclination was to find someone in control of the site and let them know the mistake so that the original person could see their offers and track their subscription. I headed to the website and noticed the login form on the first page.<p>Curiosity struck me. Was this one of those sites that people make fun of online with bad security? I clicked the link saying I forgot my password. They asked not for my username but for my email address. So I entered that. Next thing I know, my Inbox has an email from the craft site <i>with the registered user's plaintext password</i>!<p>Uh oh. Is this for real? What if I was a malicious user? I had to see how bad this situation really was. I logged into the user's account. I was able to find their home address and phone number, but thankfully (dear Lord, thankfully), the website made no mention of credit card numbers. I did not look to see if I could order more service; at that point and in my shock over the situation, I felt I was deep into some weird grey area and was way past my welcome. I logged out, found an online contact form, and explained the situation as well as how they could improve their system to avoid harm to their users.<p>The security mistakes in this situation were compounded.<p>(1) Email alerts went to the wrong person. If you verify the email, the right people get the messages. If you do not verify the email, the wrong person can mark your site as spam or take advantage of the situation.<p>(2) The site stored plaintext passwords. This was a craft site... By the name of the victim and other factors, I realized that this was some old lady who has faith in the trustworthiness of the Internet and probably, like most typical people, uses the same password for multiple sites. And this site happily handed it over to a stranger. That, my friends, is scary.<p>People make honest mistakes. If the email address is important for account management, <i>send a verification email</i>. And give the user an opportunity to fix the problem in the event that that verification fails in some way.
This article misses a key point. If you want to confirm that the person who opted into your service is who they say they are. Otherwise, you're looking forward to abuse complaints from email recipients, and it only takes a few of those to suspend your Mailchimp (or whatever delivery service) account. You can also add non-compliance with spam, privacy and other laws to the list of fun things that could happen if you take this article's advice.
The article assumes that people are happy to click on a link within an email from an unrecognised source, in order to cancel a fake member account. This rings all sorts of alarm bells, I would never do that.<p>If I got an email like that, I would click the spam button and the server would probably face regular spam blacklist issues from big providers.
I'm more annoyed by having to pick a (unique) username. My name is too long and too common, all of the nice short versions are always already gone and why the hell am I so often not allowed to separate my first and (abbreviated) last name with a dot? Use my email address as the unique identifier and let me enter my first and last name or a nickname (which doesn't have to be unique), please.<p>Don't make me think. You should never ever have to show me the "This name is already in use." message. Your design shouldn't even need it. Not everyone has or would like to have an (as unique as possible) nickname on the web they would like to use.<p>(Unique) usernames are the one vestige of the old web I would like to get rid of post haste. Call me Michael. (I still positively remember signing up to Facebook because I didn't have to pick a username.)
"When I’m checking my email, the last thing I want to do is context switch back to the app."<p>Umm you are signing up for a service, when you click the "register" button, you are usually presented with a message "check your email for a confirmation link" so you go do that. Where is context switching here?<p>Most of the users don't signup for something and then forget about it until they, by accident, stumble upon the email when they check their inbox the next time. Or am I wrong?
<i>Perhaps I’ve missed some obvious reason why the industry still does this.</i><p>It's called double opt-in. It proves you're giving consent to be a member.
Apple id seems to implement the proposed solution. They send a verification email but you don't actually have to click the link, you can just ignore it and your account works.<p>This can turn out bad though. I thought I had an apple-id when buying something on the apple site recently. But my standard passwords didn't work so I reset the password (via an email sent to me personal email address from the password reset sequence). When I logged in I found that my email address was actually registered to someone else, and I had their name, full address, phone number and credit card number but with the first 12 digits X'd out.<p>The person has a similar name to mine, and my email address is my initials and last name, so I believe they just made a typo in the email address when they signed up. But it seems pretty bad that you can do that without verification when doing so can give someone your personal information.<p>A motivated scammer could register a bunch of typoed email addresses and try resetting apple-id passwords. Then you have a 1 in 333 chance of buying stuff with their credit card because you have to guess the security code (I'm guessing you get 3 chances but you might get more).
Strongly disagree. All of the identity issues aside, ensuring deliverability is another key issue. Some email providers can be very aggressive when it comes to marking emails from new services as spam. Getting a user to pick a confirmation email out of their spam folder and click "Not Spam" is the most important action that user can do as part of the signup process, otherwise you will never reach that person's inbox again.
"When I’m checking my email, the last thing I want to do is context switch back to the app."<p>Because it's really that hard to Ctrl+click a link in an email, archive it, and move on to the next email?
In short, we can summarize the reasons why e-mail confirmation is necessary:<p>1. It's required by law in many places. That's why newsletter/auto-responder services use double opt-in.<p>2. If someone or something does sign-up on your behalf, why should you have to specifically opt out? So, it's always better to have someone confirm their e-mail, instead of having random users having to "opt out" of services they never signed up for.<p>3. Many a times, if it's some random site, the activation e-mail can go directly into your SPAM box. If an "opt out" type e-mail ends up in your SPAM box, then you probably won't see it, and it can potentially cause more damage.<p>4. For features like password reminder, it is always better, security-wise, to send the reset link to an e-mail you know for sure belongs to the account holder. If you mistyped your e-mail, and never received the conformation, you'd try creating an account again. However, if the account was activated by default, and you started using it right away, then you'd have all your e-mails going to someone else.<p>There might be more reasons...<p>I don't see how e-mail confirmation can be counted as "wasted seconds." It is to protect you. It's like taking a backup of your website. Many of them don't do it, because the few minutes it takes doesn't sound worthwhile. However, if the server crashes and your data is lost, only then you realize that those few minutes could have saved months of efforts.
For all of you folks who say that confirmation emails are a bad idea, let's talk about a service in which the user can download large files once they are "confirmed". I'm thinking of a site like <a href="http://www.shutterstock.com/" rel="nofollow">http://www.shutterstock.com/</a>. They offer two free downloads per week and those files can be up to 30MB each.<p>Let's say that Shutterstock wanted to expand - they want to allow new users to download ANY two images they wanted for free.<p>Would you advise them to go with a confirmation-less email routine? If so, how do you prevent bots from creating bogus signups and then (a) stealing your images at will, (b) so that they can resell/rehost them in Russia/China and make money/compete with you, and (c) clogging up all of your bandwidth?<p>For example, the bot signs up with 00001@gmail.com then downloads 60MB files while another bot uses 0002@gmail.com then downloading 60MB in files, etc.<p>And please - no solutions that require manual intervention or cannot scale.
They can't be avoided in most cases. Among a host of other reasons, there are the opt-in laws in the US & EU
<a href="http://www.lsoft.com/resources/optinlaws.asp" rel="nofollow">http://www.lsoft.com/resources/optinlaws.asp</a>
> In the edge case, where some unauthorized person has signed up using my email, then include some directions at the bottom of the email that instruct me how to deal with the abuse.<p>The same tactic (along with 1x1px images etc) was already used by spammers to determine "alive" addresses, whose owners do read spam and do click on provided links.<p>That's the reason I'd be very annoyed if I'll get such email.
>> Perhaps I’ve missed some obvious reason why the industry still does this.<p>You have indeed. It is called "double opt-in" and legally required in many jurisdictions, before a web site can send you regular automated emails. Otherwise it might be considered Spam.
Let assume someone signs you up for a dating site, creating your fake profile there. And uses some of your less frequent used email addresses, which you might be checking just a few times per year. Are you comfortable with scenario like that?
I'd much prefer sites to have the confirmation requirement.<p>Personally with a fairly generic gmail address I see way too many random un-asked for messages with no opt-in confirmation.<p>And 10 lines of Perl? Lousy coder :P
A site needs to know email is valid before allowing it to be used to log in. In OP's world malicious attacker can do whatever between time they register and time (if ever) email's owner clicks the "wtf, not me" link.
So the overwhelming attitude here is that the advice in the link is bad, so why does it still have 32 points and waste my time by being on the front page? Please down vote articles like this.
We have a better way of signing up on qbix.com<p>Try it :)
The email is used to set up your password, but you are able to use the app the first time without it! That way you will likely visit the app again when you check your email.