The most secure way to handle someone forgetting to verify their account?


Suppose we send out an email verification to new subscribers, where they have to click on a link to verify their account.

Suppose they forget to verify it, and later try to log in.

Should the error message say "Your user name or password is incorrect", instead of letting them know that they have forgotten to verify the account?

I assume this is the most secure way of handling it, because if we tell them that they have to verify the account, we are letting them know that an account with that user ID exists ...

Thoughts?

Perhaps the best way to handle it is to allow them to access the account, but not let them do anything in it until they are verified?










authentication password-cracking account-security oauth credentials






asked 8 hours ago









Ole

You have their email. You could email them again.

– Nic Hartley
8 hours ago





You have their email. You could email them again.

– Nic Hartley
8 hours ago










2 Answers
5














What I see most commonly is allowing the authentication and signing the user in, but locking meaningful features away until the email is verified. You should bubble up an error reminding the user to re-send an activation email if they try to access one of the restricted features.



It is poor design to ever lie to a user - if they submit the correct username and password, you should never show an error claiming that either is incorrect.






answered 8 hours ago by Buffalo5ix
  • I would put a full page nagging screen telling him to activate the account first and a button to confirm and re-send the activation email.

    – ThoriumBR
    8 hours ago


















1














I agree with Buffalo5ix, but email verification should not be considered a part of account security. Email verification:

  • proves ownership of the address, just so you know that the user has entered the correct address for you to send spam/password-recovery emails to.

  • serves as a very light deterrent against registering multiple fake accounts. It's pretty easy to automate the creation of email addresses (by using tempmail or hosting your own email server) and to automatically click the validation links, so a CAPTCHA would be a better system to protect against automated registration of fake accounts.

I can't see any security-related reason why you should lock unverified accounts in any way. I prefer a small banner at the top of the screen reminding me to verify my account and prompting me to re-send the verification email. Treating the user like a suspected criminal or nagging them right after they've registered just isn't polite; make them feel welcome.






edited 2 hours ago
answered 2 hours ago by Andrew Morozko
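The following is an added example, not code from the question or from either answer, of the flow both answers describe: a correct password always signs the user in, the session only records whether the email address is verified, and a gated feature rejects unverified sessions with a prompt to re-send the verification email. The wrong-credentials path returns one generic message and does the same password-hashing work whether or not the username exists, so neither the message nor the response time reveals that an account exists. The verification token is random, stored only as a hash, single-use and expiring, which is what makes clicking the link prove ownership of the address. The in-memory store, the class and function names, the `post_message` feature and the sample users are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical in-memory account service (added example, not from the original thread).
PBKDF2_ITERATIONS = 100_000
TOKEN_TTL_SECONDS = 24 * 3600
GENERIC_LOGIN_ERROR = "Your user name or password is incorrect."


@dataclass
class User:
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    verified: bool = False
    token_hash: Optional[bytes] = None   # only the hash of the emailed token is stored
    token_expires: float = 0.0


@dataclass
class Session:
    username: str
    verified: bool


class LoginFailed(Exception):
    """Raised with the same message whether the username exists or not."""


class NeedsVerification(Exception):
    """Raised when a signed-in but unverified user touches a gated feature."""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Salt used to do a real PBKDF2 computation for unknown usernames, so the failure
# path costs the same time as a genuine password check and does not leak existence.
_DUMMY_SALT = secrets.token_bytes(16)


class AccountService:
    def __init__(self, now=time.time):
        self.users: Dict[str, User] = {}
        self.now = now  # injectable clock so token expiry can be exercised in tests

    def register(self, username: str, email: str, password: str) -> str:
        """Create an unverified account; returns the raw token to embed in the emailed link."""
        salt = secrets.token_bytes(16)
        user = User(username, email, salt, _hash_password(password, salt))
        self.users[username] = user
        return self._issue_token(user)

    def _issue_token(self, user: User) -> str:
        raw = secrets.token_urlsafe(32)
        user.token_hash = hashlib.sha256(raw.encode()).digest()
        user.token_expires = self.now() + TOKEN_TTL_SECONDS
        return raw

    def resend_verification(self, username: str) -> Optional[str]:
        """Re-issue the token for a signed-in, unverified user; None if already verified."""
        user = self.users[username]
        if user.verified:
            return None
        return self._issue_token(user)  # old token is invalidated by overwriting its hash

    def verify(self, raw_token: str) -> bool:
        """Consume a token from the emailed link: constant-time compare, expiring, single use."""
        digest = hashlib.sha256(raw_token.encode()).digest()
        for user in self.users.values():  # a real store would index by token hash
            if user.token_hash is not None and hmac.compare_digest(user.token_hash, digest):
                user.token_hash = None  # single use, whether or not it is still valid
                if self.now() > user.token_expires:
                    return False
                user.verified = True
                return True
        return False

    def login(self, username: str, password: str) -> Session:
        """Correct credentials always sign the user in; verification state rides on the session."""
        user = self.users.get(username)
        if user is None:
            _hash_password(password, _DUMMY_SALT)  # equalise timing with the known-user path
            raise LoginFailed(GENERIC_LOGIN_ERROR)
        if not hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
            raise LoginFailed(GENERIC_LOGIN_ERROR)
        return Session(username, user.verified)


def post_message(session: Session, text: str) -> str:
    """A gated feature: available only once the account's email address is verified."""
    if not session.verified:
        raise NeedsVerification(
            "Please verify your email address first; you can re-send the verification email from your profile."
        )
    return f"{session.username}: {text}"
```

Two points the code makes concrete: the login response never has to lie, because the "unverified" state is carried on the session rather than reported as a credential failure, and the only place existence of an account could leak is the failure branch, which is why it uses one fixed message and the same hashing cost for unknown and known usernames. The re-send path should be rate limited in a real deployment, and the registration form needs the same care, since "that address is already taken" reveals exactly what the generic login error hides.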