Mfcttrf

In this iconic lunar orbit rendezvous photo of John Houbolt, why do arrows #5 and #6 point the "wrong" way?

Strategy to pay off revolving debt while building reserve savings fund?

Why a binary file is not shown as 0 and 1?

How to find location on Cambridge-Mildenhall railway that still has tracks/rails?

Why did Fury respond that way?

Operation Unzalgo

How can I help our ranger feel special about her beast companion?

Locked-up DOS computer beeped on keypress. What mechanism caused that?

Term “console” in game consoles

Is there a difference between PIO and GPIO pins?

Is it ethical for a company to ask its employees to move furniture on a weekend?

Is it possible to have two words with the same particle in a sentence?

"Je suis petite, moi?", purpose of the "moi"?

Drawing a circle with nodes shift with Tikz

Why do space operations use "nominal" to mean "working correctly"?

Demographic consequences of closed loop reincarnation

How did Jayne know when to shoot?

How to interpret a promising preprint that was never published?

When designing an adventure, how can I ensure a continuous player experience in a setting that's likely to favor TPKs?

What is the period of Langton's ant on a torus?

Random piece of plastic

Practical example in using (homotopy) type theory

What would be the safest way to drop thousands of small, hard objects from a typical, high wing, GA airplane?

How to tell the object type of an Attachment

The most secure way to handle someone forgetting to verify their account?

Login form authentication logicIs this a good way to handle login processShould email verification be followed by password-based login? Why?Whats the most secure way to send user data from client to server?Copying the email address to a forgotten password pageIs it posible to validate a new user account/reset password without sending an email or phone number?How do i verify a banks contact number is correct?System to verify personal information without revealingDifferent email address in the email and the cancellation link in “Security alert for your linked Google Account”Why would someone open a Netflix account using my Gmail address?

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

2

Suppose we send out email verification to new subscribers that where they have to click on a link to verify their account.

Suppose they forget to verify it, and later try to login.

Should the error message say "Your user name or password is incorrect?", instead of letting them know that they have forgotten to verify the account.

I assume this is the most secure way of handling it, because if we tell them that they have to verify the account, we are letting them know that an account with that userid exists ...

Thoughts?

Perhaps the best way to handle it is to allow them to access the account, but don't let them do anything in it until they are verified?

authentication password-cracking account-security oauth credentials

share|improve this question

asked 8 hours ago

OleOle

14466 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  You have their email. You could email them again.
  
  – Nic Hartley
  8 hours ago
  

  
  
  
  

add a comment | 

2

Suppose we send out email verification to new subscribers that where they have to click on a link to verify their account.

Suppose they forget to verify it, and later try to login.

Should the error message say "Your user name or password is incorrect?", instead of letting them know that they have forgotten to verify the account.

I assume this is the most secure way of handling it, because if we tell them that they have to verify the account, we are letting them know that an account with that userid exists ...

Thoughts?

Perhaps the best way to handle it is to allow them to access the account, but don't let them do anything in it until they are verified?

authentication password-cracking account-security oauth credentials

share|improve this question

asked 8 hours ago

OleOle

14466 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  You have their email. You could email them again.
  
  – Nic Hartley
  8 hours ago
  

  
  
  
  

add a comment | 

Suppose we send out email verification to new subscribers that where they have to click on a link to verify their account.

Suppose they forget to verify it, and later try to login.

Should the error message say "Your user name or password is incorrect?", instead of letting them know that they have forgotten to verify the account.

I assume this is the most secure way of handling it, because if we tell them that they have to verify the account, we are letting them know that an account with that userid exists ...

Thoughts?

Perhaps the best way to handle it is to allow them to access the account, but don't let them do anything in it until they are verified?

authentication password-cracking account-security oauth credentials

share|improve this question

asked 8 hours ago

OleOle

14466 bronze badges

share|improve this question

asked 8 hours ago

OleOle

14466 bronze badges

share|improve this question

asked 8 hours ago

OleOle

14466 bronze badges

asked 8 hours ago

OleOle

14466 bronze badges

asked 8 hours ago

OleOle

14466 bronze badges

2 Answers
2

active

oldest

votes

5

What I see most commonly is allowing the authentication and signing the user in, but locking meaningful features away until the email is verified. You should bubble up an error reminding the user to re-send an activation email if they try to access one of the restricted features.

It is poor design to ever lie to a user - if they submit the correct username and password, you should never show an error claiming that either is incorrect.

share|improve this answer

answered 8 hours ago

Buffalo5ixBuffalo5ix

1,48155 silver badges1515 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I would put a full page nagging screen telling him to activate the account first and a button to confirm and re-send the activation email.
  
  – ThoriumBR
  8 hours ago
  

  
  
  
  

add a comment | 

1

I agree with Buffalo5ix, but email verification should not be considered a part of account security. Email verification:

• proves the ownership of the address, just to know that the user has entered correct address for you to send spam password recovery emails.


• serves as a very light deterrent for registering multiple fake accounts. It's pretty easy to automate the creation of email addresses (by using tempmail/hosting your own email server) and automatically click the validation links, so CAPTCHA would be a better system to protect against automated registration of fake accounts.

I can't see any security-related reason why you should lock the unverified accounts in any way. I prefer the small banner on top of the screen reminding me to verify account and prompting to re-send the verification email. Treating user like a suspected criminal or nagging them right after they've registered just isn't polite, make them welcome.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

Andrew MorozkoAndrew Morozko

1,48833 silver badges88 bronze badges

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f213715%2fthe-most-secure-way-to-handle-someone-forgetting-to-verify-their-account%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

5

What I see most commonly is allowing the authentication and signing the user in, but locking meaningful features away until the email is verified. You should bubble up an error reminding the user to re-send an activation email if they try to access one of the restricted features.

It is poor design to ever lie to a user - if they submit the correct username and password, you should never show an error claiming that either is incorrect.

share|improve this answer

answered 8 hours ago

Buffalo5ixBuffalo5ix

1,48155 silver badges1515 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I would put a full page nagging screen telling him to activate the account first and a button to confirm and re-send the activation email.
  
  – ThoriumBR
  8 hours ago
  

  
  
  
  

add a comment | 

5

What I see most commonly is allowing the authentication and signing the user in, but locking meaningful features away until the email is verified. You should bubble up an error reminding the user to re-send an activation email if they try to access one of the restricted features.

It is poor design to ever lie to a user - if they submit the correct username and password, you should never show an error claiming that either is incorrect.

share|improve this answer

answered 8 hours ago

Buffalo5ixBuffalo5ix

1,48155 silver badges1515 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I would put a full page nagging screen telling him to activate the account first and a button to confirm and re-send the activation email.
  
  – ThoriumBR
  8 hours ago
  

  
  
  
  

add a comment | 

What I see most commonly is allowing the authentication and signing the user in, but locking meaningful features away until the email is verified. You should bubble up an error reminding the user to re-send an activation email if they try to access one of the restricted features.

It is poor design to ever lie to a user - if they submit the correct username and password, you should never show an error claiming that either is incorrect.

share|improve this answer

answered 8 hours ago

Buffalo5ixBuffalo5ix

1,48155 silver badges1515 bronze badges

share|improve this answer

answered 8 hours ago

Buffalo5ixBuffalo5ix

1,48155 silver badges1515 bronze badges

answered 8 hours ago

Buffalo5ixBuffalo5ix

1,48155 silver badges1515 bronze badges

answered 8 hours ago

Buffalo5ixBuffalo5ix

1,48155 silver badges1515 bronze badges

1

I agree with Buffalo5ix, but email verification should not be considered a part of account security. Email verification:

• proves the ownership of the address, just to know that the user has entered correct address for you to send spam password recovery emails.


• serves as a very light deterrent for registering multiple fake accounts. It's pretty easy to automate the creation of email addresses (by using tempmail/hosting your own email server) and automatically click the validation links, so CAPTCHA would be a better system to protect against automated registration of fake accounts.

I can't see any security-related reason why you should lock the unverified accounts in any way. I prefer the small banner on top of the screen reminding me to verify account and prompting to re-send the verification email. Treating user like a suspected criminal or nagging them right after they've registered just isn't polite, make them welcome.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

Andrew MorozkoAndrew Morozko

1,48833 silver badges88 bronze badges

add a comment | 

1

I agree with Buffalo5ix, but email verification should not be considered a part of account security. Email verification:

• proves the ownership of the address, just to know that the user has entered correct address for you to send spam password recovery emails.


• serves as a very light deterrent for registering multiple fake accounts. It's pretty easy to automate the creation of email addresses (by using tempmail/hosting your own email server) and automatically click the validation links, so CAPTCHA would be a better system to protect against automated registration of fake accounts.

I can't see any security-related reason why you should lock the unverified accounts in any way. I prefer the small banner on top of the screen reminding me to verify account and prompting to re-send the verification email. Treating user like a suspected criminal or nagging them right after they've registered just isn't polite, make them welcome.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

Andrew MorozkoAndrew Morozko

1,48833 silver badges88 bronze badges

add a comment | 

I agree with Buffalo5ix, but email verification should not be considered a part of account security. Email verification:

• proves the ownership of the address, just to know that the user has entered correct address for you to send spam password recovery emails.


• serves as a very light deterrent for registering multiple fake accounts. It's pretty easy to automate the creation of email addresses (by using tempmail/hosting your own email server) and automatically click the validation links, so CAPTCHA would be a better system to protect against automated registration of fake accounts.

I can't see any security-related reason why you should lock the unverified accounts in any way. I prefer the small banner on top of the screen reminding me to verify account and prompting to re-send the verification email. Treating user like a suspected criminal or nagging them right after they've registered just isn't polite, make them welcome.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

Andrew MorozkoAndrew Morozko

1,48833 silver badges88 bronze badges

share|improve this answer

edited 2 hours ago

answered 2 hours ago

Andrew MorozkoAndrew Morozko

1,48833 silver badges88 bronze badges

answered 2 hours ago

Andrew MorozkoAndrew Morozko

1,48833 silver badges88 bronze badges

answered 2 hours ago

Andrew MorozkoAndrew Morozko

1,48833 silver badges88 bronze badges