views: 585

answers: 9

I've gotten into a habit of using the standard register->send activation email->activate account process for every site that supports user authentication and free registration without questioning if I really need this.

What are your thoughts on this? If I have captcha on the registration form is the email confirmation process really necessary?

EDIT:

OK, so the general consensus seems to be that by getting the users to confirm the email they entered I'll keep them away from putting someone else's email in there. What about when I let users edit their profile/settings and they enter another email? If I need to keep them away from entering other people's addresses then I'd need to confirm that email address (by temporarily deactivating their account) every time they change it.

+3  A: 

I find it both unnecessary and annoying. If I can, I avoid doing this.

However, I do do this if 1) email will be sent by the program, so I can test if the email address is valid, or 2) this is a very large, public-facing website, in which case I want to filter out as many potential problems as possible.

Matthew Jones
+8  A: 

Captcha+activation prevents bots AND spoofed people

Well basically it is since each part prevents one problematic scenario:

  • Captcha prevents (if you use strong captcha like reCaptcha) bots from registering new users
  • Email activation prevents people from registering other people (by their email address)

I guess this is a valid everyday pattern for registration that's widely acknowledged by IT community.

EDIT
Yes. When you want to prevent users from changing their email address, you'd have to repeat the email activation procedure to make it robust.
But you don't have to deactivate their account while doing it. All you have to do is have a pending email-change activation active. If it gets activated, you change the email address at that point (not when they change it), otherwise the old one is still used.

Robert Koritnik
Your summary is a little unclear - email validation doesn't prevent bots. Captcha does. EV prevents identity theft (at the most basic level). Not sure what a "fake person" is...
Rex M
@Rex: a fake person is a FAKE person. Someone that claims they're someone they're not. A fake Bill Gates would be some John Doe that registered with [email protected] email address.
Robert Koritnik
@Robert Generally "fake person" means a person who does not exist. A better word for what you're describing might be something like "impersonation" or "identity theft".
Rex M
@Rex: would word "spoof" be more grateful in this context?
Robert Koritnik
+2  A: 

It's the lowest-level attempt at identity validation. It encourages users to re-use the same account when they return (by having a common, shared identifier you and they can use to reconnect), and it prevents impersonation, because it requires access to the claimed identity as proof.

It's not perfect, but something by definition works infinitely better than nothing.

If identity doesn't matter on your site (e.g. your service is throwaway after each use) then you don't need email activation. Otherwise, you probably want it.

Rex M
why would someone register on a site that is "throwaway after each use"?
Robert Koritnik
or better said: why would a "throwaway after each use" site even have user registration?
Robert Koritnik
@Robert you're right, it wouldn't be a registration in that sense. But it might still expect name, contact info, etc. which is a kind of registration.
Rex M
@Robert I don't think he meant "after each use" in an absolute sense. For example reddit.com doesn't use email confirmation so it can let users create throwaway accounts more easily (see the IAMA or GoneWild subreddits and you'll see why)
Vasil
A: 

I find it useful when an email is sent for confirmation. This makes sure that I am the one who has registered with that email address.

Even with captcha you can register someone else email address although he may or may not approve that confirmation.

azamsharp
+6  A: 

You should give serious consideration to supporting OpenID. http://openid.net/get-an-openid/what-is-openid/

The key benefit for OpenID is that it reduces the complexity for your user. There is no reason to force people to remember login credentials for hundreds of sites when a viable alternative exists. There is no worldwide netizen database - and there likely never will be - but OpenID simplifies the situation greatly.

I know that as a user I found the registration process for Stack Overflow to be painless and easy. I wish more sites used OpenID.

Will Bickford
OpenID may be suitable for IT people (being the same reason why it's used here on SO), but regular internet users probably won't be able to make use of it. They may easily get confused.
Robert Koritnik
... same as tags. These work well on SO, but wouldn't in a non-IT community.
Robert Koritnik
I have found OpenID to be a true pain coming through Wordpress. I would not even *consider* imposing this on my users.
Mark Brittingham
at some point, "non-IT people" didn't have passwords, or emails, or captchas, but they've managed to learn to cope with those. They'll adapt. They're just slower than us superior beings.
rmeador
I disagree that OpenID and tags are only useable for "IT people". Any new technology requires training.
Will Bickford
I ended up with three SO accounts that had to be merged when I first joined. Anything but painless.
womp
@Mark - Is that a failure of OpenID or Wordpress though?
Will Bickford
A few days ago I would've said that OpenID can be confusing for the average user. But after seeing the most incredibly simple implementation of it in the DotNetOpenID project and the beauty of OpenID 2.0, I've become a much bigger fan of OpenID overall. You can now register without typing in an OpenID address, but by clicking a Google or Yahoo login button instead. In fact I'm adding a login system to my site with nothing but OpenID just because of how awesomely simple it has become.
Steve Wortham
@Robert - A corollary to your argument is that if you don't build support for the future, then it will never come. Notice I didn't say support **only** OpenID. It would be perfectly feasible to be an OpenID provider and allow individuals to signup for accounts in addition to using an existing one from a third party.
Will Bickford
+1  A: 

For most basic sites, I don't bother with either. Both email activation and captcha are relatively easy for dedicated spammers to bypass and overcome and do little but cause an annoyance to most of the users, driving away at least a certain percentage who might have otherwise signed up. I've found in my experience, focusing more on spam filters for member posted content has a better ROI overall.

For sites with more serious content, you'll typically have more serious users. In cases like that, I'll throw everything I've reasonably got available at it to counter the spam.

BBlake
+3  A: 

If you don't confirm an e-mail, you're supposing that the user registering for that service owns that email account. How can you start sending a lot of system e-mails, password resets, etc. to a person that has nothing to do with your system? I would be really pissed off if it was my e-mail.

Another scenario: what if the register misspelled his e-mail when registering? Suppose he doesn't check his "account settings" in your application, doesn't change his email, and needs to reset his password. If the e-mail is registered in a wrong way, it's your fault for not checking it before.

Of course, I'm just saying this to services that would REALLY demand an account to be created. Avoid the login barrier when possible, or use openid when your service isn't so critical.

GmonC
+1 for referring anyone to the login barrier post. More people should read that. Makes the web a better place!
Felix Ogg
+2  A: 

On my site, I let users sign-up and do everything non-public until they confirm their email address. Because I run a gaming website, it means users can earn medals, post scores, just not post in the forum or post comments in the blog until they verify their email address.

I find it works pretty well. I have 16,000 registered users.

meridimus
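The two ideas above, Robert Koritnik's pending email-change activation (the old address stays in use until the new one is confirmed) and meridimus's gating of public actions on a verified address, as an added example that is not code from any poster. It assumes an in-memory store and a constructed `now` timestamp passed in by the caller; a real site would persist the account rows and e-mail the token as a link.

```python
# Added example (not from the thread): minimal account store with an
# unverified-on-register state, a pending email-change token that keeps the
# old address active until confirmed, and a verified-only permission check.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL = 24 * 3600  # seconds an activation link stays valid (assumption)


@dataclass
class Account:
    email: str                          # address currently in use
    verified: bool = False
    pending_email: Optional[str] = None # address waiting for confirmation
    token_hash: Optional[str] = None    # store only a hash of the token
    token_expires: float = 0.0


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, email: str, now: float) -> str:
        """Create an unverified account; return the token to e-mail the user."""
        acct = Account(email=email)
        self.accounts[username] = acct
        return self._issue_token(acct, email, now)

    def request_email_change(self, username: str, new_email: str, now: float) -> str:
        """Start a change without touching the live address (no deactivation)."""
        return self._issue_token(self.accounts[username], new_email, now)

    def _issue_token(self, acct: Account, target: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        acct.pending_email, acct.token_hash = target, _hash(token)
        acct.token_expires = now + TOKEN_TTL
        return token

    def confirm(self, username: str, token: str, now: float) -> bool:
        """Switch to the pending address only when a valid, unexpired token arrives."""
        acct = self.accounts[username]
        if acct.token_hash is None or now > acct.token_expires:
            return False
        if not secrets.compare_digest(_hash(token), acct.token_hash):
            return False
        acct.email, acct.verified = acct.pending_email, True
        acct.pending_email = acct.token_hash = None
        return True

    def can_post_publicly(self, username: str) -> bool:
        """Forum/comment posting is gated on a confirmed address."""
        return self.accounts[username].verified
```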
A: 

You only seem to need e-mail confirmation to confirm identity, not to send useful content by e-mail. But e-mail confirmation is only one means to an end. You may consider others, preferably less intrusive ones.

Generally you can check something that

  • you are (e.g. fingerprint, iris scan)
  • you have (e.g. token, credit card, key, access to an e-mail account)
  • you know (e.g. PIN, password, your mom's weight, name of your favorite deceased pet, the optimistic length of your most private body parts measured in inches)

Also, you can delegate the check to others: the credit card company, phone company, someone's friends.

Example: GoogleMail could not ask for a confirmation e-mail address upon creation of your GMail account. Instead, the early adopters had a limited supply of "invites" to share with friends.

So - unless you actually need me to receive information you'd e-mail, which I generally hate anyway - you might be inclined to resort to more creative/fun means.

Felix Ogg