My organization has a form to allow users to update their email address with us. It's suggested that we have two input boxes for email: the second as an email confirmation.

I always copy/paste my email address when faced with the confirmation. I'm assuming most of our users are not so savvy.

Regardless, is this considered a good practice? I can't stand it personally, but I also realize it probably isn't meant for me. If someone screws up their email, they can't login, and they must call to sort things out.

+2  A: 

I agree with you in that it is quite an annoyance to me (I also copy and paste my address into the second input).

That being said, for less savvy users, it is probably a good idea. Watching my mother type is affirmation that many users do not look at the screen when they type (when she's using her laptop she resembles Linus from Peanuts when he's playing the piano). If it's important for you to have the user's correct email address then I would say having a confirmation input is a very good idea (one of these days I'll probably type my email address wrong in the first box and paste it wrong into the second box and then feel like a complete idiot).

Justin Bennett
+1 for the Linus Reference
Michael Stum
Except, of course, that it's Schroeder who plays the piano, not Linus.
Dave Sherohman
+9  A: 

I would just use one input box. The "Confirm" input is a remnant form the "Confirm Password" method.

With passwords, this is useful because they are usually typed as little circles. So, you can't just look at it to make sure that you typed it correctly.

With a regular text box, you can visually check your input. So, there is no need for a confirmation input box.

+3  A: 

I agree with Justin, while most technical folks will use the copy, paste method, for the less savvy users it is a good practice.

One more thing that I would add is that the second field should have the auto-complete feature disabled. This ensures that there is human input from either method on at least one of the fields.

+1  A: 

I'd say that this is ok but should only be reserved for forms where the email is essential. If you mistype your email for your flight booking then you have severed the two-way link between yourself and the other party and risk not getting the confirmation number, here on StackOverflow it would only mean your Gravatar would not be loaded ...

I'd consider myself fairly techie but I always fill in both fields /wo cut-paste if I regard it to be important enough.

+2  A: 

As long as a field is viewable, you do not need a confirm box. As long as you do some form validation to be sure that it is at least in valid format for an email address let the user manage the rest of the issues.

Adam Lerman
+8  A: 

I've seen plenty of people type their email address wrong and I've also looked through user databases full of invalid email address.

The way I see it you've got two options. Use a second box to confirm the input, or send an authentication/activation email.

Both are annoyances so you get to choose which you think will annoy your users less.

Most would argue that having to find an email and click on a link is more annoying, but it avoids the copy/paste a bad address issue, and it allows you to do things like delete or roll back users if they don't activate after say 48 hours.

But you need the authentication email whether you do the double entry or not, unless you're willing to accept correctly-entered addresses that don't exist/aren't deliverable.
Dave Sherohman

just came upon this while researching autocomplete "confirm email". Funny, I've always thought the confirm was for making sure there was as palehorse wrote "human input". Never ever considered it would be to make sure it wasn't entered wrong the first time. btw, it's Schroeder, not Linus, who plays the piano.....

+2  A: 

While the more tech-savvy people tend to copy and paste, not technical people find it just as annoying to have to type something twice. During a lot of user testing I've down, the less tech-savvy - the more annoyed they seem with something like this... They struggle to type as it is, when they see they have to type their email in again it's usually greeted with a strong sign.

I would suggested a few things.

  1. Next to the input box write the style of the information you are looking for so something like (i.e. [email protected]). The reason this is important is you would be surprised how many of the less tech-savvy don't really understand the different between a website and an email address, so let them know visually the format you want.

  2. Run strong formatting test in real time, and visually show a user that the format is good or bad. A green check box if everything is okay comes to mind.

  3. Lastly, depending on your system architecture I often use a library to actually wrong a domain in the background. I don't necessarily try to run a VRFY on the server - I often use a library to check to make sure the domain they entered has MX records in it's DNS record.

Tim K.
If you're going to check the format, please be sure you do it *correctly*. Many simple email address format checks will, for example, reject a + in the username, causing them to block a large set of valid, deliverable email addresses. (Or validate by sending mail. It's the only real way to be sure.)
Dave Sherohman
And with IDN you have to convert the user input to punycode.
+2  A: 

Typing things twice is frustrating and doesn't prevent copy&paste errors or even some typos.

I would use an authenticate/activate schema with a roll back to the old address if the activation is not met within 48 hours or if the email bounces.

Chris Nava
+1  A: 

I tend to have it send a verification code to the email address specified (and only ask for it once), and not change the email address until the user has entered the code I sent them.

This has the advantage that if they try to set it to a dozen different addresses in quick succession, you'll know which ones work by which verification code they put in.

Plus, if I am presented with a "confirm email address" box, I just copy and paste from the previous one, and if I'm guilty of that, I'm sure that other less careful users will do the same.