Saturday, January 12, 2019

What's the best approach to confirm user email address: sending an email confirmation link or sending a verification code in email?


I see there are a number of questions available here about approaches for confirming email addresses, with pretty good answers. I have a similar question. I can think of two approaches for confirming an email address:

  1. Sending a confirmation link to the user-provided email address; by clicking this link a new page will open showing a user account confirmation message.

  2. Another approach is, instead of providing a confirmation link, to provide the user with a verification code in the email. Let's say the number 12345 is the verification code; the user will then read this number and enter it on the confirmation page.

It would be great if you could provide your views on the above-mentioned approaches. I agree that option #2 seems to add a bit of overhead; however, my priority is security.


The mobile application integrates with my existing web application (I have developed APIs for it). The mobile application uses those APIs to get data from the web application. Now, using the register API, the mobile app can register the user. For registration, the user's email address and password are required. I want to confirm the user's email address before giving them full access to the application. If the user's email address is confirmed then they can use all options; otherwise the user is restricted to certain options. To confirm the email address, should I:

  1. Send the verification link to the user-provided email address

  2. Send a verification code in the email which the user can enter on the "verify account" page in the mobile app

  3. Send a deep link + verification code in the email so that when the user clicks on the deep link the mobile app will automatically launch with the verification page open, where the user can type in (or copy and paste) the verification code

I want to know which one is the better approach from a usability point of view and a security point of view (my preference is for security).



Answer



This will largely depend on what the verification entails in terms of user access.


Option 1


I would say that (option 2) sending a verification code is more secure, as users will have to input their verification code before the verification is complete, particularly if this is part of login (2-step verification).


Option 2


This being said, if the verification happens once users have logged in (option 1), sending a link would be more viable as the user is already logged in.

In both cases, ensure that the link or verification code has a defined validity time and that the user is made aware of it. Also account for users not being able to view the email, by advising them to check their spam folder and/or whitelist the sender.

Update: Given the flurry of comments around this answer, I have made an update that should hopefully clarify some of the misunderstandings and assumptions.



Clicking on a link to verify email is definitely more user-friendly than typing a code, which is the point I have tried to make in my answer (option 2). Both of these can be combined to optimise, as suggested by some of the answers and comments below. However, from a UX perspective, this is not a blanket rule; there are other factors and aspects that need to be taken into consideration.

If the verification happens as part of an authentication process, for example password reset or recovery, then a combined link and code will work. This being said, you need to consider carefully the type and scope of user information held within the system.

Sites that request sensitive or personally identifiable information should be, and feel, secure. If a site doesn't feel secure, the user will be disincentivized to use the site. The user will be more likely to distrust the site, which will build barriers between the user and requests to provide PII or to provide access to sensitive information.



There is a great deal of expectation from both clients and direct users when it comes to authentication; some systems are perceived as more secure just by virtue of visual design and their overall workflow. You need to make sure that your authentication process is not only secure but also perceived as such by users and stakeholders. So a better understanding of how your end users perceive security, and which interaction patterns and workflows they are most familiar with, is key. This is particularly true for corporate and enterprise solutions, which generally hold much more information than retail websites, for example.

Overall, I would say that, based on assessing the factors above, if asking users for a code will boost or maintain user confidence in your site or app while fulfilling the task, then by all means go for it. The argument also applies to using a link with a code if it does not jeopardize user confidence.

I have also found "Understanding user perceptions of transparent authentication on a mobile device" very insightful! Good luck!
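The answer's advice that both the link and the typed code need a defined validity time, and the question's three options, can be handled by one server-side component. The following is an added illustration, not code from the question or the answer: a hypothetical EmailVerifier that issues either a long random link token (options 1 and 3) or a short numeric code (option 2), stores only a hash, binds the secret to the address it was sent to, expires it, makes it single-use, and caps guesses on the short code.

```python
import hashlib
import hmac
import secrets
import time

class EmailVerifier:
    """Single-use email verification secrets: a long random link token
    (option 1/3) or a short typed code (option 2). Only the SHA-256 hash
    is stored; codes are also capped by guess count, not just by time."""

    def __init__(self, ttl_seconds=15 * 60, max_code_attempts=5, clock=time.time):
        self.ttl = ttl_seconds          # validity window the user is told about
        self.max_attempts = max_code_attempts
        self.clock = clock              # injectable so tests can simulate expiry
        self.pending = {}               # email -> {"hash", "expires", "attempts"}

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def _store(self, email, secret):
        # Re-issuing replaces any earlier secret for the same address.
        self.pending[email] = {"hash": self._digest(secret),
                               "expires": self.clock() + self.ttl,
                               "attempts": 0}
        return secret

    def issue_link_token(self, email):
        # 32 random bytes (43 URL-safe chars): infeasible to guess.
        return self._store(email, secrets.token_urlsafe(32))

    def issue_code(self, email):
        # 6-digit code the user types into the app; guessable, so attempt-capped.
        return self._store(email, f"{secrets.randbelow(10 ** 6):06d}")

    def verify(self, email, presented):
        entry = self.pending.get(email)
        if entry is None:
            return False
        if self.clock() > entry["expires"] or entry["attempts"] >= self.max_attempts:
            del self.pending[email]     # expired or too many guesses: invalidate
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["hash"], self._digest(presented)):
            del self.pending[email]     # single use: a replayed link/code fails
            return True
        return False
```

For the deep-link variant (option 3) the app would pass the address and token from the link into `verify` in the same way, so the code typed or prefilled is still checked against the address it was issued for.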

