What's the best approach to confirm user email address: sending an email confirmation link or sending a verification code in email?

  • I see there are number of questions available there about approach for confirming email address with pretty good answers. I have a similar question I can think of two approaches for confirming email address:

    1. Sending confirmation link on the user provided email address, by clicking this link a new page will open showing user account confirmation message.

    2. Another approach is instead of providing confirmation link, provide user with the verification code in the email, let's say number 12345 is verification code, then user will read this number and enter it on the Confirmation page.

    It would be great if you could provide your views for the above-mentioned approach. I agree that option #2 seems to add a bit of overhead however my priority is for security.

    The mobile application integrates with my existing web application (I have developed APIs for it). The mobile application uses those APIs to get data from the web application. Now using the register API, the mobile app can register the user. For registration, the user's email address and password is required. I want to confirm the user's email address before giving him full access to the application. If user's email address is confirmed then he can use all options otherwise user is restricted to certain options. To confirm the email address, should I:

    1. Send the verification link to the user provided email address

    2. Send verification code in the email which user can enter on "verify account" page in mobile app

    3. Send deep link + verification code in the email so that when user click on deep link automatically mobile app will get launched with the verification page being open where user can type in (or copy+paste) the verification code

    I want to know which is one better approach from usability point view and security point of view (my preference is for security).

    I would include a concise explanation of the context in which you are doing the verification (mobile native application) so to clarify the question and get more feedback.

    @Okavango added the explanation for the mobile application for which I am looking to implement verify email address functionality

    Have you explored social media login? This might allow you to authenticate users and verify emails.

    My mobile app allows login with fb and g+ also we allow user to sign up with email id and this is where I want to confirm email address. I guess we don't have to validate email address if user sign up with social media login

    looks like more of a security question rather than ux

    Rahul, I have asked the question on the information security site and feedback could be found here

    Its a balancing act so try to incorporate both security and UX requirements in a compromise solution.

    As of writing this, sending a link to user's email is unsafe (can result to impersonation), especially if your users are likely to use either Gmail for email or Chrome for the browser (Chrome, Chromium, Microsft Edge, Brave Browser, DuckDuckGo Browser are all using chrome engine). Prefer to send a code to the user email instead, and if you must send a link, make sure you have a dedicated page to handle confirmation page that requires user action (like a click) or requires JavaScript to run and send the code to your server. Read more: https://stackoverflow.com/a/63427303/3563013

    Make sure to piss off users who use a text-only MUA: send a link, and make this link *very* wide, 200 characters or more should work, so they can't easily copy/paste the link into a browser (after having dug it out of an HTML mess; make sure to either send HTML only or put the link only in the HMTL part of the multipart/alternative).

  • Okavango

    Okavango Correct answer

    7 years ago

    This will largely depend on what the verification entails in terms of user access.

    Option 1

    I would say that (option 2) sending a verification code is more secure as users will have to input their verification code before the verification is complete, particularly if this is part of login ( 2 step verification).

    Option 2

    This being said if the verification happens once users have logged in ( Option 1 ) sending a link would be more viable as user is already logged in.

    In both cases ensure that the link or verification code have a defined validity time and that the user is made aware of it. Also account for users not being able to view email, by advising them to check their spam folder and/or whitelist sender.

    Update: Given the flurry of comments around this answer, I have made a an update that should hopefully clarify some of the misunderstandings and assumptions.

    Clicking on a link to verify email is definitely more user-friendly than typing a code which is the point I have tried to make in my answer (option 2). Both these can be combined to optimise as suggested by some of the answers and comments below. However from a UX perspective, this is not a blanket rule there are other factors and aspects that need to be taken into consideration.

    If the verification happens as part of an authentication process, for example password reset or recovery, then a combined link and code will work. This being said, you need to consider carefully the type and scope of user information held within the system.

    Sites that request sensitive or Personally Identifiable Information should be, and feel, secure. If a site doesn't feel secure, the user will be dis-incentivized to use the site. The user will be more likely to distrust the site, which will build barriers between the user and requests to provide PII or to provide access to sensitive information .

    There is a great deal of expectations from both clients and direct users when it comes to authentication; some systems are perceived as more secure just by virtue of visual design and their overall workflow. You need to make sure that your authentication process is not only secure but also perceived as such by users and stakeholders. So better understanding of how your end users perceive security and which interaction patterns and workflows they are most familiar with is key. This is particularly true for corporate and enterprise solutions that generally hold much more information than retail websites for example.

    Overall I would say that based on assessing the factors above, if asking users for a code will boost or maintain user confidence in your site or app while fulfilling the task than by all means go for it. The argument also applies to using a link with code if it does not jeopardize user confidence.

    I have also found that

    Understanding user perceptions of transparent authentication on a mobile device

    very insightful! Good luck!

    *"sending a verification code is more secure"*, you assert, but you offer no justification for this claim. It seems clearly false to me. Either approach - link or code - simply validates that the user controls the email address by sending them a secret and having them send it back to the web server. They are as vulnerable as each other to brute force, or to an attacker who has illicit access to the user's emails. They can both be performed by a bot. So what possible security difference is there?

    @Mark Amery, the issue of brute force attacks was not raised by the question!! The question focuses mainly on email confirmation...as for a code vs link argument... If we are indeed dealing with login ...the code is still more secure because it requires further action from user before granting access. There are of course other means of addressing brut force attacks such as temporary lockouts but that's not the focus of the question.

    @Okavango *"the code is still more secure because it requires further action from user before granting access."* Again, you're just making assertions without even trying to justify them. Just because you require an additional arbitrary action from the user does not mean your system is more secure. It is absurd to suggest that baking a secret key into a link the user clicks is somehow less secure than having the user type the same secret out by hand. I mention eavesdropping and brute force merely as examples of potential attacks that *both* these approaches are be *equally* vulerable to.

    @Okavango the burden here is on you to explain *why* requiring the user to perform an act with a clumsy UI (sending the secret to the server, by typing it) is magically more secure than them performing effectively the same action with an easier UI (by baking the secret into a link). *What attack could conceivably work against the secret-in-a-link system but not against the type-the-secret-by-hand system?* If there is truly a security difference, you will be able to describe such an attack. But you won't be able to, because there is no difference.

    @Mark Amery, again I don't think system security is the focus of the question but email confirmation. For clarity, If you are attempting to authenticate the user the code is a more valid approach than a link as I have suggested in my answer, I would elaborate further if the question was about authentication which it is not!

    *"I don't think system security is the focus of the question"* - then why have you written an answer that revolves around security? Security is your *entire reason* for advocating that the user types in a code instead of clicking a link.

    I'm sorry, but this answer is wrong from both the security perspective and the UX perspective. @MarkAmery here nailed it. I don't have the reputation to downvote, but be sure I would have had I could.

    @Madara Uchiha, how is it wrong from a UX perspective? Is not asking for a code once user logged Bad UX?

    Inputting a code is in no way "better" than clicking on a link. You're missing the purpose. Inputting a code should be used only as fallback to the more comfortable "click on a link".

    @Madara Uchiha, Agreed! That was the second option suggested in the answer!!

    TLDR;? Why not highlight the answer???? "if asking users for a code will boost or maintain user confidence in your site or app while fulfilling the task than by all means go for it"

    Returning to technical content: you've tried to fudge this by swapping halfway through your answer from talking about *actual* security to talking about *user perception* of security, just as fear-mongering politicians like to equivocate between *actual* crime and *fear of crime* when hard facts aren't on their side. But the beginning of your post still makes a concrete security claim that is nothing to do with user perception. And that claim is still 100% wrong and can't be fixed by adding in a tangent about user perception.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM