Most popular applications nowadays require account activation by email. I’ve never done it with apps that I’ve developed so am I missing some crucial security feature?
By email activation I mean when you register to a site they send you an email that contains a link that you have to click before your account gets activated.
5
Activation confirms the email is yours. It’s not so much about being bogus or non-existent, as it is about being yours, and they need it for an alternative/plan-b way of authentication, in the first place.
3
Most web services want to be able to contact users, and use email for that. In particular, if the user forgets their password, the fact that they can read an email at the address the service has on file authenticates them as the legitimate user, who is allowed to reset the password. Email can also be a way to inform you of important updates (a.k.a. spam you).
In order for the service to validate the email, it must ensure that the user who is creating the account does have access to that email. This is both to protect the user against a typo in the email address, and to protect the site’s ability to spam.
You don’t have to require an email to subscribe to your service. However, when users forget their credentials, they’ll be unhappy. Email password resets are the norm.
If the user chooses a disposable email address, it’s a deliberate choice from them not to have exclusive control over the account. Some sites that want to spam try to reject such addresses, although it is of course futile (big sites like Gmail also let you create disposable addresses, after all).
Confirmed opt-in, to comply with anti-spam laws, is another reason to send a link in the e-mail.
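One way to implement the activation link the question and this answer describe, as an added example that is not code from the question or any answer: a random token is mailed out, only its hash is stored, and it is accepted once and only within a time limit. The in-memory store, the user ids and the site URL are constructed placeholders.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory store standing in for a database table of pending
# activations: sha256(token) -> {"user": ..., "expires": ...}. Only the hash
# is stored, so a leaked table cannot be turned back into working links.
PENDING = {}
TOKEN_TTL = 24 * 3600  # activation links expire after one day
SITE = "https://example.invalid"  # hypothetical site URL


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_activation(user_id: int, now: float = None) -> str:
    """Create a one-time token for user_id and return the link to mail out."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    PENDING[_digest(token)] = {"user": user_id, "expires": now + TOKEN_TTL}
    return f"{SITE}/activate?token={token}"


def token_from_link(link: str) -> str:
    """Extract the token query parameter from an activation link."""
    return parse_qs(urlsplit(link).query).get("token", [""])[0]


def activate(token: str, now: float = None):
    """Return the user id if the token is valid, unused and unexpired, else None."""
    now = time.time() if now is None else now
    # pop() makes the token single use: whatever we find is removed, so a
    # second click (or a replayed link) finds nothing.
    rec = PENDING.pop(_digest(token), None)
    if rec is None or now > rec["expires"]:
        return None
    return rec["user"]
```

Because the token is hashed before the lookup, the comparison never runs directly on the user-supplied string, so no constant-time compare is needed here.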
1
Yes, you are. By verifying the email address you are making sure that the account holder owns that address.
Later if someone else tries to sign up with the same address this won’t be possible as you’ve already verified that the correct owner already has the account.
Basically it ensures people are who they say they are. If you had a social networking site where people could add contacts by email address, this will limit what a fraudulent user could do by using the address of another person.
3
A few frequently used reasons are:
- Making sure the email address is valid.
- Making sure the user owns the email address.
- Making sure the user WANTS to subscribe.
- Making sure that future communication can process properly.
- Giving the user a confirmation that he subscribed and a digital trail.
3
I think it depends on the possibilities that you give to your user. Can he or she send messages to other users and spam them with adverts? Can he or she post on your site and post viagra ads everywhere? Can he or she upload a lot of files and fill your precious server space? If any of the above, or something else that could be used for spamming or trashing up your server, exists, you want to make it as hard as possible for spammers to sign up to your site. And so e-mail authentication is another step that makes it hard for spammers to pretend to be human.
To achieve this you should use email authentication together with a form that is also hard for machines to fill out, using a captcha or other techniques, and you should also block trash mail services.