Ask the Expert

Should a new user have to confirm an email address to gain access?

Prior to granting a new user access to a privileged system, like an e-commerce application, is it a good idea to have the user confirm his or her email address by clicking on a link in an "authenticate new user" email? Does this deter someone from attacking the site by writing a program to create a million users?


The purpose of confirmation emails is to prevent fraud and block attempts to create a million users for spamming the site. It isn't to authenticate users to the site or to verify their identities.

Despite this limitation, confirmation emails are useful as one security control for an e-commerce website, but they shouldn't be relied on as the sole control for preventing registration by malicious users.

An example of fraud would be a malicious user trying to gain access to an e-commerce site as someone else, for instance by registering with someone else's email address. They might do this to gain access to a bank account that already exists but isn't yet registered for online account access.

A confirmation email would then be sent to the legitimate user's email address. If the real account holder had actually registered, he or she would expect such an email. If the email was unexpected, the account holder can call the bank, which can investigate and, if necessary, freeze the account to prevent malicious use or access.

Confirmation emails that require the user to click on a link, or return to the site to verify their access, can also block spam bots that try to register with sites automatically. Spammers can hit a site with hundreds or thousands of possible account names to find a legitimate account to steal. Confirmation emails block these types of attacks by requiring a response to each individual email, something an automated script can't do.

Another consideration when using confirmation emails is replay of the confirmation link. Make sure the link in the email contains a unique identifier that can only be used once. After the user clicks on the link and confirms their registration, the link should expire. Otherwise, a malicious user could copy the URL and reuse it to try to access the account. Expiration of confirmation links should be part of e-commerce registration software.
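One way to implement the single-use, expiring confirmation link described above, as an added example that is not code from the original column. It assumes an in-memory store standing in for the database table of pending registrations; only a hash of the token is stored so a leaked table cannot be replayed.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumption: links stay valid for one day


class ConfirmationStore:
    """Tracks pending email confirmations (hypothetical in-memory stand-in for a DB table)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # sha256(token) -> (email, expires_at)
        self.confirmed = set()   # emails whose registration has been confirmed

    @staticmethod
    def _digest(token: str) -> str:
        # Store a hash, not the token: the raw token exists only in the email link.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        # 256 bits from the OS CSPRNG: unguessable, unique per registration.
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token

    def link_for(self, base_url: str, token: str) -> str:
        # Builds the URL placed in the email; base_url is a constructed placeholder.
        return f"{base_url}/confirm?token={token}"

    def confirm(self, token: str) -> bool:
        # pop() removes the entry on first use, so a replayed link finds nothing.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False           # unknown, already used, or never issued
        email, expires_at = entry
        if self._now() > expires_at:
            return False           # expired links are discarded, not honoured
        self.confirmed.add(email)
        return True


if __name__ == "__main__":
    store = ConfirmationStore()
    tok = store.issue("alice@example.com")   # constructed sample address
    print(store.link_for("https://shop.example", tok))
    print("first click:", store.confirm(tok), "replay:", store.confirm(tok))
```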

Again, it should be emphasized that confirmation emails are only one type of fraud and spam control, and not a form of authentication.

This was first published in September 2008
