Problem solve Get help with specific problems with your technologies, process and projects.

Should a new user have to confirm an email address to gain access?

'Authenticate new user' emails can be helpful tools in preventing spammers from creating a million users that will flood a site. Identity and access management expert Joel Dubin gives advice.

Prior to granting a new user access to a privileged system, like an e-commerce application, is it a good idea to have the user confirm his or her email address by clicking on a link on an "authenticate new user" email? Does this deter someone from attacking the site by writing a program to create a million users?
The purpose of confirmation emails is to prevent fraud and block attempts to create a million users for spamming the site. It isn't to authenticate users to the site or to verify their identities.

Despite this limitation, confirmation emails are useful as one security control for an e-commerce website, but...

they shouldn't be relied on as the sole control for preventing registration by malicious users.

An example of fraud would be a malicious user trying to gain access to an e-commerce site as someone else, say, using someone else's email address. They might do this to gain access to a bank account that already exists, but isn't yet registered for online account access.

A confirming email would then be sent to the legitimate user's email address. If the real account holder had actually registered, he or she would expect such an email. If the email was unexpected, the account holder can call the bank, which can investigate and freeze the account, if necessary, to prevent malicious use or access.

Confirming emails that require the user to click on a link, or return to the site to verify their access, can also block spam bots that try to automatically register to sites. Spammers can hit a site with hundreds or thousands of possible account names to find a legitimate account to steal. Confirming emails block these types of attacks by requiring a response to each individual email, something an automated script can't do.

Another thing to consider when using confirming emails involves session-replay attacks. Make sure the link in the email contains a unique identifier that can only be used once. After the user clicks on the link and confirms their registration, the link should expire. Otherwise, a malicious user could cut and paste the URL to try and access the account. Session expiration should be part of e-commerce registration software.

Again, it should be emphasized that confirmation emails are only one type of fraud and spam control, and not a form of authentication.

More information:

This was last published in September 2008

Dig Deeper on Web authentication and access control