Re-Verify users email after x amount of days - keycloak

I want my users to re-verify their email after some time to be sure that the user still has his company email. I see the verify email function, but this is only a one-time thing. Once verified it never has to be done again.
Any hint would help.
My current idea is to set all users as email unverified via API, but a better option would be a built-in feature for this.
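One way to implement the "set users unverified via API" idea on a schedule, as an added example that is not Keycloak's own code and not part of the original question. It assumes two things the question does not state: each user carries a custom attribute email_verified_at holding an ISO-8601 timestamp that your verify-email flow writes when the address is confirmed (Keycloak itself records no verification time), and an admin bearer token is obtained separately (for instance with a client-credentials grant). The user list is constructed.

```python
"""Periodic e-mail re-verification for Keycloak through the Admin REST API.

Added example, not Keycloak's own code. Assumptions not in the original
question: each user carries a custom attribute ``email_verified_at`` with
an ISO-8601 timestamp written by your verify-email flow (Keycloak itself
records no verification time), and an admin bearer token is obtained
separately. The user list below is constructed.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

REQUIRED_ACTION = "VERIFY_EMAIL"   # Keycloak's built-in required action
ATTR = "email_verified_at"         # assumed custom user attribute


def needs_reverify(user, now, max_age_days):
    """True if the address was verified more than max_age_days ago.

    Unverified users are skipped: Keycloak already forces them through
    VERIFY_EMAIL. A verified user with no timestamp is treated as stale,
    so nobody escapes the policy because the attribute was never set.
    """
    if not user.get("emailVerified"):
        return False
    stamps = user.get("attributes", {}).get(ATTR, [])
    if not stamps:
        return True
    verified_at = datetime.fromisoformat(stamps[0])
    return now - verified_at > timedelta(days=max_age_days)


def reverify_payload(user):
    """Body for PUT /admin/realms/{realm}/users/{id}.

    Clearing emailVerified and adding VERIFY_EMAIL to requiredActions makes
    the user confirm the address again at next login; actions already
    pending on the user are kept.
    """
    actions = list(user.get("requiredActions", []))
    if REQUIRED_ACTION not in actions:
        actions.append(REQUIRED_ACTION)
    return {"emailVerified": False, "requiredActions": actions}


def select_stale(users, now, max_age_days):
    return [u for u in users if needs_reverify(u, now, max_age_days)]


def put_user(base_url, realm, token, user_id, payload):
    """Send one update (network call; run only outside the offline demo)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/users/{user_id}",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample of what GET /admin/realms/{realm}/users returns.
SAMPLE_USERS = [
    {"id": "u1", "email": "a@corp.example", "emailVerified": True,
     "attributes": {ATTR: ["2024-01-01T00:00:00+00:00"]}},
    {"id": "u2", "email": "b@corp.example", "emailVerified": True,
     "attributes": {ATTR: ["2024-06-20T00:00:00+00:00"]},
     "requiredActions": ["UPDATE_PASSWORD"]},
    {"id": "u3", "email": "c@corp.example", "emailVerified": False},
    {"id": "u4", "email": "d@corp.example", "emailVerified": True},
]
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for u in select_stale(SAMPLE_USERS, NOW, 90):
        print(u["id"], json.dumps(reverify_payload(u)))
```

Run it from a nightly job that pages through the users endpoint and calls put_user for each stale user; Keycloak then prompts for verification at the next login, and you can additionally trigger the mail immediately with PUT /admin/realms/{realm}/users/{id}/send-verify-email. Make sure the verify-email flow (or an event listener) writes email_verified_at again after a successful confirmation, or the same users will be selected on the next run.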

Related

Non-intrusive email verification

My company has a website on which, at some point, users are asked to register.
Until a few weeks ago, we used to verify the mail address by sending an email.
The user had to log into their mail account and click on a link in order to validate their account.
Problem is, we had many users having difficulties (email not received...) or simply leaving the website at this step. Moreover, our support team had to deal with many calls about those difficulties.
We decided to remove this verification and it had many positive effects, the first being fewer tickets for our support team.
However from this point, we had many "fake" emails and I would like to know what I can do to limit those fake emails without the verification described above. Is there any non-intrusive method to verify an email address?
An example of a (probably) fake email is hyuiuyhajsdv@gmail.com
Here is what we're already doing to prevent fake emails:
We're using PHP filter_var to validate the format
I know it's not perfect but we didn't find anything better
We're doing a DNS verification of the domain name (with gethostbyname)
This prevents something like superemail@test1245.com
Finally, we're checking if the domain name matches a disposable email service.
Note: we don't have any problem with bots creating fake accounts, so a captcha won't help.
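The three checks listed in the question, carried through as an added example that is not the asker's PHP code. It differs in one point a practitioner would want: it asks for the domain's MX records instead of only an A record, because domains that receive mail do not always serve a web site, and a parked domain with an A record may accept no mail at all. The resolver is injected so the demo runs offline against a constructed DNS table and a constructed disposable-domain list; in production pass a function backed by a real resolver (for example dnspython's resolve(domain, "MX")).

```python
"""Cheap e-mail plausibility checks that never send a message.

Added example, not the asker's PHP code. It reproduces the three checks
listed above (syntax, DNS, disposable-domain list) but asks for the
domain's MX records instead of only an A record. The resolver is
injected so the demo runs offline against a constructed table.
"""
import re

# Conservative syntax check: local part of printable ASCII without spaces,
# one @, and a dotted domain ending in a 2-63 letter TLD.
_SYNTAX = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}@"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)

# Constructed disposable-domain list; real lists run to thousands of entries.
DISPOSABLE = {"10minutemail.com", "mailinator.com"}

# Constructed DNS table standing in for a live resolver.
FAKE_DNS = {
    "gmail.com":         {"MX": ["gmail-smtp-in.l.google.com"], "A": ["192.0.2.10"]},
    "mail-only.example": {"MX": ["mx.mail-only.example"]},  # no web site, mail works
    "parked.example":    {"A": ["192.0.2.1"]},              # web site, no MX
    "test1245.com":      {},                                # does not exist
}


def fake_resolve(domain, rtype):
    return FAKE_DNS.get(domain, {}).get(rtype, [])


def check_email(address, resolve=fake_resolve):
    """Return "ok", "ok-implicit-mx" or the reason the address was rejected."""
    address = address.strip()
    if not _SYNTAX.match(address):
        return "syntax"
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in DISPOSABLE:
        return "disposable"
    if resolve(domain, "MX"):
        return "ok"
    # RFC 5321: with no MX record, mail is delivered to the A record host.
    # That is still deliverable, but a weaker signal than a real MX.
    if resolve(domain, "A"):
        return "ok-implicit-mx"
    return "no-mail-host"


if __name__ == "__main__":
    for a in ["hyuiuyhajsdv@gmail.com", "superemail@test1245.com",
              "ops@mail-only.example", "x@parked.example",
              "me@mailinator.com", "not an address"]:
        print(a, "->", check_email(a))
```

Note what the asker's own sample shows: a random local part at a real provider passes every offline check, so these filters only remove the obviously impossible addresses. Only a verification mail, or the provider's bounce when you first send to the address, proves that the mailbox exists.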

Quickblox, send email to new users to validate email address

I'm new to Quickblox MBaaS and I would like to send out an email (to verify the e-mail address) to a specific user when he signs up. Is there a standard procedure for this or a way to do this in Quickblox? Many thanks for your help.
There is no way to do this for API users right now.
The cause of this solution is that it's quite hard sometimes for mobile users to verify an email. Just imagine a situation where the user doesn't have a ready-to-use mail client on his device - then there is no way to verify an email in this situation.
Other cause is that email verification can complicate your onboarding process.
It's possible to send a greetings email. You can set it up in the Admin panel, Users module, Settings tab.

Is there a reason to activate an account after registration?

My question is about the workflow of a web registration.
1) register with email + basic data
2) activate the account with a special secret link <- is this necessary?
3) allow the user to log in to the system
EDIT: I want to make the process as simple as possible without a password to choose/remember.
In more detail:
After a user registers on a web site I send out a confirmation with a generated password to log in on the site and proceed.
Many sites send an activation link first and then allow logging in to the system.
Is there any reason to do this additional step when I generate the password and send it out to the user?
Thanks for your answers.
Is there any reason to do this additional step when I generate the password and send it out to the user?
To ensure that the provided email address exists, and belongs to the person who registered the account.
I've noticed an increasing number of websites which skip this step. It seems to be a trend.
The purpose of the activation link is to guarantee that the email address provided by the user is one to which they have access. If you are generating a password and sending it via email to the user's email address, then the link is not required (because them logging in means that they read your email).
However, email is generally not a secure way to distribute information over the internet. You are sending them the password in plaintext, and you do not know how many people have access to that email account (e.g. a shared family account). I think you would be better off allowing the user to choose their own password at registration and then send them a link (offer to generate a password for them on the registration page, if you really believe that generating it is better).
The validation of an email account is usually to help prevent someone creating numerous accounts. This helps prevent spammers and various other bad people from attacking your site from different accounts.
In general you're trying to ensure that the person is who they say they are and that you have an outside means of communicating with them.
1 - to ensure that the email belongs to the registered user.
2 - to make it harder for people who want to create many accounts (like forums where a single person has so many accounts to use them in voting or something).
I remembered a funny site that gives you a 10-minute email, just to skip the process of creating a new email or even spamming your email by the sites you've registered in.
This way you make sure that the email address is valid and it will be more difficult for a spider to generate many users than without this step. Also, you might do a lot of things in your database when a user is registered and you can do these after the user is validated, to save time by not creating extra traffic on your database server for fake users.
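The "special secret link" of step 2, implemented as an added example that is not from any of the answers above. The link carries an HMAC over the user id and an expiry time, so the server stores nothing per link, a link stops working after it expires, and nobody can forge one without the server key. The key, the user ids, the clock values and the activation URL are constructed for the demo.

```python
"""Time-limited, signed activation links.

Added example, not from any of the answers above. The key, user ids,
clock values and URL are constructed for the demo.
"""
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # demo key; load from a secret store in real code
TTL_SECONDS = 24 * 3600                # links die after one day


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(msg, key):
    return _b64(hmac.new(key, msg, hashlib.sha256).digest())


def make_activation_token(user_id, now=None, key=SERVER_KEY):
    """token = <user_id>.<expiry>.<hmac-sha256(user_id.expiry)>, URL-safe."""
    if now is None:
        now = int(time.time())
    exp = now + TTL_SECONDS
    msg = f"{user_id}.{exp}"
    return f"{msg}.{_sign(msg.encode(), key)}"


def verify_activation_token(token, now=None, key=SERVER_KEY):
    """Return the user id if the token is authentic and unexpired, else None."""
    if now is None:
        now = int(time.time())
    try:
        user_id, exp_s, sig = token.rsplit(".", 2)
        exp = int(exp_s)
    except ValueError:
        return None
    expected = _sign(f"{user_id}.{exp}".encode(), key)
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    if now > exp:
        return None
    return user_id


if __name__ == "__main__":
    t = make_activation_token("42")
    print(f"https://example.com/activate?token={t}")   # hypothetical URL
    print(verify_activation_token(t))
```

Because the token is stateless it can be presented more than once before it expires, so the activation handler must refuse to activate an account that is already active; that is what makes the link effectively single-use. If the user can change their address between registration and activation, include the address in the signed message as well, so an old link does not activate a new address.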

Verifying a user in "Email Submission" use case

I'm building a system that allows people to submit text and photos via email in addition to standard access on the website. I'm trying to weigh the security advantages of two strategies in particular for verifying submissions from a user. Here they are as follows:
To based auth: Create a secret email address per user and present this to the user for submission. This strategy has the advantage that people can send from multiple devices that might be set up with different mail accounts
From based auth: Only accept emails from addresses that are registered in the user database. The idea being that it is impractical/difficult to impersonate registered users based on the sending address.
Can you think of other possible solutions? Which strategy of the ones proposed makes the most sense to you?
I would suggest that you not use From based authentication, at least not without some additional credentials (a passphrase, etc)
It's way too easy to forge, and certainly not difficult if you know someone's email address.
If you echo the email back to the user for confirmation, you can make things a little more difficult, but realize that your service can end up being used as a sort of spamming relay. (I could send 100 upload requests to you, with a forged FROM address, and you'd go ahead and spam the real person with 100 confirmation requests)
The better option is to check the registered email address but add the need for a code within the email subject known to the user. This way if they forge the email from address, they would still need a key to authenticate the incoming email.
I would go with "from" + confirmation, to avoid forging.
I.e. receive the email, but send a response with auth token in the subject line (or in the body) back to the "from" address. The user will either need to reply, or click a link to confirm the submission.
And you post the content only after confirmation.
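The option the answers converge on (registered From address plus a code in the subject that only the user knows), as an added example that is not code from the thread. The registry, the per-user codes and the inbound messages are constructed for the demo; the point of the sample messages is that a forged From header, or an address-looking display name in front of an unregistered sender, is not enough to get content accepted.

```python
"""Authenticating e-mail submissions: registered sender plus per-user code.

Added example, not code from the thread. Registry, codes and the sample
messages are constructed for the demo.
"""
import hmac
import secrets
from email import message_from_string
from email.utils import parseaddr

# Constructed registry: address -> per-user submission code, shown to the
# user once in account settings and rotated by regenerating it.
USERS = {
    "alice@corp.example": secrets.token_urlsafe(12),
    "bob@corp.example": secrets.token_urlsafe(12),
}


def authenticate(raw_message, users=USERS):
    """Return the registered sender address if the message is accepted, else None."""
    msg = message_from_string(raw_message)
    # parseaddr yields the real address from "Display <addr>"; the display
    # name is never trusted, it is the easiest part of a header to spoof.
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    code = users.get(addr)
    if code is None:
        return None
    # The code must appear as its own token in the subject, e.g. "[code] photos".
    tokens = msg.get("Subject", "").replace("[", " ").replace("]", " ").split()
    if not any(t.isascii() and hmac.compare_digest(code, t) for t in tokens):
        return None
    return addr


# Constructed inbound messages.
GOOD = (
    "From: Alice <alice@corp.example>\n"
    f"Subject: [{USERS['alice@corp.example']}] beach photos\n"
    "\nhello\n"
)
FORGED_FROM = (          # attacker knows Alice's address, not her code
    "From: alice@corp.example\n"
    "Subject: beach photos\n"
    "\nhello\n"
)
DISPLAY_NAME_TRICK = (   # address-looking display name, unregistered real sender
    'From: "alice@corp.example" <attacker@evil.example>\n'
    f"Subject: [{USERS['alice@corp.example']}] beach photos\n"
    "\nhello\n"
)
WRONG_CODE = (           # Bob's code sent as Alice
    "From: alice@corp.example\n"
    f"Subject: [{USERS['bob@corp.example']}] beach photos\n"
    "\nhello\n"
)

if __name__ == "__main__":
    for name, raw in [("good", GOOD), ("forged-from", FORGED_FROM),
                      ("display-name", DISPLAY_NAME_TRICK), ("wrong-code", WRONG_CODE)]:
        print(name, "->", authenticate(raw))
```

If you add the echo-back confirmation from the other answer on top of this, send it only to addresses that are actually registered and rate-limit it per address, which addresses the relay concern raised above: a forged message from an unregistered address then produces no outbound mail at all.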

What's the best way to give the user weekly updates from your program?

I have a program that, for the most part, operates in the background. Let's say it DoesWork(). Once a week, I want it to notify the user on some of the work it has completed over the past few days. It will be a basic status report, listing some files that have been downloaded.
Initially, I wanted to send this status update via email, so I looked into that but there are a lot of problems. I need an SMTP server so I looked at GMail. It's okay but has a daily limit of 500 emails, so this wouldn't be suitable for release. Also, there would be issues with the same email account password being given out in each copy of the program, which as I understand it, is a risk even if the password is stored using encryption.
Then I thought maybe I could use the user's own email account to send email to his/her self. This has a couple of complications too: the user would need to specify all of the smtp information for his/her email account, which is too complicated for the target user. Also, I don't want to have to have people entering their email account password into my program just to send emails. I don't think that's a good habit to promote.
Is there any way I could do this via email? Email was my first choice because it's a system of notification that users will already be checking. It's fairly non-intrusive.
Is it necessary to setup my own smtp server? If so, how can I do that?
If email is a no-go, I was also thinking about just generating a local HTML file with the relevant information, and then having a notification popup from the program once a week to inform the user that a new update report is ready. I think this is totally doable, it's just overly intrusive and not my first choice. I want to piggyback on a system that the user is already using.
Thanks!
-greg
An alternative is to have the program generate an RSS feed and direct the user how to subscribe to it. Also, once a new update is generated, show the update toast for about a minute, then hide it automatically and change your systray icon to something different. In about a day change it back to the original icon. Also, give the user a setting to turn the toast off permanently.
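The RSS suggestion carried through as an added example, not the answerer's code. It writes the weekly digest as an RSS 2.0 file that the user subscribes to through a file:// URL in any feed reader, so nothing leaves the machine and no SMTP credentials ship with the program (the concern in the question). File names come from downloads and are untrusted input, so the feed is assembled with ElementTree, which escapes them, rather than by string concatenation. The sample items, the channel link and the output path are constructed.

```python
"""Writing the weekly status report as a local RSS feed.

Added example, not the answerer's code. Sample items, channel link and
output path are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import format_datetime   # RFC 2822 dates, as RSS requires


def build_feed(title, items, generated_at):
    """items: iterable of (filename, datetime) pairs; returns the RSS 2.0 bytes."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = title
    ET.SubElement(channel, "link").text = "file:///C:/ProgramData/DoesWork/"   # assumed location
    ET.SubElement(channel, "description").text = "Weekly digest of completed work"
    ET.SubElement(channel, "lastBuildDate").text = format_datetime(generated_at)
    for name, when in items:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = f"Downloaded {name}"
        ET.SubElement(item, "pubDate").text = format_datetime(when)
        # A stable guid lets readers skip items they already showed when
        # the feed is regenerated next week.
        ET.SubElement(item, "guid", isPermaLink="false").text = f"{name}@{int(when.timestamp())}"
    return ET.tostring(rss, encoding="utf-8", xml_declaration=True)


def item_titles(feed_bytes):
    """Parse a feed back, as a reader would, and return the item titles."""
    return [e.text for e in ET.fromstring(feed_bytes).iter("title")][1:]  # skip channel title


# Constructed sample; note the hostile file name.
SAMPLE_ITEMS = [
    ("dataset-2024-06-28.zip", datetime(2024, 6, 28, 9, 0, tzinfo=timezone.utc)),
    ("<script>alert(1)</script>.pdf", datetime(2024, 6, 30, 18, 30, tzinfo=timezone.utc)),
]
GENERATED_AT = datetime(2024, 7, 1, 8, 0, tzinfo=timezone.utc)


def demo_feed():
    return build_feed("DoesWork weekly report", SAMPLE_ITEMS, GENERATED_AT)


if __name__ == "__main__":
    with open("weekly-report.xml", "wb") as f:   # assumed output path
        f.write(demo_feed())
```

Regenerate the file each week from the program's own records and keep the guid scheme fixed; readers that poll the file show only items whose guid they have not seen before.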
Relying on email is not a good idea, as you would have to collect the user emails and deal with the privacy issues for that, you would be effectively DOSing any third party SMTP server or would have to invest in the infrastructure for your own.
If I've understood it correctly, the user is running this program on his pc, in the background.
The perfect way to notify something would be, IMHO, given the program is minimized to the tray bar, a small popup that, when clicked, would open a window with a weekly report.
Hope this helps.
If you do get them to specify their own smtp server, make sure you put a "Send Test Email" button on there so they can test it. I know from experience that users always enter the wrong details when specifying a smtp server, user name, password, which is made worse since some smtp servers require a user name/password and others don't.
If they do enter the wrong details (or they change) then you might need to have some way to send them older reports, or to have some other way of notifying them that you can't send email.
Email's great, but you might need an alternative method also.
Google for simple smtp server windows gives you this
To be honest if you are just sending things once a week email is your best bet, as it's not frequent enough to guarantee that the user will be at his machine to accept some other sort of request, which would require you to write proprietary software.
You could alternatively post it to an irc channel, or write an MSN bot to message the user, the message would be sent as an offline message if the user was offline.
I'd still go for email, it's tried and tested.
For a simple SMTP server I use hmail. I configure it to accept all SMTP requests from the local machine, regardless of source and destination, and to deny any SMTP requests not coming from the localhost. This will be fine if you have a centrally located application.
If you want to distribute the app you have a whole different situation; with a lot of ISPs putting restrictions on SMTP traffic your best option would be to allow users to put in their mail account details and then use that to send mail. This will ensure everyone can put in working settings. Then use whatever library or pre-made code exists for your language of choice to send an email using those settings.
Does it need to be a weekly digest? Instead, how about using Growl (or equivalent) to notify the user of the tasks being completed in real-time, in the background?