If this question has already been asked, please comment so I can remove it.
I'm aware of the advantages of email verification, especially in regard to spamming (which could easily kill me since most of the functionality is in posting comments).
I'm contemplating the removal of email account verification for the application I'm currently building. This is for numerous reasons:
I've noticed other apps/websites
simply don't implement it.
It's far more user friendly then to
skew the user over to their email.
Since the application is moderate in scale and functionality, revisits are short-lived, some users may be inquisitive about it as to sign up, but some might feel it's an overkill to actually go through email verification.
App is not celebrated as to compel visitors to take effort, sign up and verify.
I know I'm getting into the gust of it, and while I'm writing this visitors could've verified their account for the gazillionth time; however, would you agree that for some moderately scaled applications an account verification might deter a casual visitor?
What measures do you personally prefer to undertake?
Why not use some form of federated ID like OpenID and such?
Verification is good if you plan to send email to them on a regular basis. Otherwise if it's just a casual site, you will probably need to offer something compelling to get them to register and provide you a valid email address.
Do you have something compelling?
Related
I came from a similar state in this question.
My objective is to reply to interested customers via whatsapp messages. I'll use a very special setup, so I'll be using the API.
Reasons:
With not to pay anyone other than container hosts
Solution with custom API
Customer doesn't like any extra costs
Just like user noboundaries, I see the numbers, but I cant get the certificate
User Navjot Singh has explained I need to create a "business api account"
I tried just that, put out all my contacts and stuff, in this site.
They did respond yes, but only with pointless instructions, since I wish not to contract any messaging providers. I had taken a look at it, but they charge a very expensive price beyond the $0.005 whatsapp will charge. Also, the solution I'm creating requires messages to be sent programatically, and the partners don't seem to provide the correct solution.
So, I wish to skip into using the api. I followed the appropriate guides:
Getting started
Phone Number
I already got some things done:
two phone numbers (one of them for testing) with whatsapp business;
company has been verified, with domain
have business management account
local environment with docker
I can access the local environment and I have set an user account and the admin acount. I can log into those via the API, since postman can ignore certificates, but in order to proceed I really feel like I need that certificate.
So to sim up I guess I need help creating the whatsapp business account for my customer. Any advice?
Also i'd appreciate any other helpful insight or feedback. I really feel lost and I don't see a place where I can talk to people trying to do the same thing, or doing this is much of a madness after all?
thanks for getting to read until here, and I apologize for my non natural, almost broken English.
Hi I wanted to start big in stackOverflow but I fell flat.
About the subject at hand, westerday I dwelt deep into the rabbit hole.
For most companies, you actually are forced to work with a provider, such as twllio or messagebird. They act as intermediary between the facebook business and the whatsapp business api.
Some of they offer messaging separated from whatsapp api setup I still need to take a look into it, but for those who are trying to set up whatsapp business api on their one, it seems as of november 2020 it's not possible.
please check out:
respond.io's guide
blog post from take.net PT-BR (google translate didn't like me trying to translate this to English)
Is there any way to use some paypal api for validation of username in paypal?
Google didn't give much :( and using such method isn't comfortable, cause there are too many requested parameters(for example, i know user's email, but i don't even want to know his adress,etc.).
PayPal doesn't provide such an API and for a very good reason.
Remember - it's being constantly under a lot of pressure from scammers around the world that are trying to steal other people's money. Just imagine the phishing power one might get by being able to pre-validate the email addresses to see if they really are current PayPal users and then crafting a targetted email attack on them...
Such an API (to see if a random email address is registered with a PayPal account holder) does not and never will exist for security reasons. With possibly one exception - "trusted partners", where PayPal partners up with a big and established entity and allows special API permissions (based on secure credentials), but this is not something a mere mortal could ever hope for.
Furthermore, if a workaround is discovered that allows to do just that - rest assured PayPal will patch that hole ASAP to avoid security breach.
I have a web app that you can currently log into with either your email address or your username.
I'm developing an iPhone application and I'm just wondering if I should offer the ability to log in with your phone number. If this is the case, a user would first have to provide the service with a number on the web (an optional parameter).
I find it convenient on other services I use where I might not remember what email I have connected to it.
Is this a good idea?
Would you offer it in a service you were
building?
I'm trying to decide if its worth the trouble to build.
NOTE: This number would strictly be used for authentication.
I think that if your service is not about phone numbers (calling, texting, etc., e.g., whatsapp, etc.) I would not add phone number authentication for a few reasons:
Some users might be deterred to provide a phone number due to privacy concerns (no matter how hard you try to explain them that you will keep it safe)
With the phone number you will now have 3 options to login with, which is way too much. You want to keep your mobile login screen very simple
Some people may think that they might get SMSs from you or get their phone bill charged somehow
Overloads your backend
Just keep it simple...:)
To add to that, I personally prefer just email, without a user name. So many sites require user names AND impose restrictions on how this user name should be structured, so you end up with tons of them. With emails, you can't go so wrong - most people use a primary one to sign up for sites.
Hope that helps.
We want to streamline the user registration and login process. The goal is to reduce the time and effort for users to register and login to our site.
At the same time, we don't want to overwhelm users with choices. We don't like how some web sites present registration/login options via multiple channels (e.g., Facebook, Twitter).
What are the pros/cons of each of these systems? Which do you use, and what are your main gripes?
Offer all of them, don't take the time to ask "why?".
It's always worth it to get users on board.
The biggest (IMO) pro is that you are no longer storing passwords in your db. Leveraging one of those other site's authentication service relieves you of this. It doesn't relieve you of having a secure design. I'm also not sure that your average end user really cares. If your service is highly aligned with one of those services, maybe. However, if you are not targetting those end-users, then probably not.
Rob Conery did a recent write up of his experience with OpenId. This might be a good read:
http://blog.wekeroad.com/thoughts/open-id-is-a-party-that-happened
Hope this helps.
Bob
Well, yes, it does all depend on your user audience.
In any case, I would say that Facebook Connect is probably your best bet due to the sheer number of people using Facebook. Still, as far as I've noticed, it's not really "professional" websites that use Facebook Connect, mostly forums and unofficial (but popular) news blogs.
Many "professional" websites (catering to... well, professionals) will use a normal Register/Login rather than Twitter, Facebook, or OpenID. Still, a professional website would likely need a more professional solution, so I would suggest OpenID, which also supports websites such as Yahoo! Mail and developer communities (such as Stack Overflow!). You can see the full list of sites here.
In all honesty, I don't really think that using a Twitter login would be very efficient. Think of it this way: for one, I've noticed (but I could be wrong) that Twitter is mainly used by the small hobbyist or the people who use it to give updates on things they're doing or making (and sometimes just the people who want to be in on the times). So unless your website is aimed at these type of people, it wouldn't really be useful. On top of that, I don't know of many people who particularly like it, partially because of its over-popularity. Still, it could be the same way with Facebook, but this is all subjective, so if you really want to pick Twitter, go for it.
Anyway, that's my take on things. I don't personally use these systems on websites I've built, but I know how they work.
For one, when you log in using any of these for the first time, they take the user to a new page or open a popup window asking them to confirm if they want to connect their [Whatever] account to your [Website Name]. After that, it's a bit easier to use just because they don't have to keep repeating the process unless they disallow your website on their service.
With OpenID, you have to log in to your OpenID-enabled webpage using http://myusername.myopenid.com/ or myusername.myopenid.com. If they don't choose to remember their password, this can become a bit tedious to type in every time.
With Facebook Connect, it usually automatically connects all of their information to the website, including full name and profile picture (meaning that if they have a profile picture of that snazzy tattoo on their inner thigh, other users will be able to see that).
Finally, as far as I can see, Twitter doesn't do much other than connect whatever name you had on your profile page (if it's "John Doe" or "Weiner Schnitzel", it'll show on your website) and your profile picture, just like Facebook.
To finish up, those are pretty much all the pros and cons that I can tell about the services. Good luck!
What is your target group?
If you want that many normal people uses your application than use Facebook.
If there are many coder / blogger / internet junkies than use Twitter.
If you have a lot of open source guys than OpenID will do the job.
If i'm is not wrong, previously there is a website providing kinda service about providing login platform to allow user connect to your site. Of course it is not free and i was abandon it because of high annual fees and mind change after research being done.
While you using their service to growing your business or website, you can save their time it's true. but honestly, will they really care on how long time taken to connect their facebook with your website either register as a new member in your website. While you can give confidence to you client, they do. they willing to spent few minute to fill up simple information to make an account for them self if they felt they worth to spent the minute to get service from your website.
Totally agreed to what rcravens said, if they connect through third party website, means you are gonna giving you user information to that website. For example, to archive FACEBOOK CONNECT you will need to create an application for them to trust them you only can get authority to access. while they accept and login to your site, it is good for FREE advertise because while they connect, can use their account as medium to post your information to public. BUT mostly site will sell their information gather or share them in any way to some organization who need them for decision.
My point is, how many people using your site and mostly who is using, what characteristic of your site user and so on... everything is no more under your control !!!
Perhaps, you may use it but what if their service shut down few hour for maintainance...
I'd recommend using something like RPXNow (https://rpxnow.com/) or Gigya (http://www.gigya.com/) as an intermediary to the various authentication providers. Facebook and Twitter are notorious for always changing their APIs. It is a pain to keep up with them. These services give you a simple abstraction layer, so that you don't need to change anything on your end when the providers change their APIs.
i like facebook but..
facebook is block in some country.
open id is not famous.
twitter is famous and simple.
so use twitter is the best :)
Use OpenID as it is a standard that is also integrated into many Mail Accounts, like Google or Yahoo. You never know how long Facebook will stay around and therefore it's better to have something people just don't throw away (there Mail address). If you make a nice selection screen (e.g. stackoverflow), the people don't even know that they're using OpenID. If you just want to get authorized Comments, picture uploads for twitter or fb, a game connected with social features don't use it.
Facebook Connect is very usable for one time comments or stuff like this. If you want to store your own data about the user (e.g. blog service, saas), not dependend on "social networks" don't use it.
Twitter Login makes only sense if you connect your service with Twitter, otherwise forget about it.
I would use a hidden OpenID approach.
Facebook is great for keeping tabs on family and friends. Beyond that I, personally, wouldn't use it in support of any other app. It's just not bullet-proof enough from a security/malware standpoint. There is too great a chance someone could have issues of that sort with Facebook and attribute it to your site, whether reasonably so or not.
I like OpenID. Not thrilled with the notion of hitching my wagon to any of the social networking sites/services at all.
Is this a technical or commercial question?
The answer to my mind is it depends what you want to do with the data.
If you just want to provide a service to a broad list of people then the answer has to be to gun for openness, not proprietary - particularly since the open standard is supported elsewhere, Gmail, Yahoo et al.
However, if you want to demographically profile that database at some point to offer targeted services, then you need to understand the questions you're likely to require answered and whether a third party method is going to enable that or not.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 3 months ago.
The community reviewed whether to reopen this question 3 months ago and left it closed:
Original close reason(s) were not resolved
Improve this question
I'm creating a web app that requires registration/authentication, and I'm considering using an email address as the sole user id. Here are what I see as the pros and cons (updated with responses):
PROS
One less field to fill out during registration (it would just be email address, password, and verify password). I'm a big fan of minimalistic registration.
An email address is easier to remember. (thanks Mitch, Jeremy)
You don't have to worry about your favorite username being taken already - you're the only one who uses your email address. (thanks TStamper)
CONS
User has more to type every time they log in.
What if a user wants multiple accounts? They'll need another email address. (Do I even want a user to be able to create multiple accounts?)
Easy for a potential attacker to guess (if they know the target's email address, they know the login id). (thanks Vasil)
Users may be tempted to use the same password they use for their email account, which is bad security. (thanks Thomas)
If you change email addresses frequently, it may be difficult to remember which address you used to sign up for a site after a long hiatus. (thanks Software Monkey)
A hacker could spam the registration form and use "email already taken" responses to generate a list of valid emails. (thanks David)
Not everyone has an email address. (thanks Nicholas)
If I went with email as id, I would provide a mechanism to allow it to be changed in the event a user changes address. In this case users would not be posting content to a public site, so a separate username won't be necessary to protect the email addresses (but it is something to consider for other sites).
Another option is to implement OpenID (which is a whole other debate).
This seems to work for Google, but their services are tightly integrated. What have I missed in my analysis? Do you have any recommendations? Does anyone have experiences to share?
FINAL EDIT
Thank you all for your responses. I have decided to use email as an id, but then allow the creation of a username for login purposes after registration. This allows a little flexibility while keeping registration as short as possible. It also prevents problems when a user changes email addresses (they can just log in with their username and update it). I will also be implementing methods to prevent brute-forcing of email addresses out of the registration and login systems (mainly a cool-down period after repeated attempts).
Personally, I prefer just using my email address as a username. It's one less thing to remember, and I never have to worry about my preferred name being already taken.
Just my 2 cents!
I think you missed a PRO:
Users are likely to remember their email address; and as email addresses are unique, they never have to worry about their preferred username being taken already.
As a user of websites, I can tell you that I hate memorizing unnecessary usernames. I don't use a unique handle or anything so I can never remember which variation of my name I used that wasn't already taken. I'd much rather type my email address.
Also, I like OpenID.
CONS
When the same password is used for the e-mail account, compromising the one automatically means compromising the other.
CON: Not everyone has an e-mail address. Consider if your database is ever accessed by an internal application. If you are running a store, people will call up and place an order by phone and refuse to provide an e-mail address. So while having an e-mail address as the default user ID is cool, be sure to allow alternates to get into the system. (Of course, this depends on the context.)
Learned this one the hard way.
I tend to not prefer pro/con lists, and instead try to think of benefits and challenges.
Challenge:
Some users will be tempted to use their email address from their ISP. Linking to an email alone, may be difficult for the users who forget to update their email in all the web sites they have signed up for before they change ISPs.
Instead:
You should consider allowing a user to provide multiple addresses, as well user-selected id and then let the user decide what they want they wish to do. Perhaps also consider allowing the user to provide an OpenID account.
CON: If I change my email address, suddenly all my account names are invalid. My name doesn't change, but my email often does. I have occasionally revisited a site after a number of years, and been stuck... what was my email address two years ago???
One setup you may want to consider: Have both a username and an email. The email is used to login and is always kept private, the username is used to identify the user in any public interaction, such as posting a comment. It winds up being slightly more secure as both halves of the user login credentials are kept private, whereas if you use a username for both login and public identification, half of the login is already known.
I definitely agree with you about having minimal registration for most cases, but depending on what you're doing you may want to balance that against added security for your users. Four fields isn't outrageous for registration, (username, email, password, confirm password), and if you're feeling particularly adventurous, you could cut it down to three by dropping the confirm password field, or two by emailing them a password that they can change later.
PRO
People hate having to create a unique name that fits their id and that has not already been taken to register for a site..So this is why the user id as EMAIL ADDRESS is so embraced.
ex:TStamper1930, who actually wants to remember 1930 at the end of my name that I really wanted
CON: If a hacker can try registering random email addresses en masse, he or she will be able to figure out which of those addresses are valid based on which registrations fail. This is a tactic that can be used to put together lists of known valid email addresses, which are a hot commodity on the spam black market.
Although now that I think about it, that's a problem that affects any website which asks for an email address as part of the registration process, regardless of whether or not there's a separate username. But it's still something to think about.
Stick to email addresses they are used everywhere, actually most of the major websites use them, they are unique so they save the user from struggling to find a name that's not used by others, also users won't forget their email addresses (in most cases at least :)), which is unlike usernames that they will keep on forgetting if they don't visit your site very often.
You shouldn't be worried about them being too long as all the major browsers (IE, FF .. etc) offer autocomplete to forms which is enabled by default, so you type the first letters in your email and you get a drop down list (ie. autocomplete list) where you just click to enter the whole email, personally I almost never type the email address in full, I always type the first letters then select the email from the autocomplete drop down list. Besides, if you allow users to be remembered (using a Remember Me checkbox and persistent cookies), it will be another reason to not worry about it.
I don't know about your app but usually users having multiple accounts is not desirable in most apps.
One con might be that if it's an email address the login can be guessed by people and brute force attacks attempted. Which is not really a big issue, since on most sites today the logins are publicly displayed.
The biggest pro is that logins are easier to remember this way.
A good setup is to require username and email. Allowing the user to login with either email address or username is very user friendly. An added benefit is the user can change their email address. It would also allow multiple accounts for one email.
To solve your con item of the email being too long to type in every time. I have implemented the StringScan Ruby library.
require 'strscan'
def signup!(user, &block)
self.email = user[:email] unless user[:email].blank?
str = StringScanner.new(self.email)
str.scan_until(/#/)
str.pre_match
self.login = str.pre_match
etc..
Then just change login method to allow either email or login to match password.
This works just like google or mobileme. A user can choose to just type in their email username (ie. username instead of username#gmail.com.)
I'm fighting with removing this right now. Here's a newer CON from the current era.
An email address is considered Personal Identifiable Information (PII) by many governments. Hence extra care needs to be taken any time you display it on a page, or even return it from an end-point.
Consider that many sites allow interactions between different users. This often means the site will provide a list of users to choose from (e.g. a drop-down list, or search results). This ca actually enable the leaking of PII by the site.
Usernames, on the other hand, can be completely anonymous. Given the prevalence today of password managers, users really don't need to actually remember their username and password.
If you don't care about forcing your users to login to your application with Facebook or some other social network (most people don't seem to care), then you can just use their social network email as their 'user id' when referencing other tables/documents (MySQL, Mongo, etc).
I've noticed the bonus to using social media logins is that all the security has been taken care of by said social network, including not allowing 2 users to have the same email or username in their database thus saving you the hassle of having to code for all of that. This is just my personal preference.