I have a question about email verification and user registration. The other day I created accounts for both Twitter and Facebook and I realized in either of them I was asked to fill a CAPTCHA. And even before validating my email account I could already use my account and add friends and all that. Supposedly I had limited options, but didn't even realized it.
My question is, as I'm building a website with user registration myself and I'm planning on use this method, how to deal with spam, "junk accounts" and people that don't validate their email accounts?
And more realistically, I was thinking either asking for a CAPTCHA and an email (and let users verify their accounts later on) or asking for an email and waiting for it to be verified (with a link or a temporal password) right away. In this case, which is the best option?
Thanks!!
It's debate question which is good or bad.
I personally feel Use email verification by sending link on email account and verify that link on click. This will let you trusted user.
By the way captcha isn't bad. It will prevent automated account creation strongly.
Related
I am developing an ASP.NET Core web application with user management functionalities. My question is about the email address changing algorithm. Almost every web app I saw before have the following flow:
User authorized
User requested an email address change
User received a message on the new mailbox with the confirmation link
User clicks the link and the email address updates
But I think, this algorithm might be a bit insecure and that is what I want to discuss here.
How about this flow:
User authorized
User requested an email address change
User received a message on the old mailbox with the confirmation link
User received a message on the new mailbox with the second confirmation link
User clicks the link and the email address updates
With this additional step in the middle of the algorithm, things may be much better from the security perspective, but would it be too complex or not? How do you think what algorithm I should implement? And what would you prefer if you will be in my shoes?
The second options might sound great, and it's not too much headache to implement too. But I'll stick with the first approach due to some reason:
Common work flow pattern.
As the backend side can be wrote by many language, by various developers, so common pattern would make things more standard when we need some kind of migration, and even maintaining by new developer. If the project doesn't require ultra-secure authentication flow, the simplicity of first approach was enough.
From user convinient pespertive
Let's just imagine when changing an email address, what case the user likely want to change email address ? I was register my facebook account long ago using yahoo mail, that's no-longer active, and i need to switch to a gmail one. What's the point of sending the email back to the old one ? Cumbersome... and i can do nothing in this case except get some help from the staff.
I totally aggree with the second approach on security angle. But that's not suitable for most of the case, only implement if the project have some requirement. And even in that case, I suggest don't even do that too, build some thing like sub-admin account role and grant permission to someone have responsible. Like Google enterprise email organize some account called admin if anything wrong happen to user account. As long as it has this kind of security level requirement, it's not gonna serve massively user.
The intension of all the flow
The User got authorized first, right, that's mean we Identified what the user are, and what she capable to do. Imagine when we hide a hotel room then request to change to another due to some reason. What's the point of proving that's I booked my own room, since we all know that's the fact ? Kinda weird... right ?
To conclusion, I think we shouldn't mess with something that's become common pattern that widely acknowledged, except we have some special requirements and the project have something uniquely to satisfy, and we consider ourself, as developer that's reasonable.
The main problem with this approach is: what happens if the user no longer has access to their original email account? Perhaps it was a work/school/uni account that they no longer have, or perhaps they've just forgotten their password or otherwise lost access to it.
With your second approach, they are not going to be able to update to the new account, because they'll never receive the first confirmation link.
How about the following approach instead:
User requests an email change.
Require the user to re-authenticate with their current password (just like when they change their password).
Send a confirmation link to their new email.
Send a notification to their old email, with the details of the change, and instructions of what to do if they didn't initiate the change.
User clicks the link to update or contacts your support to say their account has been compromised.
This way you still provide them with an alert that someone is trying to change their email (and potentially a means to stop it), but a user who has lost access to their old account will still be able to update their email.
My API is able to link a client's bank account, but is unable to 'unlink' it. The documentation specifies that 3 body params are needed: "client_id", "secret", & "access_token." However, from what I have read an access_token can be linked to MANY accounts. Is there a way to retrieve the access_token associated with a client's client_id & account_ID, and subsequently remove that account while not removing others (if they exist)?
tl;dr: No.
There is currently no way for you as a developer to delete, say, the user's checking account from an Item/access token while keeping access to e.g. the user's savings account at the same bank behind the same login.
That said, I'd be interested in hearing more about your use case -- it's possible that the "Select Account" feature might solve the problem you are looking for, and we're also rolling out some improvements to Select Account soon that might make it work even better for you.
An Customer ask me to implement it at his Webpage, because he don't have the technical Skills to do so.
I wonder, what's the right way to do this.
On other Google-Services (like Google Search Console) the User can sign into his account and grant me permissions as Guest (he invite me as guest to his account and gave me permissions).
This is a clean way to do, because If I stop working for this customer, he can easily remove the permissions of my login and all is fine.
But how does it work at Google ReCaptcha?
Looking forward to hear, how you solve this.
it better to use the user's credentials for this purpose, just take client's primary or secondary email (or create a email for the project) and make it base for everything that's needed for your project like recatcha, search-console etc. you can use it as long as you are working, and client can simply change n give the credentials to next developer and he can continue.
i am web developer and i face this situation many times, this is best solution in my opinion.
I have ran into a problematic situation, which I really hope I can get help with.
I'm working on Jive Software solutions and we have a product that integrates Google Drive and Gmail.
This integration product was once part of a startup that was acquired by Jive and as such, the Google api project we are using for the integration belongs to a Google Account of a specific person which no longer works in Jive (we do have the credentials for the account though).
The problem is, that we want this account to be ours, i.e, a Jive software one.
So, one option I have, is to create a new account and replace the api account I'm using in the code to use the new one. This is bad, as it will break all the current authenticated clients, and will force them to take the oauth process all over again.
The other option I see, is to convert the existing Google account we are using to a jivesoftware one, so it will not be associated to any specific person but it will still be the same account.
Specifically I'm interesting in changing the Name and Email of this account.
Any suggestions of how we can achieve that?
A third option could be moving the api project to owned by another google account, but I couldn't find such an option in the UI, any clue?
There is no way to change a gmail address. You can forward all email to a new address with the name and email address you would like though.
This way you access all the email from an account that is a Jive software one but it is being forwarded from the old one still. However no one directly accesses the old one.
Check out https://support.google.com/mail/answer/10957?hl=en for more info.
According to the documentation, if you use Gmail with your Google Account, it's not currently possible to change your Gmail username after you've registered. with your username being the full email address you used to create your account. You can, however, change your nick name by going to https://myaccount.google.com and clicking Personal Info.
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.