Question

I have a service that requires an active e-mail address where users can receive notifications. Users can optionally receive notifications on multiple e-mail addresses by adding them.

  1. Should I require a new e-mail address be confirmed before I activate it?
  2. Should I require an e-mail address be confirmed before changing it?

I'm looking for best practices. I'm not dealing with any sensitive or billing information.


Solution

Yes. Doing so protects users who have had their site accounts compromised from having someone change the main e-mail address and completely lock the user out of his account.

This is good practice regardless of whether or not the account protects sensitive information because nobody wants to deal with being locked out of an account by an attacker.

OTHER TIPS

Yes, it would be best to do so. Imagine... What if the email address they provided is not correct (misspelled), does not exist, or worse, is someone else's? Regarding the last case, I don't mean that your service is spam, but simply that the notifications they had hoped to receive would be sent to someone else. I think it would still be beside the point even if no important information is included in the notification; it would be a matter of the wrong person receiving notifications meant for someone else. :)

I would suggest that you have to confirm the new email before it can be changed, so you still have contact with the user. The old email could potentially be stored in a separate database so it is not visible to the user, and only deleted when he/she has confirmed the new email.
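The flow the answers describe (the old address stays active, the new one is held as pending until a confirmation token sent to it is redeemed), as an added example that is not part of the original question or answers. The `Account` dataclass, the one-hour token lifetime and the `now` parameter are assumptions for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 3600  # assumed: a confirmation link stays valid for one hour


@dataclass
class Account:
    active_email: str
    # The pending change lives apart from the active address until confirmed,
    # so an attacker with session access cannot swap the contact address outright.
    pending_email: Optional[str] = None
    pending_token_hash: Optional[str] = None
    pending_expires_at: float = 0.0


def _hash_token(token: str) -> str:
    # Only the hash is persisted; a database leak does not expose live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def request_email_change(account: Account, new_email: str, now: float) -> str:
    """Record new_email as pending and return the one-time token to mail to it.
    active_email is left untouched, so the user keeps receiving notifications."""
    token = secrets.token_urlsafe(32)
    account.pending_email = new_email
    account.pending_token_hash = _hash_token(token)
    account.pending_expires_at = now + TOKEN_TTL
    return token


def confirm_email_change(account: Account, token: str, now: float) -> bool:
    """Activate the pending address only if the token matches and is unexpired."""
    if account.pending_token_hash is None or now > account.pending_expires_at:
        return False
    if not secrets.compare_digest(_hash_token(token), account.pending_token_hash):
        return False
    account.active_email = account.pending_email
    # Clear the pending state so the same token cannot be replayed.
    account.pending_email = None
    account.pending_token_hash = None
    account.pending_expires_at = 0.0
    return True
```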

Licensed under: CC-BY-SA with attribution