35

So I'm writing a mobile app and have reached a point where I need to allow users to register a username. I'm doing this by asking for an email address, username and password.

Typically, it's been normal to set this sort of thing up on the web by having the user confirm his email address by clicking on a link sent to his inbox.

Needless to say, on a mobile app this is a bit clunky as the user will be redirected out of your app and into his browser.

So I had a look at how other mobile apps are doing it (WP7) and was surprised to see that Dropbox and Evernote both allow you to sign up without confirming your email address. The end result of this is that I was able to sign up with completely bogus email addresses and/or valid email addresses that don't belong to me.

I assume this is done on purpose.

Your thoughts?

cherouvim
Senkwe
  • 3
    As the person that asked this question originally, I just thought I'd give you guys an update on what I eventually did. I did away with email verification. I figured that the number of users that will put in bogus email addresses would be pretty low. I also figured that anybody finding that their email address was already in use would create a new one if they *really* wanted to use my app. I do make it clear however why it's important that they put in the right information, namely, they won't be able to receive certain notifications via email. And for some people that's preferable to push – Senkwe Feb 12 '13 at 15:32

8 Answers

10

I came across the same issue when writing a social networking style app. I chose to have the user create a username and then provide an email and password. I do not verify the email address and I've never attempted to send any email to them (yet).

What I would suggest would be alternate ways to validate a user's email address. My app allows users to do Facebook Connect. All they have to do is log into Facebook, and the app talks to Facebook to confirm that they are using a valid email address. No need to verify it with a URL in an email.

I believe Twitter has a similar service and there may even be a few others that provide an API.

I've also discovered that a lot of people just want to tinker around in the app and not create an account at all. It's definitely a balancing act.

cherouvim
Brian
  • Cherouvim. It looks like your question has been answered. If it hasn't, please rephrase your question so we know exactly what your concern is – Brian Feb 10 '13 at 20:21
  • Depending on the target audience, social media auth may or may not be a wise choice. It would be really bad form to require your users to sign up with twitter/facebook, or any other social media, in order to proceed in your app. At the very most, you would offer those types of authentication as an option, while still retaining the ability to sign up for a brand new account. That still leaves you with the problem of verifying new accounts in the event that the user chooses that option. – Dennis W Apr 05 '18 at 07:25
9

I'd say it depends on your app and how important it is to ensure users have valid email addresses. In an app I'm creating now, we want to discourage users from signing up with multiple bogus accounts (because our system could be gamed that way) so we're not allowing users to log in until their email address is verified. On other sites however, it might not be such a big deal so why bother users with that extra step?

As for a mobile device, I don't see why you can't still send a verification email that sends them to your website to verify their email address. There are plenty of mobile apps that also have a website users can log into to manage their account.

cherouvim
kbosak
5

Another option is to have multiple "states" for users. Before they validate their email, they are in a "pending" state. Once they click it, they're in an "active" state. If you store the createDate for the user, you can periodically remove pending users older than 1 week (or however long).

The bonus is that you can easily add more states, such as suspended or deleted.

Cody A. Ray
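The pending/active lifecycle from the answer above, as an added example (not the answerer's code). The table layout, function names and the in-memory SQLite store are assumptions made for illustration; the one-week limit comes from the answer.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

PENDING_TTL = timedelta(days=7)  # "older than 1 week (or however long)"

def open_db():
    # Hypothetical schema: one row per account, state constrained by the DB.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE users (
        email       TEXT PRIMARY KEY,
        state       TEXT NOT NULL DEFAULT 'pending'
                    CHECK (state IN ('pending','active','suspended','deleted')),
        create_date INTEGER NOT NULL)""")  # epoch seconds, UTC
    return db

def register(db, email, now):
    db.execute("INSERT INTO users (email, create_date) VALUES (?, ?)",
               (email.lower(), int(now.timestamp())))

def activate(db, email):
    # Only pending -> active is allowed, so replaying an old confirmation
    # cannot lift a suspended or deleted account back to active.
    cur = db.execute("UPDATE users SET state = 'active' "
                     "WHERE email = ? AND state = 'pending'", (email.lower(),))
    return cur.rowcount == 1

def purge_stale_pending(db, now):
    # Frees addresses registered by someone who never proved ownership,
    # so the real owner can sign up later.
    cutoff = int((now - PENDING_TTL).timestamp())
    cur = db.execute("DELETE FROM users "
                     "WHERE state = 'pending' AND create_date < ?", (cutoff,))
    return cur.rowcount

def state_of(db, email):
    row = db.execute("SELECT state FROM users WHERE email = ?",
                     (email.lower(),)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = open_db()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample data
    register(db, "alice@example.com", t0)
    register(db, "squatter@example.com", t0)
    activate(db, "alice@example.com")
    print(purge_stale_pending(db, t0 + timedelta(days=8)))
```
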
4

Personally, I wasn't too happy for users to create accounts with any old email address.

I think a few decent options are:

  • send a confirmation email with a link that uses a Custom Url Schema to redirect back to the app (although this is only good if they use the link on the same device)

  • send a short PIN in the email for them to enter back in the app.

  • send a confirmation email with a web link, have your server confirm the valid email/token, and have your app check the account status either periodically or with some sort of realtime tech like SignalR or Firebase.

I prefer the last one, although hardest to implement. A user might well have their phone in their hand and their laptop next to them, register in the app and try to click the link in the email that just showed up on their laptop. I like the idea of the app then just "knowing" that they've validated.

user888734
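The "short PIN in the email" option from the answer above, sketched server-side as an added example (not the answerer's code). The class name, six-digit length, ten-minute lifetime and five-attempt cap are assumptions; a short PIN only holds up if guesses are capped and the code expires.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6      # assumed length
PIN_TTL = 600       # assumed lifetime in seconds
MAX_ATTEMPTS = 5    # assumed cap; 5 guesses out of 10**6 possible PINs

class PinChallenge:
    """One pending email confirmation for one address (hypothetical helper)."""

    def __init__(self, email, now=None):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.expires = (time.time() if now is None else now) + PIN_TTL
        self.attempts_left = MAX_ATTEMPTS
        self.digest = None

    def _hash(self, pin):
        # Binding the email into the MAC ties the PIN to this address.
        msg = f"{self.email}:{pin}".encode()
        return hmac.new(self.salt, msg, hashlib.sha256).digest()

    def issue(self):
        # secrets, not random: the PIN must be unpredictable.
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        # Store only the MAC so the PIN itself is not kept at rest; the
        # attempt cap and expiry are what actually stop guessing.
        self.digest = self._hash(pin)
        return pin  # goes into the email body and nowhere else

    def verify(self, pin, now=None):
        now = time.time() if now is None else now
        if self.digest is None or now > self.expires or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1  # count the guess before comparing
        if hmac.compare_digest(self._hash(pin), self.digest):
            self.digest = None   # single use
            return True
        return False

if __name__ == "__main__":
    challenge = PinChallenge("user@example.com")  # constructed sample address
    print(challenge.verify(challenge.issue()))
```
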
1

Do you have a web server? Write a web service that does the validation for you on the server side, and sends back the result.

Yimin Rong
  • How? I don't want validation that the email is valid but that it belongs to the specific user. – cherouvim Feb 12 '13 at 09:14
  • Server sends an email to the address provided, the email includes a validation link, the user clicks it. In the target, the user provides his username and password, if it is correct, then this proves the e-mail belongs to a user who knows this secret information, and with very good certainty can be assumed to be the intended user. This isn't groundbreaking, lots of sites use this sequence. – Yimin Rong Feb 12 '13 at 22:07
1

Either you can use some platform, such as Facebook connect as @Brian replied above, or you may give users a reasonable timeframe to verify, for example, a few days or even a week. After that, the account gets removed.

You can even have your app issue notifications to remind the user to verify his account (such as every day, or on the last date of the verification).

1

Don't ask for email confirmation on mobile and allow the user to use the service. When the user is using a PC, then ask the user to confirm his email.

I won't defend my recommendation because most of the solutions here are valid. There isn't one correct way. You asked for ideas and here's one.

Uğur Gümüşhan
1

A good strategy is to allow people to use as much of your app as possible given the amount of data they've provided.

For example, in the case of a newsreader you might let someone browse your app without registering, then require an account for offline syncing, and a verified email for alerts. Always give people a good reason to take the next step, and build engagement first, then people will forgive you pestering them later.

superluminary