
The vast majority of the time the number one priority is reducing friction before a conversion. As much as an email confirmation prior to completion is more secure, the business case is far less strong.

Customers can fix their email later, they can contact customer support if they got something wrong.

Get them in the door ASAP, and either using the account, or complete an order. Don't redirect them to their email where there is a good chance they will either get distracted or the email will be delayed.

That's not to say you shouldn't also have your own measures in place to detect errors, or malicious checking if an email is associated with an account.



The lowest friction workflows make data collection/entry as lazy/delayed as possible and maximize optionality. Allow users to "save as default" as part of their normal workflows on your site, rather than demanding the information up-front at signup.

The welcome/email verification email should have an expiring passwordless sign-in link (and maybe a way to set password if you decide to support passwords). If I use your site rarely enough, I don't even save your information into my password manager. Your password reset workflow is my normal sign-in workflow. Kudos to sites that don't force me to generate a one-time random password for this sign-in workflow. In practice, I think a lot of people accidentally use this as their login procedure on rarely visited sites.

If account creation is part of the ordering workflow, make the most significant 6 (or more) digits of the order ID a secure message authentication code of the rest of the digits and delay verification of the email address. That allows you to delay email address verification and still securely correct email address typos (of recent orders) if the user records their order ID.

If your site has made birthday mandatory but you haven't demanded a government ID for verification or run a credit check, I've lied to you about my birthday.

If your site demanded a mailing address but you're not shipping anything to me, I've lied to you about my address.

If you're demanding to over-collect information, and I'm polluting your data lake, that's on you.

Side note: the McDonald's app is nice in not requiring (or apparently even allowing) passwords to log in. However, there's a problem with its state transition, where the user needs to exit from the dialog that sends the sign-in link before they go to their email and click on the sign-in link, otherwise the user gets dumped to the next step without having actually signed in.
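The order-ID construction suggested above (leading digits are a MAC over the remaining digits, so a recent order's address can be corrected from the ID alone without letting anyone enumerate order numbers) worked through as an added example. This is not code from the commenter or from any named company; the key, digit widths, 14-day window and the `orders` table are constructed assumptions.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed demo key. Load the real key from a secrets store; anyone who
# holds it can forge order IDs, so it never belongs in source control.
ORDER_MAC_KEY = b"constructed-demo-key-not-for-production"
MAC_DIGITS = 6                             # the "most significant 6 (or more) digits"
TS_DIGITS, SEQ_DIGITS = 10, 8              # assumed layout of the rest of the ID
RECENT_WINDOW_SECONDS = 14 * 24 * 3600     # assumed window in which a typo fix is allowed


def _mac_digits(body: str, key: bytes) -> str:
    """HMAC-SHA256 over the body, reduced to MAC_DIGITS decimal digits.

    With 6 digits a guessed ID verifies about once per 10^6 attempts, so the
    endpoint that accepts order IDs still needs rate limiting and logging.
    """
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return str(int.from_bytes(tag[:8], "big") % 10 ** MAC_DIGITS).zfill(MAC_DIGITS)


def make_order_id(sequence: int, created_ts: int, key: bytes = ORDER_MAC_KEY) -> str:
    """Order ID = MAC digits + creation timestamp + sequence number."""
    body = f"{created_ts:0{TS_DIGITS}d}{sequence:0{SEQ_DIGITS}d}"
    return _mac_digits(body, key) + body


def verify_order_id(order_id: str, key: bytes = ORDER_MAC_KEY) -> Optional[Tuple[int, int]]:
    """Return (created_ts, sequence) if the MAC checks out, otherwise None."""
    if len(order_id) != MAC_DIGITS + TS_DIGITS + SEQ_DIGITS or not order_id.isdigit():
        return None
    tag, body = order_id[:MAC_DIGITS], order_id[MAC_DIGITS:]
    if not hmac.compare_digest(tag, _mac_digits(body, key)):
        return None
    return int(body[:TS_DIGITS]), int(body[TS_DIGITS:])


def correct_email(orders: Dict[int, dict], order_id: str, new_email: str, now: int,
                  key: bytes = ORDER_MAC_KEY) -> str:
    """Fix the contact address on a recent order, keyed only by the order ID.

    Returns a status string. Only an ID whose MAC verifies and whose embedded
    timestamp is recent reaches the order table, so sequence numbers cannot be
    enumerated through this endpoint.
    """
    parsed = verify_order_id(order_id, key)
    if parsed is None:
        return "bad_mac"
    created_ts, sequence = parsed
    if now - created_ts > RECENT_WINDOW_SECONDS:
        return "too_old"
    record = orders.get(sequence)
    if record is None:
        return "unknown"
    record["email"] = new_email
    return "ok"


if __name__ == "__main__":
    # Constructed sample: one order placed at a fixed time with a mistyped address.
    t0 = 1_700_000_000
    orders = {42: {"email": "mary@exmaple.invalid"}}
    oid = make_order_id(42, t0)
    status = correct_email(orders, oid, "mary@example.invalid", t0 + 3600)
    print(oid, status, orders[42]["email"])
```

The timestamp is embedded so the "recent orders" rule can be enforced before any database lookup; the MAC covers it, so a forged ID cannot pretend to be recent.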


> Side note: the McDonald's app is nice in not requiring (or apparently even allowing) passwords to log in. However, there's a problem with its state transition, where the user needs to exit from the dialog that sends the sign-in link before they go to their email and click on the sign-in link, otherwise the user gets dumped to the next step without having actually signed in.

The McDonald's app loads several dozen data-collection SDKs; Pi-hole practically had a meltdown when it launched.


Even an async validation would be better. I have <common name>@gmail.com, and get several newspapers and some other subscriptions for free.

In one case, a person named Mary in Australia sends their loved one a gift card every year, and the retailer doesn't provide any information about Mary. In another case, a student missed out on their work study job and an opportunity for early class enrollment due to a bad email.

It’s sad as all of these customers don’t even know that they have a problem.


Validating any contact method that has the potential of sending PII, Health, or financial data should be mandatory by law.

At least once a year I get an automated phone call from a regional hospital letting me know some minor's test results. Calling the hospital's CS department in order to notify them or somehow get my phone number removed from the account is impossible, because I'm not this person nor their legal guardian and HIPAA regulations prevent me from instigating a change on someone else's medical records or accounts.


An extra problem there is that phone numbers get reused. They might have verified the number at the time the previous person still had it.

I get all kinds of messages to someone called Amy from multiple sources, so I believe Amy really had my phone number earlier. No medical results yet, but healthcare appointment reminders for sure.


Don't call CS. File a HIPAA complaint. The provider who is sharing PHI illegally will certainly care. They have no duty to validate the phone number, but they do have to respond to a complaint saying they shared PHI with a person who is not THE person.


Discussions of friction and login/signup always drive me crazy. Like I get the need to get people to sign up. But security is always an afterthought - it always loses to lower friction.

And don't get me started when the PM starts lowering friction to the point where they are basically trying to trick the user.


If reducing friction is the priority, then maybe skip email completely. Let people sign up with any username and don't require an email at all, like HN allows. Most sites that require an email don't need an email, and only ask for it so they can spam users with nonsense like product updates.


Any site that requires a password will need an email for password resets.


I’ve had my Reddit account for 15 years. Never given them an email.


Not true for end to end encrypted stuff, the server can't reset anything.


If the site doesn't need email for anything besides that, then it doesn't need email for that either. Let the user set an email for account recovery if they want, but don't require it. If users who choose not to give an email forget their password, they can simply create another account.

This is the way HN works. It's the way most websites used to work, until maybe 15 years ago, give or take. Today almost all sites ask for verified email addresses, but this used to not be the case.

Besides the commercial value of having user email addresses, I think it's mostly done for the webdev's ego:

> Users need to hear about my new update! (Because if I don't spam their inbox, nobody will notice or care about the thing I just did.)


I think the webdevs are right about this one. People lose or forget passwords all the time (in general not using password managers). Permanently losing access to an account sucks a lot. Tying account ownership to email primarily with passwords being more or less an optional convenience saving you the email roundtrip seems worth it.


> Permanently losing access to an account sucks a lot.

But mostly that's all. Usually it's a minor inconvenience. Occasionally it sucks a bit. Rarely it sucks a lot. Almost never is anything of value lost. It can be wholly eliminated by good data practices e.g. backups. (No one backs up their Amazon account data. It isn't designed for it. Because the "webdevs" think of the data as their boss's - squarequoting "webdev" because the effective decision is the CEO's and the "webdev" is just taking some abstract, ill-thought-through decision and making the ramifications concrete.)

On the other hand, it also sucks a lot when your gratuitously collected private information is taken to the darkweb. As countries become more accustomed to dealing with data breaches, they are beginning to consider legislating harsh compensation requirements and painful fines. Once that's happened, almost all of the private data that the user has in their account? Let the user keep it. We webdevs and our mortal enemies in business/sales/product will have to innovate new decentralised databases - where each node is a user's computer. And yeah, some things will be harder or not even possible (for the user). Other things will become possible that aren't at the moment (for the user). And at least you won't go bankrupt when a state level actor decides your database is valuable.


There are some exceptions to this. Notably, Amazon is ruthless in enforcement of their "One Person, One Account" policy (worded not so eloquently in their official terms).

If you lose access to your Amazon account and open a new account, there's a non-trivial chance they shut it down without explanation. If your account ever participated in the marketplace from a seller side, then this policy is even more ruthlessly enforced.

Which means... email address verification is necessary for Amazon to at least guard against typos and other common form data-entry errors.


Is this policy for a specific kind of Amazon account? I didn't recall seeing anything in the TOS, and they appear to have first class support for people with multiple accounts.

https://www.amazon.com/gp/help/customer/display.html%3FnodeI...


What most people need to back up is a receipt for their transaction, and the main method people expect for receiving it is... email.


I worked for a big fintech.

- Zero email validation at signup measurably reduces friction. [1]

- Require email validation for bank deposits, once your customer is further onboarded and invested in the product.

- Encourage 2FA and other measures as the customer grows.

[1] (Much to the chagrin of all security-adjacent, marketing, account owning, risk, ATO prevention, etc. teams. I was directly in the path of these decisions, and it was interesting to see the various stakeholders argue their points. Growth funnel wears the pants.)


Yeah you may not realize that a significant fraction of people don't remember passwords at all and need to reset on every login. If you don't allow self serve password resets you're creating a huge customer service burden.


Users are trained to put in their email. Making them choose a username increases friction if the username is non-public (i.e. it's not Instagram). Ideally, using SSO speeds the whole thing up, but if not, then it's better to just use email.


> Most sites that require an email don't need an email, and only ask for it so they can spam users with nonsense like product updates.

Not the only reason. It adds friction for people trying to create an army of sockpuppet accounts.


Not a lot of friction. Especially if you don't restrict the allowed email providers.


I'd say that depends on what 'a conversion' is - if it's buying physical things (and getting shipping confirmations for them), an email is maybe not absolutely required, but most of your customers would probably still rather they got those?


Maybe they want SMS updates to their shipping, does that mean you should ask for confirmed phone numbers on signup? Of course not. Let them enter their email or phone number for shipping updates when they're confirming their purchase.

Ideally you shouldn't require users to make an account to make a purchase at all. There should be a "guest" path for purchases. Some sites still get this right. I can buy anything from plane tickets to pizzas without having an account on the company's website. Meanwhile half the "Show HN" non-commercial toy websites I come across seem to require a confirmed email for no good reason at all (probably because the webdev is hoping his little toy website somehow becomes a real business, and then he can spam my inbox with updates about this and turn me into a paying customer.)

Off the top of my head, here are some companies that don't require me to confirm my email address when making a purchase or an account: Southwest Airlines, Domino's Pizza, Hacker News, Reddit.

If those guys don't need a confirmed email address, probably your site doesn't either.


These are not good examples of everyday websites.

Southwest Airlines knows an awful lot more information about you than you provide them. They don't need your email address because they know who you are - and they make it your responsibility to monitor changes to your schedule/flight.

Domino's Pizza allows you to monitor in real time the status of your delivery on their website after checkout. You can provide an email address to access the tracking status page again if you close it.

Hacker News is not a good representation of anything outside of a very tech-focused forum. It's designed to be anonymous, there is nothing to keep track of (order status etc) and if you lose your password to HN, you might just be SOL. That's not going to fly for the general public.

Reddit is focused on eyeballs and clicks - nothing else. You're not buying things on Reddit and waiting for them to deliver to your house or whatever. Reddit just needs you to click and look at things to make money. Reddit also requires an email address, but if you don't provide a real one then you're SOL if you lose access. Again, not going to fly for the general public.

The reality is, most regular sites do need a reliable way to contact you for business reasons. Some are even required to have your contact information (for international shipments, as one example).

Your email inbox does a good job of holding emails for you, so let's stop pretending it's a huge burden to get an email... and if you find your way onto some newsletter list just click the unsubscribe button. It's not that hard...


> Domino's Pizza allows you to monitor in real time the status of your delivery on their website after checkout

Domino's doesn't even verify that you own an email address when you register one. I have received Domino's delivery updates sent to my email address for pizzas delivered to a person who doesn't even live in the same country as me. These updates contained a bunch of PII about the customer, including their exact home address depicted on a map inside the email.

Web developers: verify that people own the email addresses or phone numbers that they register!


> Domino's doesn't even verify that you own an email address when you register one

Considering that Domino's doesn't verify you're actually at the physical address you're having a pizza delivered to, I doubt they are sweating an email addy


> The reality is, most regular sites do need a reliable way to contact you for business reasons.

In these cases, which I think are more unusual than usual, an email can be required during checkout. There's almost never a valid reason to require a confirmed email account during account creation, before the user has even decided if they want to make a purchase.


We might be envisioning very different types of websites then. Some random dude's blog - no you don't need to enter your email address.

Buying something online or subscribing to a service? The company does need a way to contact you... which is going to be email.

Email addresses are more-or-less globally unique, which makes them very handy for identifying an individual customer. Verifying the email address is an extra step that can provide the business with more confidence when dealing with a new potential customer. Certain types of fraud vanish or are greatly impeded with email verification, such as carding attacks. Customer support tasks can be performed more reliably and with identity confidence of who they are dealing with, stopping account impersonation attacks and more.

With all that said, sites that choose not to verify email addresses put a greater burden onto the customer for support needs. Password resets, order tracking, cancelling subscriptions etc. all become more difficult if the email address entered by the customer had a typo, for example, or belongs to someone else.

That doesn't mean all sites should verify email addresses - but it does mean railing against any site that does is misguided.


Twitter or Discord, why do these require me to confirm an email or phone number when Reddit doesn't? Why do shop websites like Etsy require me to confirm my email address before I even decide to purchase or sell anything? If you're worried about credit card fraud, confirm my identity when I give you my payment info, not when I'm merely registering an account.


What you propose would lead to increased cart abandonment. No business wants that.

Account registration is the perfect time to do email verification, if the business is going to do it. The user already is in that "mindset"... and clicking a link is really not very difficult. Everyone in that flow understands what is going on.

Sites like Etsy probably have a significant fraud problem... and as previously discussed verifying email addresses goes a very long way towards minimizing risk.

Companies like Twitter and Discord likely require verification for the same reasons - fraud/abuse. I am aware Twitter has had a history of abusing that data, but the initial reason for verification remains the same.

I'm actually surprised more websites don't require verification. It's easy to do, and the benefits are very obvious. Most users aren't bothered by it either...

Smaller ecommerce sites still keep the Guest Checkout flow available because they would rather not impede checkout for any reason - although that means they take on additional risk. Major ecommerce sites require accounts (think Amazon, Newegg, Etsy, Walmart, Zappos, Chewy) and some do require verification. At their scale, fraud and abuse become very difficult problems that require a lot of time/resources.

OAuth/Social Login has removed some of the need to verify email addresses at the business level. This is because a trusted 3rd party Identity Provider has already done that for you, and most OIDC IdPs already provide an "email_verified" flag of sorts. Depending on your trust level (connecting to Google's IdP vs. a random IdP), you can just use this data and assume it's been verified, removing that step for the customer.
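The trust decision described in the last paragraph, as an added example rather than anything from the commenter or from a particular OIDC library: given the claims of an ID token that the OIDC client has already validated (signature, audience, issuer, expiry), decide whether the provider's `email_verified` flag lets the site skip its own verification mail. The issuer allowlist is a constructed assumption; `https://accounts.google.com` is Google's real OIDC issuer, and `email_verified` is defined by OIDC Core as a JSON boolean, which is why only a literal `True` is accepted.

```python
from typing import Any, Mapping, Optional, Tuple

# Constructed allowlist: issuers whose email_verified claim we take at face value.
# Any other issuer, trusted or not for login, still gets our own verification mail.
TRUSTED_ISSUERS = frozenset({"https://accounts.google.com"})


def email_verification_status(claims: Mapping[str, Any],
                              trusted_issuers=TRUSTED_ISSUERS) -> Tuple[str, Optional[str]]:
    """Decide whether an OIDC login lets us skip sending our own verification mail.

    `claims` is the payload of an ID token whose signature, audience, issuer
    and expiry were already checked by the OIDC client library (assumed here);
    this function only decides what to do with the email-related claims.
    Returns ("verified" | "unverified", normalised email or None).
    """
    email = claims.get("email")
    if not isinstance(email, str) or email.count("@") != 1:
        return "unverified", None
    local, domain = email.strip().split("@")
    if not local or not domain:
        return "unverified", None
    # Domains are case-insensitive; the local part is left as given.
    email = f"{local}@{domain.lower()}"

    if claims.get("iss") not in trusted_issuers:
        return "unverified", email
    # OIDC Core 1.0 defines email_verified as a JSON boolean. Accept only a
    # real True: a missing claim, the string "true" or the number 1 all mean
    # we verify the address ourselves.
    if claims.get("email_verified") is True:
        return "verified", email
    return "unverified", email


if __name__ == "__main__":
    # Constructed claim sets illustrating the three outcomes.
    samples = [
        {"iss": "https://accounts.google.com", "email": "Ann@Example.COM", "email_verified": True},
        {"iss": "https://accounts.google.com", "email": "ann@example.com", "email_verified": "true"},
        {"iss": "https://idp.example.invalid", "email": "ann@example.com", "email_verified": True},
    ]
    for claims in samples:
        print(claims["iss"], "->", email_verification_status(claims))
```

The point of the issuer check is that `email_verified` is just a claim: an identity provider that does not verify addresses (or that lets users edit the claim) can assert `true` for any address, so the flag is only as good as the issuer that signed the token.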


Could part of the pattern for requiring an email address (or phone number) at time of purchase be reduced customer support costs for the vendor?

With an email address the customer can reset their own password for using their account with self service features - like get a duplicate invoice or view/change/cancel a reservation or similar stuff.

Without an email address / phone number / something to link a customer to their order, the customer will need to phone up a call centre or visit a store or use live chat to get what they need.

Southwest probably have a call centre or live chat anyway. Domino's have stores (and presumably a customer service department) and a pizza order is probably only interesting for a short time.

If the customer can't sort their order out or get it sorted out, they will complain or give bad feedback. Even if it was their choice not to leave an email as they were too busy.

Your business without any of these things has no incentive to get them if it can just collect emails instead and let users use self service features. Even if you already have call centers / live chat / stores then your cost of dealing with the customer via a self service portal is probably way cheaper than using them.


You're missing his point. He's saying that the whole point of having an "account" is often not actually necessary. Domino's and Southwest are much more focused on making it as easy as possible to buy a pizza or a plane ticket, without an account being mandatory.


I was attempting to say it may be more convenient / less expensive for the vendor if all customers are forced to have self-service accounts rather than having to complain to manned customer service or via twitter or whatever.


Sending those messages is part of the same business case as reducing friction by not confirming the address :)


>spam users with nonsense like product updates

IMHO, not all product updates are nonsense.


[x] - Send me emails about product updates.

(Receiving these emails should be opt-in. But companies often find lame excuses to ignore this preference so I prefer to not hand over my email address at all.)



