1. 20

  2. 7

    There is. Here’s a radical idea: don’t let the user pick anything until s/he confirms the email address.

    1,000 times, yes! For some reason, there are a bunch of other Ted Youngs in the world who don’t know their own email address, and so use mine (either my @gmail one, or my @yahoo one). They use it for subscribing to Chicago newspapers, signing up for dating sites, and setting up car and appliance service appointments, and applying for insurance. This is not only annoying (to me, at least, I have no idea if those other Ted Youngs even noticed), but clearly a security problem. If I were more vengeful, I’d have lots of raw material to make their lives less good.

    It’s too bad that the author couldn’t get this to work with ASP.NET, but I agree that if any site is going to ask for an email address, that it get confirmation before it does anything else with it. I know from a sales point of view, “double opt-in”, reduces the response rate, and so for an email newsletter, maybe the confirmation is too much trouble (and for the receiver, all I need to do is unsubscribe), but for anything that uses the email address as either a login or a password recovery mechanism, must require confirmation that the person owns the given email address.

    1. 1

      Yesod’s stock email auth does exactly this