Tags: validation, user-registration

Confirming User Accounts


I read through the comments here: "Is this a reasonable user registration process?" but wanted to see if anyone had any further opinions since my application is public facing.

My current setup has the user enter an email/password. The email is checked for uniqueness and if ok, the info is written as inactive and a link is sent in an email to the address provided. The link contains a guid that's generated, as well as the email address, as part of the link they need to click to complete the registration. The link is good for 12 hours.

When they click the link and everything comes through ok, they are set to active and logged in.

The problem we're experiencing is if there's a lag in the send, people tend to sign up again and again. Also, there's a 60% "loss" in people NOT coming back to activate. I thought this may be due to the webserver sending the emails, but it's routed through our SMTP server now and I've checked with the gmail/hotmail/yahoo addresses to confirm they're NOT going to junk now.

I'm getting pressure from the "higher ups" to remove the requirement to go to email to validate. The biggest issue I see in taking it out would be someone could register someone else's email or mistype their own email when they sign up and then the valid email holder could later reset the password, and access their info. The site has a social aspect and allows users to store personal information so I don't want to open it to that exposure if possible.

Is there a middle ground I'm not thinking of? I've been told Twitter and other big sites do NOT require email validation... not sure if they have something else in place or just don't worry about the issue.


Solution

  • As a follow-up, the solution we're looking to pursue will now allow people to sign up WITHOUT having to go to email and confirm. When they do, a cookie will be added for the current computer and they're free to start using the account. The next time they come in, if the cookie is found it will notify them they SHOULD validate (but not require it). If no cookie is found, they MUST validate.

    This will reduce "friction" for users to get in, but puts the onus on them to complete the process and makes it clear they're operating in a less-than-ideal mode.
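The token-based activation step the question describes, written out as an added example (not code from the post or its author): a CSPRNG token stored only as a hash, the 12-hour expiry, single use, and a repeat signup for a still-pending address that reissues the link instead of creating another record. The in-memory `USERS` dict and the `register`/`activate` functions are assumptions standing in for the real database and handlers.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

LINK_LIFETIME = timedelta(hours=12)
# Constructed in-memory store standing in for the database (assumption):
# email -> {"active": bool, "token_hash": str, "expires": datetime}
USERS = {}

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def register(email, now):
    """Create or refresh an inactive account; return the link token, or None if active."""
    rec = USERS.get(email)
    if rec and rec["active"]:
        return None
    # A repeat signup while pending reissues the link and invalidates the old one.
    # secrets.token_urlsafe is a CSPRNG; a GUID is not guaranteed to be unguessable.
    token = secrets.token_urlsafe(32)
    # Store only a hash so a leaked table does not yield clickable links.
    USERS[email] = {"active": False, "token_hash": _digest(token),
                    "expires": now + LINK_LIFETIME}
    return token

def activate(email, token, now):
    """Handle the emailed link: activate on a valid, unexpired, unused token."""
    rec = USERS.get(email)
    if rec is None or rec["active"]:
        return False
    if now > rec["expires"]:
        return False
    # Constant-time compare so the check does not leak the token via timing.
    if not hmac.compare_digest(rec["token_hash"], _digest(token)):
        return False
    rec["active"] = True  # single use: from now on the same link is rejected
    return True

def demo():
    t0 = datetime(2024, 1, 1, 12, 0)
    first = register("alice@example.com", t0)   # link mailed
    second = register("alice@example.com", t0)  # user signed up again
    return [
        activate("alice@example.com", first, t0),                         # superseded
        activate("alice@example.com", second, t0 + timedelta(hours=13)),  # expired
        activate("alice@example.com", second, t0 + timedelta(hours=1)),   # ok
        activate("alice@example.com", second, t0 + timedelta(hours=1)),   # reused
        register("alice@example.com", t0) is None,                        # now active
    ]
```

The same pattern (random value, stored hashed, with an expiry) applies to the "trusted computer" cookie in the follow-up, so that a found cookie is a verifiable credential rather than just a flag.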