Search code examples
securityemailusability

Security for Email verification/confirmation

When someone registers on a website with their Email addresses, usually they are asked to verify or confirm their email by clicking on a link in a email address that they are sent to. Same goes for subscribing or unsubscribing to a mailing list.

Usability wise, this is great. It's very quick and easy to do, I can't think of anything that beats it.

I am not sure if I am overthinking things, but I just wanted see if I missed anything or misjudge anything.

So as far as I know the purpose of email verification/confirmation is

  • To make sure that the email address is correct
  • To make sure Emails that are sent to this address can be read and received
  • To make sure the email address really belongs to the person who's trying to sign up

With the current popular implementation of just one link that they click and that verifies the email instantly, someone could just brute force the verification link and circumvent this whole step.

Just visit verify.php?code=YOURBESTGUESSHERE and try all kinds of different codes.

An attacker could now make the following exploitations:

  • hurt my business by unsubscribing a bunch of people from my mailing list
  • add a bunch of people to my mailing list without their consent, since they might not be interested in my content, they could think I'm spam and a bad business
  • someone could farm addresses by checking the responses on the verification page (for example if the response is "mail@server.com is already verified" or so)
  • someone could create fake accounts without the need of having an actual working email address

I am not sure what the benefit of the latter would be, and it seems it would be much easier to just create a throw away address for this purpose, but I just wanted to put it up there to be complete.

My Questions:

  • Did I miss any other purposes or exploitations of email verification / confirmation?
  • Should I add layers of security to the email verification, such as a captcha or time delays to prevent brute forcing?
  • Should I ask for additional information other than the reset code? Like username or email address again? Or a security question type thing, or another piece of information they entered when registering?

What are best practices for this whole thing, and how much worry and effort does really need to be put towards it? Risks vs. Benefits / Security vs. Usability... ?

Solution

  • If the attacker's search space for YOURBESTGUESSHERE is large enough, brute force becomes infeasible. Use {a code derived from {email address plus timestamp} (which may have arbitrary other stuff, such as a random nonce, incorporated)} fed through a known-good implementation of a known-good one-way hash function.

    Ensure the code is only good for a short time (a couple of days, perhaps) after it's used.

    Don't leak information when the code is presented - the real user of the code knows what email address it applies to, and nobody else needs to.