On my webservice, I have a registration form where the user can register with email address, username and password. For anti-automation, I send a confirmation-link to the email address.
This is how most of the webservices do it. But I´m thinking to go away from that email mechanism and simply use a captcha instead to prevent automated registrations.
What are the pros / cons of these two approaches regarding security and usability? And are there other mechanisms for that?
Email confirmation can be easily automated, it's more to ensure that it's a real address the user has access to (though doesn't guarantee it).