account activation via email - vice or virtue?
I've recently read a number of posts and tweets regarding email activation of website accounts. This is the process of sending the user an email upon successful registration, requiring them to access their email and often click a link to confirm the account to actually use it on the site. The impression I get is an increased intolerance for the process, but there are many valid reasons for using it.
In particular I recently read a blog/rant complaining that the only reasons it was used were A. so that the site owner could verify you owned the email address and B. to keep bots out. This appears to overlook a number of far more significant reasons. In no particular order:
1. Account recovery
As a new user of a site it's important to know your registration is successful. Many sites will instantly log you in, but for the sites which don't, if you've managed to enter your email address incorrectly, possibly even twice, you'll never know it. The welcome email will never arrive. If you've been logged in automatically, you may choose to "remember me" or similar. Some weeks or months down the line, when you've predictably forgotten your password, you'll only receive a stony silence from the website when you do the "password reminder" process.
The activation email in this case is really more like a receipt. It's not for the site owner's benefit - it's for your own!
2. Signal vs Noise
It's not all about you. If you're registering for an account on a campaigning website, for example, that website may send out thousands of emails per day, not to mention thousands of pieces of snail mail too. The site owner wants to avoid spamming people and needs to cut their own costs by not sending out unnecessary communications. Even email can cost money in volume and the postal service obviously does, so it's about quality not quantity: a site owner needs to know their registrants are real. They gain more from a few truly committed users who are willing to evangelise the product than from hundreds of people or robots with no particular interest. This is also a good argument for Opt-In.
If you've signed up to your favorite charity, be thankful they require verification: by doing so, they *won't* be wasting your donations on sending communications to non-existent or ungrateful recipients.
3. Re-registration abuse
Many sites run a forum, voting systems, polls or other user-generated content. As user-generated content can be intentionally abused by the users, moderation is a necessity with these systems. Forum trolls, rating abusers, and poll-skewing can all be simply addressed by requiring users to validate each account they register with the website.
There are no foolproof countermeasures against a really malicious user, but the tedium of having to register several email accounts is often enough to deter the more petty digital criminals, who are generally more numerous. The negligible time and effort each user puts into activating their account goes a cumulatively long way towards preventing abuse. Every activation made counts towards a moderator that doesn't need to be employed.
4. Mistaken spamming
If a user registers with an email address they don't own (even accidentally) and that address is never confirmed, the website might go on to inundate that email address with messages. Confirming the owner meant to use the email address they provided just ensures you don't receive irate calls from users who have no idea why they're getting your emails.
There are almost certainly more perfectly valid reasons I've missed.
On the flip-side to all of this there are many sites out there that send activation emails unnecessarily. Developers should take care they don't put up unnecessary barriers to users doing what they want:
- Weigh up the benefits of knowing your users are real against the risk of conversion drop-off. For example, if you're going to have to heavily moderate the comments system of a busy site anyway, is activation really going to help that much?
- Try and use other methods of verifying the user is real before resorting to activation emails. Prevent bots with captchas or Turing tests. Get users to enter the same email address twice as a confirmation to check they got it right. Perhaps even try one of those scripts which contacts the user's mailserver directly to verify the address.
- Don't rely on the activation email to do all the work. Users should be told they should expect an email and what to do if it doesn't arrive. Even an activation email can be junked by someone not expecting it. One of the reasons for the backlash against email activation may well be that it's so apparently unnecessary - users may also appreciate being told how their activation helps: reducing costs, recovering passwords etc.
- Make your activation processes efficient. If a user attempts to access protected-page-A.html, make sure the act of clicking "activate" takes the user to that page immediately on success - don't throw them to the account area or somewhere else. That "Welcome to your account area" message is well-meaning but ultimately interruptive if it diverts the user.
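
One way to implement that last point, as an added example that is not code from the original post: the emailed link carries a signed token binding the email address to the page the user originally requested, and the activation handler redirects there only if it is a same-site path. The secret, function names, `/activate?t=` layout, fallback page and 24-hour lifetime are all assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # assumption: per-site secret, loaded from config in practice
MAX_AGE = 24 * 3600                # assumption: links expire after 24 hours
DEFAULT_PAGE = "/account"          # assumption: fallback landing page

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def safe_next(path) -> str:
    """Accept only same-site absolute paths, so the link cannot become an open redirect."""
    if (isinstance(path, str) and path.startswith("/")
            and not path.startswith("//") and "\\" not in path
            and not any(ord(c) < 0x20 for c in path)):
        return path
    return DEFAULT_PAGE

def make_activation_token(email: str, next_page: str, now=None) -> str:
    """Token placed in the emailed link, e.g. /activate?t=<token> (hypothetical URL)."""
    body = json.dumps({"email": email.strip(),
                       "next": safe_next(next_page),
                       "ts": int(now if now is not None else time.time())},
                      separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def activate(token: str, now=None):
    """Return (email, redirect_path) for a valid token; None if forged, malformed or expired."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64.encode())
        # Constant-time comparison; parse the body only after the signature checks out.
        if not hmac.compare_digest(sig, _sign(body)):
            return None
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    now = now if now is not None else time.time()
    if now - data["ts"] > MAX_AGE:
        return None
    # The caller marks data["email"] as confirmed, then redirects to the returned path.
    return data["email"], safe_next(data["next"])
```

A token like this is stateless, so the account record still needs its own "activated" flag to make a second click on the same link harmless.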