When someone registers on a website with their email address, they are usually asked to verify or confirm it by clicking on a link in an email that is sent to them. The same goes for subscribing or unsubscribing to a mailing list.
Usability-wise, this is great. It's very quick and easy to do; I can't think of anything that beats it.
I am not sure if I am overthinking things, but I just wanted to see if I missed anything or misjudged anything.
So, as far as I know, the purpose of email verification/confirmation is:
With the current popular implementation of just one link that they click and that verifies the email instantly, someone could just brute-force the verification link and circumvent this whole step.
Just visit verify.php?code=YOURBESTGUESSHERE
and try all kinds of different codes.
An attacker could now make the following exploitations:
I am not sure what the benefit of the latter would be, and it seems it would be much easier to just create a throwaway address for this purpose, but I just wanted to put it up there to be complete.
My questions:
What are the best practices for this whole thing, and how much worry and effort really needs to be put towards it? Risks vs. benefits / security vs. usability...?
If the attacker's search space for YOURBESTGUESSHERE is large enough, brute force becomes infeasible. Use {a code derived from {email address plus timestamp} (which may have arbitrary other stuff, such as a random nonce, incorporated)} fed through a known-good implementation of a known-good one-way hash function.
Ensure the code is only good for a short time (a couple of days, perhaps) after it's used.
Don't leak information when the code is presented: the real user of the code knows what email address it applies to, and nobody else needs to.
You can always increase security if needed. Think of combining the link with a unique code. So when brute force allowed them to find a link, they still need to enter a random code from the email.
Suggestions like limiting the number of attempts would be one of the first I would implement, to avoid system issues (number of requests) rather than for security.
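The following is an added example and not code from either answer above; it puts the two answers together in one runnable sketch. It follows the first answer's recipe (a code derived from the email address plus a timestamp plus a random nonce, run through a keyed one-way hash; HMAC-SHA256 is my choice of known-good function), expires codes after a couple of days, makes them single-use, never echoes the email address back on the verify page, and adds the per-client attempt limit from the second answer. The in-memory dictionaries standing in for a database, the key generated at startup, the `MAX_ATTEMPTS` budget and the `client_id` parameter (whatever the web layer identifies a requester by, e.g. a source IP) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example (not from the original thread): in-memory dicts
# stand in for a database, the HMAC key is generated at process start, and the
# web layer supplies some client_id (an IP, say) for counting failed guesses.
TOKEN_TTL_SECONDS = 2 * 24 * 60 * 60   # "a couple of days"
MAX_ATTEMPTS = 10                      # failed guesses allowed per client_id


class EmailVerifier:
    """Issues and checks one-time email verification codes for verify.php?code=..."""

    def __init__(self, secret_key: bytes, clock=time.time):
        self._key = secret_key          # server-side secret; only the server can mint codes
        self._clock = clock             # injectable so expiry can be tested deterministically
        self._pending = {}              # code -> (email, issued_at)
        self._attempts = {}             # client_id -> number of failed guesses
        self.verified = set()           # emails that completed verification

    def issue(self, email: str) -> str:
        """Mint the code that goes into the link. It is sent only to that email address."""
        issued_at = int(self._clock())
        nonce = secrets.token_bytes(16)  # 128 random bits: the part that makes guessing hopeless
        material = f"{email}|{issued_at}|".encode() + nonce
        # Keyed one-way hash of email + timestamp + nonce; 256-bit output, 64 hex chars.
        code = hmac.new(self._key, material, hashlib.sha256).hexdigest()
        self._pending[code] = (email, issued_at)
        return code

    def verify(self, code: str, client_id: str) -> str:
        """Return 'ok', 'invalid', 'expired' or 'rate_limited'.

        The response never includes the email address the code belongs to,
        so a guessed or leaked code page tells the attacker nothing extra.
        """
        failed = self._attempts.get(client_id, 0)
        if failed >= MAX_ATTEMPTS:
            return "rate_limited"        # refuse further guesses from this client

        entry = self._pending.get(code)
        if entry is None:
            self._attempts[client_id] = failed + 1
            return "invalid"

        email, issued_at = entry
        del self._pending[code]          # single use, whether or not it is still fresh
        if self._clock() - issued_at > TOKEN_TTL_SECONDS:
            return "expired"

        self.verified.add(email)
        return "ok"


if __name__ == "__main__":
    verifier = EmailVerifier(secrets.token_bytes(32))
    link_code = verifier.issue("alice@example.com")   # would be emailed, not printed, in real use
    print("guess:", verifier.verify("0" * 64, client_id="203.0.113.5"))   # invalid
    print("real :", verifier.verify(link_code, client_id="203.0.113.5"))  # ok
    print("again:", verifier.verify(link_code, client_id="203.0.113.5")) # invalid (already used)
```

With a 256-bit code the expected number of guesses is on the order of 2^255, so the attempt counter here is not what makes brute force infeasible; as the second answer says, its job is to keep guess floods from loading the server. If you want the extra step the second answer describes, `issue` can additionally return a short random code that the user must type on the verify page after following the link.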