Is email verification the wrong idea?

In my registration process the user registers, receives a confirmation link by email, and only when they click on it is their account verified. But is this verification method too simple to stop bots?

I think the email account can be created by a bot, and certainly, if the check is just clicking the link, that can also be automated by the bot. I'm not sure, since I haven't done this and don't want to try it just to find out, but my question is: is this verification method broken?

I am thinking of sending the verification code to the user as text that they would have to copy/paste manually into a form, with the form protected by a CAPTCHA. Is this a better idea? Are there any flaws with it?

+6
security php registration
7 answers

Most of the suggestions relate to email verification and using CAPTCHAs, which of course you should do, but keep in mind that none of these methods is completely bulletproof.

Email Verification

A bot can easily "click" the links in any email. Copying and pasting something will be a little more annoying for the bot author, but not much. Email verification is usually really just email confirmation.

You are checking whether the email address is controlled by whoever is trying to register, but of course, since email is usually sent in plain text over untrusted TCP and relies on insecure DNS, until we all use DNSSEC and encrypt all traffic it will be easy to sniff emails and spoof servers and clients. It's important to understand that with email verification you only get a certain degree of confidence that the person (or thing) you are talking to is really the user of that email address.

Turing test

Answering a question that only a person should know the answer to would be even more annoying, but given that you probably won't have an infinite number of questions, the bot author could forward an unknown question to a real person and use cached answers whenever a question repeats. Answering a question like "what is 12 + 8", as I have seen on some sites recently, as a Turing test is completely counterproductive, since that question is actually easier for bots than for people. Probably the most popular Turing test for this is the CAPTCHA, but here too you should understand that they can be fooled.

First of all, people have demonstrated CAPTCHA workarounds; for example, see the reCAPTCHA section of the DEFCON 18 talk on the subject. Many CAPTCHAs are much easier for robots to decode because they are generated by algorithms that are trivial to reverse. The reCAPTCHA distortions are also quite simple, but the words they use are real scanned words that were hard for OCR, so in principle it should be much harder for bots, but this is not always the case.

In addition, it is possible to display the images you want solved on other sites and have the people there answer them for you. There is also a black market of people who actually solve CAPTCHAs, so if your bot author doesn't mind paying something like two cents for a dozen, then no matter how hard they are, actual people will still solve them.

Bottom line

The bottom line is that any method of stopping bots will always be a trade-off between how much time, effort and money the bot owner (a spammer or anyone else who wants to register a lot of users in your system) is prepared to spend on it, and how much inconvenience you are prepared to inflict on your users, because ultimately you will never be able to devise an automated test that tells people and bots apart without annoying real people and alienating people with limited abilities (has anyone ever tried to guess the audio version of reCAPTCHA?), and in any case your bots may actually have people working for them, so they are not really robots but cyborgs, so to speak.

This is an arms race for which your honest users pay the price. Remember that.

+8

The question is: what are you trying to verify? When you send a link to an email address, you know that the person who registered this account has access to that email address. It says nothing about them beyond that.

So bots can create an account and use it to register. If you want to stop the bots, then yes, a CAPTCHA is what you need to add. Note that adding a code to copy/paste does little against a bot, nor will it help you with anything beyond conversion.

+3
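The first two answers both say that a bot can "click" the link in any email and that a copy/paste code is hardly any harder to automate. The following is an added illustration of why, not code from the original post or from any of the answerers: it parses a constructed sample confirmation message (not a real one) and pulls out both the link and the code with two regular expressions. The `fetch` and `submit_code` callables are assumed hooks standing in for whatever HTTP client the bot would use, so the script runs offline.

```python
import email
import re
from email import policy

# Constructed sample message, not a real one: a typical confirmation mail
# carrying both a clickable link and a copy/paste code.
SAMPLE_EMAIL = b"""\
From: noreply@example.com
To: newuser@example.net
Subject: Confirm your account
Content-Type: text/plain; charset=utf-8

Thanks for signing up.

Click here to confirm: https://example.com/verify?token=3f9a1c7b2e
Or enter this code in the form: 8K2Q-77ZX

Regards,
The Example team
"""

# Any http(s) URL up to the next whitespace or quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# "code ...: XXXX" where the code is upper-case letters, digits and dashes.
CODE_RE = re.compile(r"code[^:\n]*:\s*([A-Z0-9][A-Z0-9-]{3,})", re.IGNORECASE)


def extract_verification_targets(raw: bytes) -> dict:
    """Return every verification link and code found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return {"links": URL_RE.findall(text), "codes": CODE_RE.findall(text)}


def bot_confirm(raw: bytes, fetch, submit_code) -> dict:
    """What a registration bot does with the mail: follow every link it finds
    and paste every code it finds into the form. `fetch` and `submit_code`
    are assumed hooks for the bot's HTTP client (injected so this runs offline)."""
    found = extract_verification_targets(raw)
    for url in found["links"]:
        fetch(url)            # equivalent to the user "clicking" the link
    for code in found["codes"]:
        submit_code(code)     # equivalent to the user copy/pasting the code
    return found


if __name__ == "__main__":
    visited, pasted = [], []
    bot_confirm(SAMPLE_EMAIL, fetch=visited.append, submit_code=pasted.append)
    print("links followed:", visited)
    print("codes pasted:  ", pasted)
```

The only thing that actually resists this is the CAPTCHA placed in front of the step, not the format in which the secret reaches the mailbox.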

As always, security and convenience usually compete with each other.

The link in the email simply confirms that it is an active email address. Yes, it is easy for bots to handle. But is your service so valuable that bots will attack it?

A CAPTCHA is always a way to make sure your users are human. The additional coding and the frustration that comes with it are the trade-off.

In the end, keep things as simple as possible, but not easier.

+1

As already stated, you just need a CAPTCHA check.

My suggestion is to do the human verification before your application creates a user account and sends the confirmation email. The added value is that your site can't simply be made to spam verification emails and create bogus accounts waiting for verification.

Nothing wrong with the link if you do this.

+1

Yes, bots can enter emails and check the responses. I've also heard that bots are getting better at recognizing images and answering CAPTCHAs, although I can't say for sure how good they are. If you are really, really worried, I would go with:

  • Email verification
  • Security code
  • Simple random questions (How many ears/fingers do most people have?)
  • A cell phone number to which a code is sent via SMS

The last one may be the best at eliminating bots, but it will also limit who signs up for your site. In addition, the more validations you have, the more you annoy users and the more you raise the barrier to signing up, which can also be a pretty big drawback. Personally, I believe CAPTCHAs are a good balance of bot protection against user inconvenience.

+1

Are you only verifying the email address, or completing the whole registration?

I always verify the email address first, then, after verification, complete the registration process.

So add the CAPTCHA at the email verification stage.

In other words, ask the user to enter their email address, solve the CAPTCHA and submit the form.

That way, only real people get sent a confirmation email.

This does not prevent human bots, of course.

DC

It also means you don't need to store bad/fake credentials.

One problem is that the user verifies one email address and then changes it during the registration process, as I understand it.

When the user submits their email address, no data is saved at all. Instead, I use $validation_code = md5(trim($email) . $secret) to generate the verification code. Therefore they cannot change the email address in the actual registration form. The email address and the verification code are carried along as hidden fields right to the end to confirm the email address. If the email address is changed from the verified one, registration fails because the md5 no longer matches.

DC

+1
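The flow DC describes (nothing stored at step one, a code derived from the address plus a server secret, the address and code carried as hidden fields, registration refused if the address was changed) is worth seeing end to end. The block below is an added example and is not DC's code: it keeps his design but swaps his plain md5 of email + secret for HMAC-SHA256, adds an issue timestamp so codes expire, normalises the address so trailing spaces or letter case cannot be used to dodge the check, and compares in constant time. `SECRET`, `CODE_TTL`, the function names and the CAPTCHA result flag are all assumptions of this example.

```python
import hashlib
import hmac
from typing import Optional

# Assumed server-side secret for this example only; in production load it
# from configuration and never hard-code it.
SECRET = b"replace-me-with-a-long-random-secret"
CODE_TTL = 24 * 3600  # assumed lifetime of a verification code, in seconds


def _normalize(address: str) -> str:
    # Trim and lower-case so " Alice@Example.com " and "alice@example.com"
    # are treated as the same verified address.
    return address.strip().lower()


def make_code(address: str, issued_at: int, secret: bytes = SECRET) -> str:
    """Stateless verification code: HMAC over the normalised address and the
    issue time. Nothing is stored server-side; the timestamp rides along in
    the code so it is both covered by the MAC and available for expiry checks."""
    msg = f"{_normalize(address)}|{issued_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_code(address: str, code: str, now: int,
                secret: bytes = SECRET, ttl: int = CODE_TTL) -> bool:
    """Recompute the code for the submitted address and compare in constant time."""
    try:
        issued_str, _ = code.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False                      # malformed code
    if not (issued_at <= now <= issued_at + ttl):
        return False                      # expired or from the future
    expected = make_code(address, issued_at, secret)
    return hmac.compare_digest(expected, code)


def start_verification(address: str, captcha_ok: bool, now: int) -> Optional[str]:
    """Step 1: the user submits an address and solves the CAPTCHA. Nothing is
    saved; on success the returned code goes into the confirmation email."""
    if not captcha_ok:
        return None
    return make_code(address, now)


def complete_registration(form: dict, now: int) -> bool:
    """Step 2: the registration form carries the address and the code as hidden
    fields. Registration fails if the address no longer matches the verified one."""
    return verify_code(form.get("email", ""), form.get("code", ""), now)


if __name__ == "__main__":
    t0 = 1_700_000_000
    code = start_verification(" Alice@Example.com ", captcha_ok=True, now=t0)
    print("same address:   ", complete_registration({"email": "alice@example.com", "code": code}, t0 + 60))
    print("changed address:", complete_registration({"email": "mallory@example.com", "code": code}, t0 + 60))
    print("expired:        ", complete_registration({"email": "alice@example.com", "code": code}, t0 + CODE_TTL + 1))
```

Because the scheme is stateless, a code is valid for any number of registrations with that address until it expires; if you need single-use codes you have to record used ones (or the registered address) after all, which is the one thing DC's design was avoiding.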

I was having trouble with email verification and testing. If you want to test email-based authentication, try EmailE2E.com for free.

You can send and receive emails from randomly created mailboxes through the API.

It is ideal for testing Firebase, Amazon Cognito, or other OAuth providers that use email verification codes during registration. It also has clients in Java and JS.

0