by gottam 3485 days ago
better idea:

if user doesn't verify email within a few days, that email "expires" and is removed from the account. Add a message to nag the user to add a proper email to their account.

this removes the edge case mentioned in the article and reduces sign up friction.


I don't necessarily agree with the article but your proposition does not solve the scenario described, where the owner of the email address gets the emails and clicks confirm out of curiosity or habit

the problem that the article describes is that an incorrect email was entered at sign up, and the user gets invested in their account, all for it to get hijacked by the original email account owner down the road. Expiring an unconfirmed email solves this.

There are still many other possible scenarios but I think it generally does what the author wants in a not so annoying way.

No, you are incorrect. What you propose wouldn't stop the situation described at all.

From the article:

> What happened?

> Well, turns out that the person that actually owned the jon.smith@email.com was a kid that was curious and clicked the email from TheService asking him to verify his email address.

> He himself forgot about this until a couple of years later when he heard about TheWebsite from some friends, and decided to try it. He tried to create an account and got an “account already exists” error. He used the password reset functionality and that’s that. He now owns the original John Smith’s account.
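
Added example, not part of the thread or the article: a minimal model of the expiry proposal discussed above, run against both cases the commenters argue about (the inbox owner ignores the verification email, or clicks it). The `Account` class, the function names, the 3-day window and the rule that a reset goes to whatever email is on file are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

VERIFY_WINDOW = timedelta(days=3)  # assumption standing in for "a few days"

@dataclass
class Account:
    username: str
    email: Optional[str]
    email_added: datetime
    verified: bool = False

def click_confirm(acct: Account, now: datetime) -> bool:
    """Whoever reads the inbox clicks the verification link."""
    if acct.email and now - acct.email_added <= VERIFY_WINDOW:
        acct.verified = True
    return acct.verified

def expire_unverified(acct: Account, now: datetime) -> None:
    """The proposal: drop an email that was not verified within the window."""
    if acct.email and not acct.verified and now - acct.email_added > VERIFY_WINDOW:
        acct.email = None  # the service would now nag the user for a new address

def can_reset_via(acct: Account, inbox: str) -> bool:
    """Assumed reset rule: the reset link goes to the email on file."""
    return acct.email is not None and acct.email == inbox

def simulate(inbox_owner_clicks: bool, expiry_enabled: bool) -> bool:
    """Return True if the inbox owner can later take over the account."""
    t0 = datetime(2015, 1, 1)  # constructed date
    acct = Account("john", "jon.smith@email.com", t0)  # address mistyped at sign-up
    if inbox_owner_clicks:
        click_confirm(acct, t0 + timedelta(days=1))
    if expiry_enabled:
        expire_unverified(acct, t0 + timedelta(days=4))
    # Years later the inbox owner requests a password reset.
    return can_reset_via(acct, "jon.smith@email.com")

if __name__ == "__main__":
    for clicks in (False, True):
        for expiry in (False, True):
            outcome = "takeover possible" if simulate(clicks, expiry) else "blocked"
            print(f"owner clicks={clicks!s:5} expiry={expiry!s:5} -> {outcome}")
```

In this model expiry closes only the case where the verification email is never clicked; a click inside the window leaves the mistyped address on file as verified.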