Email as a login 1

[Pav1977]

Hello all,

I putting together a small system where the users put create their login and are asked to use their email for that purpose.

As it stands now - after sucsessul account creation the users can log in with their email address.

What I'm worried about is that they can login without confirming that they have access to the email given by them (that becomes their login) this is something I overlooked it in v1 of the design and I'm worried that this could breach some laws and create a potential for 'identity teft'.

What do you think I should do - redesign (a bit of a time pressure on that) or is it acceptable to leave it as is.
If anyone knows about systems like this could you give examples in your postings.

Cheers

Now my

 

[damber]

If you want to validate that they have given you the correct email address that they have access to, then (for a simple solution) consider the following steps:

1) Create a random key (e.g. 2kd983jfue834 etc - unique to each user) and store it in their User record (don't show the user)
2) Set the user status to indicate that they are registered, but not yet active and are waiting confirmation of their email
3) Send email with link to activation page with a query parameter of the key you created above and their email address
4) When user clicks link it goes to the page and activates their account (e.g. changes user status to indicate they are fully active) - you could ask for their password again at this point if you like.
5) The login script should check the user status and only allow login for the relevant status

This will require modification to your User Table, the Login script, the registration page and a new activation page.

That's the basic gist of it, there are slightly different ways, but that's one of the most common.

If you need help with the technical implementation of that, then go to the relevant forum and post what you think should work / have tried.


A smile is worth a thousand kind words. So smile, it's easy!

 

[Pav1977]

Hi,

Yes however my problem at this statge is that idealy I'd like to avoid this additional work for a while and I'm just thinking if it breaches any laws and if it's acceptable not to check for the confirmation of the access to the email account?

Thanks again for your positng it's very useful to have it broken down like this - I may need that if I decide to go ahead with it.



Thank you

 

[damber]

If you're in the UK, check out the Data Protection act.

However, you will only be responsible for the data that you hold directly, or the data that you influence - e.g., if other sites use your information (in particular the identity aspect), then you are opening up yourself for some problems. It's unlikely users will be able to steal someone elses identity outside of your site just by usurping your flimsy security, so it's really your own sites identity that is at risk.

You can just view the email address as their chosen username, therefore they can use anything (it doesn't matter) - however if you decide to use that username in the context of a real email address (e.g. send them emails about their account, etc) then it won't work... you'll get angry recipients contacting you as to why you are spamming their email address.

Simply, you need to provide adequate security for that data otherwise your users (and email address owners) have a right to bash you around the head with a big club, probably with rusty nails in it too.

In any case, legal or not, it's a bit naive to expect nobody will ever try to misuse your application - even in a small closed environment (which the web certainly is not), people (and spambots) will do their best to circumvent security for their own ends. Do you want that?

So, it's unlikely you'll have the police knocking on your door if you don't do it, but you're only creating problems for yourself if you don't. Plus it isn't that difficult to do... maybe 10 lines of code in the registration script, a couple of extra db fields, a few lines in the login page and a small activation page. (of course that's for the basic version.. but it's still better than nothing).



A smile is worth a thousand kind words. So smile, it's easy!