I went through this discussion just the other day and I'm questioning if anyone ever reads the whole message in a confirmation email in the first place. The person who signed up most likely read a message after the sign up that they have to confirm their email and all they are doing now is trying to get access to their account.
Most users are familiar with this process and will instantly click the link in the email and will never read the expiration date, and if they do they will probably ignore it. An unaccepted invite that never expires is an unnecessary security risk. If the user never accepts the invite and an attacker later gains access to their email they can then gain access to the relevant account.
Why bother leaving this attack vector open for users that aren't even using your software?! There isn't a one size fits all approach, but if there's any doubt I'd lean on the side of caution. Someone might argue that once a user signs up if their email is compromised that the attacker could easily gain access to their account by changing their password.
This is a separate issue and possibly a good reason to consider other security measures like two factor authentication. If the link has expired, I think the user should first be taken to an informative page letting them know that the link has expired and then asked to log in to take them to the respective flow.
If the user is authentic, it gives them a good idea of what happened, leading to a good way to find design principle.
Should email verification links expire? Asked 8 years, 10 months ago. Active 1 year, 8 months ago. Viewed 16k times.
Emanuil Rusev. There is a UX aspect to this problem, but please also see security. Another possibly security related remark: You should think about invalidating old verification links, when the user decides to use another e-mail address. Grasso had applied for the "iPod" trademark which he planned to use for Internet Kiosks.
However, in , he assigned it to Apple. Has my email expired? Peter Wong on December 19th, pm What will happen when the Gmail account has expired?
Manish on December 19th, pm Peter Wong, The username will be available for another user. Shiferaw on January 31st, pm How can I update an expired Yahoo email account? My email address no longer exists now. Let me try. Prachi Bhardwaj. To access confidential mode, users of the free Gmail service that is, non-corporate accounts need to opt into the new Gmail by going to the settings cog in the top-right corner and selecting "try the new Gmail."
Once you've selected the new Gmail design and it updates, hit "compose" to start a new email, and you'll see this padlock icon at the bottom of your window. When you click on the icon, a pop-up window will appear with two options: set the expiration date, and decide whether you want it to be passcode protected.
Your expiration dates are limited to the options Google gives you, meaning you can't freely choose when you want it to disappear. I chose to have my email expire in one day and said yes to passcode protection. When I hit "save," the email turned blue. I tried to send it right away, but because I chose to protect it with a passcode, Gmail prompted me to include the recipient's phone number so it could send the code to them via text when the time came. The email appeared in my other inbox just like any non-confidential mode email would, except there was no indication of an attachment.
The real difference was noticeable when I opened it though. When the recipient hits "send passcode," a Gmail-generated code is sent to their phone via text.