From 4b4998a6f7181eaa5f2c415e470ec1b285c9b080 Mon Sep 17 00:00:00 2001 From: Gemma Anible Date: Mon, 10 Jun 2024 08:40:45 +0200 Subject: [PATCH 1/2] clarify reasons to use a code instead of a link for email verification --- pages/email-verification.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pages/email-verification.md b/pages/email-verification.md index 83042aa..38a3f66 100644 --- a/pages/email-verification.md +++ b/pages/email-verification.md 
@@ -33,9 +33,13 @@ Some email providers, including Google, allow users to specify a tag that will b One way to verify email is to send a secret code stored in the server to the user's mailbox. -This approach should be preferred over using links. People are increasingly less likely to click on links, and some filters may block emails with them. Using links also limits what device the user can use to create an account (eg. the user doesn't have access to their mailbox on their phone). +This approach has some advantages over using links: -The verification code should be at least 8 digits if the code is numeric, and at least 6 digits if it's alphanumeric. You should avoid using both lowercase and uppercase letters. You may also want to remove numbers and letters that can be misread (0, O, 1, I, etc). It must be generated using a cryptographically secure random generator. +- People are increasingly less likely to click on links. +- Some filters may automatically classify emails with links as spam or phishing. +- Using verification links may introduce friction if the user wants to finish the process on a device that does not have access to the verification message, or on a device that cannot open links. + +The verification code should be at least 8 digits if the code is numeric, and at least 6 digits if it's alphanumeric. (Use a longer code if the verification is part of a secure process, like creating a new account or changing contact information.) You should avoid using both lowercase and uppercase letters. You may also want to remove numbers and letters that can be misread (0, O, 1, I, etc). It must be generated using a cryptographically secure random generator. A single verification code should be tied to a single user and email. This is especially important if you allow users to change their email address after they're sent an email. Each code should be valid for at least 15 minutes (anywhere between 1-24 hours is recommended). 
The code must be single-use and immediately invalidated after validation. A new verification code should be generated every time the user asks for another email/code. From 331450c67e13e339a4dffe46f76d806051e6f18c Mon Sep 17 00:00:00 2001 From: Gemma Lynn Date: Thu, 1 Aug 2024 18:45:55 +0200 Subject: [PATCH 2/2] wordsmith advice for secure processes Co-authored-by: pilcrow --- pages/email-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/email-verification.md b/pages/email-verification.md index 38a3f66..7e46a38 100644 --- a/pages/email-verification.md +++ b/pages/email-verification.md 
@@ -39,7 +39,7 @@ This approach has some advantages over using links: - Some filters may automatically classify emails with links as spam or phishing. - Using verification links may introduce friction if the user wants to finish the process on a device that does not have access to the verification message, or on a device that cannot open links. -The verification code should be at least 8 digits if the code is numeric, and at least 6 digits if it's alphanumeric. (Use a longer code if the verification is part of a secure process, like creating a new account or changing contact information.) You should avoid using both lowercase and uppercase letters. You may also want to remove numbers and letters that can be misread (0, O, 1, I, etc). It must be generated using a cryptographically secure random generator. +The verification code should be at least 8 digits if the code is numeric, and at least 6 digits if it's alphanumeric. Use a stronger code if the verification is part of a secure process, like creating a new account or changing contact information. You should avoid using both lowercase and uppercase letters. You may also want to remove numbers and letters that can be misread (0, O, 1, I, etc). It must be generated using a cryptographically secure random generator. A single verification code should be tied to a single user and email. This is especially important if you allow users to change their email address after they're sent an email. Each code should be valid for at least 15 minutes (anywhere between 1-24 hours is recommended). The code must be single-use and immediately invalidated after validation. A new verification code should be generated every time the user asks for another email/code.
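Review bot: In the code-length paragraph of PATCH 1/2 (the "+The verification code should be at least 8 digits..." line), the 8-digit numeric / 6-character alphanumeric guidance is only sound if the server caps failed verification attempts, and nothing in the hunk says so; combined with the "anywhere between 1-24 hours is recommended" validity window in the trailing context line, an unthrottled attacker can simply enumerate all 10^8 numeric codes. Suggest adding a sentence right after the length guidance such as "Limit the number of verification attempts per code (for example, invalidate the code after 5 failed attempts) and rate-limit the verification endpoint." Minor wording in the same line: "at least 6 digits if it's alphanumeric" should read "at least 6 characters", since an alphanumeric code is not made of digits.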
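Review bot: In PATCH 2/2, replacing "Use a longer code" with "Use a stronger code" makes the advice less actionable, not more: the only parameters the paragraph defines are length and alphabet, so the reader has nothing concrete to change. Suggest keeping it measurable, for example "Use a longer code (10 or more numeric digits, or 8 or more alphanumeric characters) if the verification is part of a secure process". The examples given for a secure process, "creating a new account or changing contact information", are also the flows that normally trigger email verification in the first place, so it is unclear which flow the 8/6 baseline is meant for; either name the lower-risk case the baseline covers (for example, re-confirming an address that was already verified) or drop the distinction.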