Chris - 2016-03-17 14:17:27
As usual, Dave, great and easy-to-follow tutorial.
Something in addition to the tutorial: if you are using an email validator, don't forget that a properly formed email with all the other credentials is a great start but is not complete proof of validity.
If you are setting up a subscription service, forum, or some other system that may require the email address as proof of life, don't forget to verify that the email address owner is on the other end. Simply verifying validity using the API and then allowing login with the email doesn't prove that the person (or bot) using the email is the person signing up and logging in to the system. Be sure to send an email to the address with a link (containing a random key param) to a landing page that looks for the key as proof someone received it and followed some directions... and still that could be automated. At least you would know that it is not an innocent bystander's email.
I think a current example for this is the Ashley Madison hack, where emails used on the site were not verified. It is expected that many emails on the system were inserted by hackers or others using another person's email address.
cnet.com/news/you-can-look-but-ashl ...
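The verification flow Chris describes above, as an added example that is not part of the original post or of the PHP Classes code: a random key is issued per address and sent in a link, and the landing page accepts the key only if it was issued for that address, has not expired and has not been used before. Only a hash of the key is stored, so a leaked table of pending verifications does not hand out live links. The in-memory dictionary, the `example.test` landing URL and the "send" step that returns the link instead of calling a mailer are all hypothetical stand-ins.

```python
"""
Added example (not from the original post or from the PHP Classes code):
email-ownership verification via a single-use, expiring random key.
Hypothetical: an in-memory dict stands in for the database, and
issue_link() returns the link instead of emailing it.
"""
import hashlib
import secrets
import time
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

TOKEN_TTL_SECONDS = 24 * 60 * 60            # links older than a day are rejected
BASE_URL = "https://example.test/verify"     # hypothetical landing page


@dataclass
class PendingVerification:
    email: str
    expires_at: float
    used: bool = False


class EmailVerifier:
    def __init__(self,
                 clock: Callable[[], float] = time.time,
                 token_source: Callable[[int], str] = secrets.token_urlsafe):
        # clock and token_source are injectable so the flow can be tested
        # deterministically; production uses time.time and secrets.
        self._clock = clock
        self._token_source = token_source
        self._pending: Dict[str, PendingVerification] = {}   # keyed by key hash
        self.verified: Set[str] = set()

    @staticmethod
    def _hash(token: str) -> str:
        # Store only the SHA-256 of the key: the key itself is unguessable
        # (32 random bytes), so hashing protects against a database dump.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_link(self, email: str) -> str:
        token = self._token_source(32)
        self._pending[self._hash(token)] = PendingVerification(
            email=email,
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        # Real deployment: email this link to `email`; here we return it.
        return f"{BASE_URL}?{urllib.parse.urlencode({'key': token})}"

    def confirm(self, token: str) -> Optional[str]:
        """Landing-page check. Returns the verified address, or None."""
        record = self._pending.get(self._hash(token))
        if record is None:
            return None                      # unknown or forged key
        if record.used:
            return None                      # replayed link
        if self._clock() > record.expires_at:
            return None                      # stale link
        record.used = True                   # single use
        self.verified.add(record.email)
        return record.email


def key_from_link(link: str) -> str:
    """What the landing page extracts from the request (the 'key' param)."""
    query = urllib.parse.urlparse(link).query
    return urllib.parse.parse_qs(query)["key"][0]


if __name__ == "__main__":
    verifier = EmailVerifier()
    link = verifier.issue_link("alice@example.test")     # constructed address
    print("send:", link)
    print("confirm:", verifier.confirm(key_from_link(link)))
    print("replay:", verifier.confirm(key_from_link(link)))
```

As Chris notes, passing this check only proves that whoever registered can read mail at that address, not who they are; it does rule out signing up with an innocent bystander's address.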
Manuel Lemos - 2016-03-20 08:26:26 - In reply to message 1 from Chris
You are right, you can make as many checks as you want and the email address may still not be valid, because the destination mail server may accept messages and they may still be bounced later.
Sending a verification email is a more reliable way of verifying if the email address really is reachable.
On the down side, it may annoy users because they may not get the verification email and they may need to wait hours to figure out that they need to ask again.
A less annoying way is to use social login, I mean allow users to register or login with their social network accounts. Usually those accounts have already validated the user's email address.
That is the alternative method allowed in the PHP Classes login. You register and login with accounts on Facebook, Gmail, Github, Yahoo, Hotmail and even StackOverflow.
The users do not even have to pick a password. They can login immediately during registration.
Dave Smith - 2016-03-21 05:23:59 - In reply to message 2 from Manuel Lemos
Using social media accounts actually eliminates an authentication factor, so if you are trying to protect access to sensitive information or areas on a website, using them is the worst possible idea.
Using these universal login systems does make it much easier on the user; however, a compromised account also gives access to multiple websites which use these for authentication.
Dave
Manuel Lemos - 2016-03-21 06:22:28 - In reply to message 3 from Dave Smith
Yes, that is true, that may happen.
But isn't that the same when an email address is compromised? If an email address is compromised, would the attacker not be able to access all the sites where the person has accounts?
Dave Smith - 2016-03-21 18:12:58 - In reply to message 4 from Manuel Lemos
Just knowing someone's e-mail addy does not get you access to their accounts. If the e-mail account is compromised, then the attacker would be able to reset passwords on sites that use the e-mail address as the login; an exception would be the sites that also require a personal Q&A before any reset action takes place.
The recommendation to users is to have a different password for each account, that way if one login/password pair is compromised the rest are still secure.
If a social media account is available for authentication, then all the attacker needs is the login/password pair for the social media site. Once logged in to the social media account, they will be authenticated for any other account attached.
Just because a site allows authentication through a social media account does not mean the user has to attach it to that site. My recommendation to any user concerned about security is to never use the option to sign in using their social media account, even if the site provides the option to do so.
These universal login systems are a huge security risk and one of the main entry points for an attacker.
We are getting a bit off topic from the article though. Validating the quality of an e-mail address is not the same thing as authenticating a user even though it certainly can be a first step in authentication.
Dave