Account Activation or Not

Ziycon

I'm working on a web application project where all the users signup and login using 3rd party oauth methods, for example FB, Google & Twitter. (No native signup method yet)

I'm trying to make the signup process as quick as possible so I was going to remove the account activation process, so:

Currently

• User comes to the web app.
• Signs up with desired 3rd party authentication provider.
• Email is sent with activation url.
• User clicks on activation url and account is activated.
• User can login.

Proposed

• User comes to the web app.
• Signs up with desired 3rd party authentication provider.
• User can login.

I'm trying to see the pit falls of not getting users to authenticate their account, I would expect a fair chunk of fake accounts would be weeded out on the 3rd party sites that is used for the authentication process.

Also I have the whole app. wrapped in a check to Project Honey Pot which I assume will help limit known spammers from signing up to the web app.

Any advice/insight/suggestions greatly appreciated.

Pelvis

I don't recall ever getting an authentication email from a website if using Facebook or Gmail to login as a new user tbh. I would have thought that was the point?

Goodshape

Your proposed solution sounds fine. With the third party auth from a trusted provider, that should be enough to confirm the persons identity (insofar as it needs confirming for your service, I presume).

The additional email confirmation step would just be a nuisance to your users. Even without the 3rd party auth, getting a fake email address for a signup is as easy as googling "fake email address". It's security theatre.