[Owasp-leaders] email verification

Paweł Krawczyk pawel.krawczyk at hush.com
Thu Mar 16 21:16:05 UTC 2017


On 03/16/2017 08:47 PM, Ali Khalfan wrote:
> I'm interested in soliciting opinions regarding e-mail address
> verification when users enroll in e-banking/e-learning/e-government
> services. Should this always be a necessary step, that a user should
> verify that they own the e-mail?
Hi Ali,

The primary reason for verifying the email is purely functional - people
make mistakes, and if they enter their email with a typo, they may lose
access to the account when it's most necessary - e.g. when they forget
their passwords. With banks it's a slightly different story because most
of them will not rely on email for password reset but rather employ a
risk-based, human-driven process through a call center based on a number
of pieces of sensitive information known only by the client and the bank.
Websites where an email is the *only* verifiable bit of information they
have from the user are much more keen to verify that the email is indeed
working and under the control of the user.
>
> What would be the risk if the user's ownership of the e-mail is not
> verified? I know this may sound like an obvious question, but I keep
> seeing many critical services (such as e-banking) where users' ownership
> of an email address is not verified.

-- 
Paweł Krawczyk
+44 7879 180015
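Added example, not code from the thread or from any of its participants: a minimal single-use, expiring verification-token store in Python, showing the mechanics behind confirming that an enrolled address is working and under the user's control (a mistyped address simply never gets confirmed, and re-sending invalidates the earlier link). The 24-hour lifetime, the class name and the in-memory storage are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of a verification link


class EmailVerifier:
    """Issue and check single-use, expiring email-verification tokens.

    Only a hash of each token is stored, so a copied database does not
    let anyone confirm an address they never received mail at.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry is testable
        self._pending = {}       # token digest -> (user_id, email, expires_at)
        self.verified = {}       # user_id -> confirmed email address

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, email):
        """Create a fresh token for user_id; any earlier pending token is dropped."""
        self._pending = {d: e for d, e in self._pending.items() if e[0] != user_id}
        token = secrets.token_urlsafe(32)
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, email, expires_at)
        return token  # goes into the emailed link; the clear token is never stored

    def confirm(self, user_id, token):
        """Return True once, for the right user, before expiry; otherwise False."""
        digest = self._digest(token)
        entry = self._pending.get(digest)
        if entry is None:
            return False
        stored_user, email, expires_at = entry
        if self._now() > expires_at:
            del self._pending[digest]   # expired links are discarded, not kept
            return False
        if stored_user != user_id:
            return False                 # link presented in the wrong session
        del self._pending[digest]        # single use: a replayed link fails
        self.verified[user_id] = email
        return True
```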
