Compared to login or password reset, you rarely see the email validate before register flow, especially for mobile apps etc. That makes it pretty hard to make the case that this needs to be actioned from a security perspective when even the big companies are not following it either.
i think these days the best practice for mobile apps re retention (other than sso or passkey) is to just ask for an email, then from the validate link continue with register
reason being that more steps to register means more ways people are likely to drop out of the flow, and this is basically about as short as it can be
when the user has validated their email, then they’re more invested so they are more likely to complete
that also fits nicely with what we’re talking about with good security
Just to clarify, would you mean to have the email/validate stage as part of the flow to access the app, or let them continue with just the email with a limited functionality?
either… some apps have just started to do single factor login with just email, profile options can be optional, if there are required fields or terms of service to agree to then that can come after email validation
Compared to login or password reset, you rarely see the email validate before register flow, especially for mobile apps etc. That makes it pretty hard to make the case that this needs to be actioned from a security perspective when even the big companies are not following it either.
i think these days the best practice for mobile apps re retention (other than sso or passkey) is to just ask for an email, then from the validate link continue with register
reason being that more steps to register means more ways people are likely to drop out of the flow, and this is basically about as short as it can be
when the user has validated their email, then they’re more invested so they are more likely to complete
that also fits nicely with what we’re talking about with good security
Just to clarify, would you mean to have the email/validate stage as part of the flow to access the app, or let them continue with just the email with a limited functionality?
either… some apps have just started to do single factor login with just email, profile options can be optional, if there are required fields or terms of service to agree to then that can come after email validation