Email hijacking
2 points by sanj on Dec 8, 2007
A lot of sites seem to have users sign up using an email address and password and nothing else. The admirable goal is to minimize the friction in signing up.

But it seems like that can invite a pretty serious issue that I've been calling "email squatting".

The problem is that these sites don't verify that the person who signed up with a particular email address is, in fact, the legitimate user of that email address.

Consider someone signing up with my email address: foo@bar.com. Now I'm not going to be able to use that email address, because it is already taken. Worse, if messages are sent to that account, such as invitations, the attacker can accept them, since they typically see the invitations on the site in addition to them being sent to the email address.

As the legit user, I might see the invites, but won't be able to log in at all. Worse things can happen: once the attacker signs up, they could make this email address secondary and add another, primary address so that they see all of the messages.

Here's a solution:

Rather than asking for an email address and password on the front page, have a "Try It" button and a box for the user to enter an email address. When they click on the box, the system sends email to that address with a "signup" link, signed with an encrypted hash of the email address.

When the (legit) user clicks on the link, they come back to a signup page, the system checks the encrypted hash and we're good to go.

I realize this adds another step, but the hijacking problem is real. For sites dealing with any sort of sensitive information, it needs to be dealt with.

Are there better solutions that have less friction?

Or am I just being overly paranoid?
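
The signed signup link described in the post, as an added example that is not part of the original post: the "encrypted hash" is implemented here as an HMAC-SHA256 over the address, and an expiry time is added so that a leaked link stops working. The key, lifetime and function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import time

# Assumption: a server-side secret that never leaves the server (constructed value).
SECRET_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 24 * 3600  # assumed link lifetime, in seconds


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def make_signup_token(email, now=None):
    """Build the token placed in the signup link mailed to `email`."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    payload = f"{email.strip().lower()}|{expires}".encode()
    return f"{_b64(payload)}.{_b64(_mac(payload))}"


def verify_signup_token(token, now=None):
    """Return the verified address, or None if the token is forged, altered or expired."""
    try:
        payload_part, mac_part = token.split(".")
        payload, mac = _unb64(payload_part), _unb64(mac_part)
    except ValueError:
        return None
    # Check the MAC before trusting anything inside the payload (constant-time compare).
    if not hmac.compare_digest(mac, _mac(payload)):
        return None
    email, expires = payload.decode().rsplit("|", 1)
    if (time.time() if now is None else now) > int(expires):
        return None
    return email
```

The account is created only after `verify_signup_token` returns an address, so nobody can claim an address whose mailbox they cannot read.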
