Why make new sign-ups to my SaaS verify their email?

We’re currently working on the customer sign-up/“onboarding” for Feature Upvote. We’ve been debating why and how we should do email verification for new customers.

Pro:
So far the main reason I can think of is to ensure that customers entered their correct email so that if they forget their password in three months time they can use the “reset password” option.

Con:
When new signups need to switch to their email, there is a good chance they’ll be distracted by their inbox, and we’ll lose their attention, and they may never continue our onboarding.

Are there other important reasons for doing email verification? Do you do this in your SaaS?

I don’t and haven’t noticed any problems with it. I think for the most part people have it set for auto complete anyway, any positives are out weighed by the negatives of breaking their flow when they are just trying to work out if they can get benefit from your tool or not

There’s an intermediate option where you can continue with your onboarding process without requiring e-mail validation, but then inside your app (is it an app?) keep some kind of alert or notification that their e-mail hasn’t been validated yet and they should click the link you sent to their email when they can. I’ve seen this type of system on other places, but can’t recall where…

This should give you a bit of both worlds. You’ll still get your customers e-mail validated but don’t break the onboarding flow.

This I like. We’ve gone ahead and implemented this, and it works nicely.

We don’t have “email verification” per-se but we do auto-generate password and send it to the email in the account. User can change password at any time.

pro: no spammers, real email address=real lead, “reset password” option.

con: cannot think of any.

I don’t feel as strongly about this as the site itself, but it seems that sending a password via e-mail is a viewed as a bad practice: http://plaintextoffenders.com/faq/devs

I’m just about to launch my SaaS which is an alert messaging system and that doesn’t require the subscriber to verify, however the contacts have to verify their contact details to ensure we aren’t delivering to the wrong user (typo) and for me to avoid someone spamming someone as a “contact”.

The rationale is that users have a tendency to reuse their passwords - and it’s very true, but when you generate a temporary password for the user, this issue is not a legit concern, as you do know for a fact that the user is not using that password for anything else.

Sending the user their own passwords by email is a major security issue. Sending a newly generated password isn’t exposing anything beyond the user’s access to your own service, which may or may not be an issue.

In my specific case for trying out adminpanel-generator project https://quickadminpanel.com/ for free, I have a real problem/pain with un-verified email.

For every registered user we create a space for their admin panel - files, folders, database records etc. And for tire-kickers who don’t actually do anything we are still using that space, need to do some cleanup later to not overpay for storage.

So I’m thinking to introduce email validation, cause more and more free users come just to look around and possibly some of them are even spam bots, still not sure about it yet.

Definitely helps a bit with spam, though not as much as captcha or similar. I usually send the email, but let people in right away. The only thing to consider with this approach is to perhaps limit some functionality. For example, on an app I’m working on, we let you create a project and all that, but you can’t start inviting people to collaborate until you validate your email. This prevents spammer signup and spamming tons of addresses by inviting them to the project. We also limit the number of projects and other things you you can do while not validated.

Like others said above, the pro is people get right in and you get perhaps a little higher “correct” email rate. Also helps a bit against spammers, though good spammers will automate link clicking for email addresses.

We have a “hidden” email verification for trials at https://www.jitbit.com/ here’s how it works:

• User signs up. A welcome email with a link is sent to them.
• User is redirected to the app immediately, everything works, except for some “dangerous” features that can be used by spammers (you can’t create more than X users, you can’t import a zillion data etc. etc.) and we have a hidden “unverified” flag in the database next to this account.
• Once the user clicks any link in our emails (the “welcome” one or any followups) - the hidden flag is removed from the database and the acount is fully operational.

this way we don’t disrupt the sign flow AND we keep malicious users and automated trials away.

In my app I do not validate E-mails, but I intend to change that. The problem is that many people seem incapable of entering their E-mail correctly, which means that one day they will forget their password and E-mail password reset will not work.

I would strongly suggest NOT waiting for the E-mail to be delivered, though. Many systems out there use greylisting: delaying the first E-mail from a new source by up to an hour. You really don’t want to make your user wait for an hour, or you might lose that user. So, I’d say let them in, but still try to verify the E-mail.

Regarding passwords in E-mails: come on, this is a disaster on so many fronts. You shouldn’t even have the user’s password in cleartext, much less send it in an E-mail. Never ever do that. Use SHA512 + salted bcrypt or something comparable for passwords.

Recently on Twitter, Rob Walling shared his experience on this theme:

I’ve never required email verification. It was never enough of an issue that we needed to add the friction.