My nomination - when someone has been invited by email to join the site (e.g. in a SaaS system, one user invites someone else to join their team), then don't make them verify their email!
I see this so often, and it adds no security, and bewilders the user.
When someone clicks through from an invite email, you can assume that they have control of that email, so skip email verification and just ask them for their password.
We modified keycloak to do this and it greatly reduced support calls. It's a mystery to me why it's not out-of-the-box behavior.
Ehhhh, that may not be the email address that the invited user prefers to use (or may not even know what email it was).
For example, in my last (extremely large) company, IT would helpfully create multiple email addresses for us (UUID plus firstname.lastname) and you could also ask them to create one that you're used to using. So if someone emailed me at work, it was not obvious which email they used and if I then needed to use those credentials to login on a different device, I wouldn't know what to use.
> My nomination - when someone has been invited by email to join the site (e.g. in a SaaS system, one user invites someone else to join their team), then don't make them verify their email!
Password reset emails usually expire after a short time for security reasons. Maybe the extra verification step when accepting the invite is for similar reasons when the invitation isn't accepted quickly? Unlike for password reset emails, you can't assume invitation emails are likely to be opened soon after being sent either.
The difference with a password reset email though is that it unlocks all of the user's existing data - posts, images, contacts, whatever.
For our invite emails, there is no user data yet, since we are inviting them to join as a new user (in our system - HR SaaS - they are actually a candidate). So there is no exposure in having invite links that work for a week or longer.
In some other use cases, yes, a new user will see some sensitive data, e.g. their teammates' contact details. In that situation there is a case for very short-lived invite links (just as for password resets).
But still we could do so much better than making them enter the email address again.
I think this is an underdeveloped area of usability in auth systems (that I'm familiar with anyway).
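The flow the thread describes (the click on the invite link proves control of the address, so the account is created with the email marked verified and only a password is collected, with the link lifetime chosen according to what accepting it exposes), as an added Python example that is not from the thread, from keycloak, or from any named product. `create_invite`, `accept_invite`, the signing key, the two TTLs and the in-memory stores are all constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

# Constructed placeholder key; a real deployment loads this from a secret store.
INVITE_KEY = b"example-invite-signing-key"
DEFAULT_TTL = 7 * 24 * 3600   # a week: acceptable when the invitee has no data yet
SENSITIVE_TTL = 60 * 60       # an hour: when accepting reveals teammates' details

_redeemed = set()   # nonces already used (stand-in for a database table)
_accounts = {}      # email -> account record (stand-in for the user store)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def create_invite(email: str, team: str, now: float, ttl: int = DEFAULT_TTL) -> str:
    """Mint a signed, expiring, single-use invite token bound to one email address."""
    claims = {"email": email, "team": team, "exp": int(now) + ttl,
              "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(INVITE_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def accept_invite(token: str, password: str, now: float):
    """Redeem an invite. Possession of the link is the proof of address control,
    so the account is created with email_verified=True and no extra mail round
    trip. Returns (account, None) on success or (None, reason) on rejection."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None, "malformed"
    expected = hmac.new(INVITE_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None, "bad signature"      # email, team or expiry was altered
    claims = json.loads(_unb64(body))
    if now > claims["exp"]:
        return None, "expired"            # stale link, see the TTL discussion
    if claims["nonce"] in _redeemed:
        return None, "already used"       # a forwarded or leaked link is one-shot
    if claims["email"] in _accounts:
        return None, "account exists"
    _redeemed.add(claims["nonce"])
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    account = {"email": claims["email"], "team": claims["team"],
               "email_verified": True, "salt": salt, "pw_hash": pw_hash}
    _accounts[claims["email"]] = account
    return account, None
```

The token only carries the address the inviter typed, which is the point raised in the thread about which of a user's several addresses ends up as their login; storing the record with that address at least makes the answer discoverable by support.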
Hmm, but what if I generated a signup email in your name and signed you up for something you didn't want. Seems like a good way to enable harassment and spam.
You could certainly sign someone up for mailing lists that send them a lot of messages that they have no interest in and don't want. It might not be "spam" in the sense of ads, but it's unwanted.