uControl Email Verification
The reasons for maintaining verified email addresses are:
· Allowing customers to perform automated user-related actions, such as reset a forgotten password without manual intervention from our support staff.
· A contact point for important user-specific information, such as unusual activity notices.
We do not use user email addresses for product or service information. Product or service information would go to the admin, tech, or billing email addresses for the account.
The process works like this: Steps 1 through 4 have jpg attached below
0) Upon login uControl detects an unverified email address.
1) uControl prompts user to confirm or update email address. (1Confirm)
2) uControl prompts user to check their email to continue. (2Confirmed)
3) Body of sent email message has a clickable link to verify their email address. (3Verify)
4) uControl prompts user with message that their email address is now verified. (4Verified)
At which point they can login normally. See attached screenshots for what a customer sees at each step.
There 2 limits on the link in the email message:
· Can only be used once.
· Must be used within 1 hour of being issued.
These are both security related limits based on best practices for one-time passwords (which is what the link really is).
There are 3 triggers:
· Email address has never been verified (new user or very old user).
· Email address has been changed and not verified yet.
· Has been over 180 days (roughly 6 months) since the email address was last verified.
The expiry time was chosen based on a comprise between maintaining valid email addresses and not bugging the customer too much, thus two mouse clicks twice a year seemed acceptable.