The reasons for maintaining verified email addresses are:
- Allowing customers to perform automated user-related actions, such as resetting a forgotten password, without manual intervention from our support staff.
- A contact point for important user-specific information, such as unusual activity notices.
We do not use user email addresses for product or service information. Product or service information would go to the admin, tech, or billing email addresses for the account.
The process works like this (screenshots for steps 1 through 4 are attached below):
0) Upon login, uControl detects an unverified email address.
1) uControl prompts the user to confirm or update the email address. (1Confirm)
2) uControl prompts the user to check their email to continue. (2Confirmed)
3) In the body of the sent email message, there is a clickable link to verify their email address. (3Verify)
4) uControl prompts the user with a message that their email address is now verified. (4Verified)
At this point the user can log in normally. See the attached screenshots for what a customer sees at each step.
There are 2 limits on the link in the email message:
- It can only be used once.
- It must be used within 1 hour of being issued.
These are both security-related limits based on best practices for one-time passwords (which is what the link really is).
There are 3 triggers:
- The email address has never been verified (new user or a very old user).
- The email address has been changed and not verified yet.
- It has been over 180 days (roughly 6 months) since the email address was last verified.
The expiry time was chosen as a compromise between maintaining valid email addresses and not bugging the customer too much; two mouse clicks twice a year seemed acceptable.
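The two link limits and the three triggers can be expressed as the following sketch. This is an added example, not uControl's own code; the User record, the LinkStore class and the function names are hypothetical, and it assumes the server stores only a hash of each link token and voids a link if the address changes after it was sent.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LINK_TTL = timedelta(hours=1)          # link must be used within 1 hour of issue
REVERIFY_AFTER = timedelta(days=180)   # re-verify once this much time has passed

@dataclass
class User:                            # hypothetical user record
    email: str
    verified_email: Optional[str] = None
    verified_at: Optional[datetime] = None

def needs_verification(user: User, now: datetime) -> bool:
    """Return True if any of the three triggers applies at login."""
    if user.verified_at is None:                    # never verified
        return True
    if user.email != user.verified_email:           # changed, not verified yet
        return True
    return now - user.verified_at > REVERIFY_AFTER  # over 180 days old

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class LinkStore:
    """Pending links keyed by token hash, so stored rows cannot be replayed."""
    def __init__(self) -> None:
        self._pending: dict = {}

    def issue(self, user: User, now: datetime) -> str:
        token = secrets.token_urlsafe(32)   # unguessable value placed in the emailed URL
        self._pending[_digest(token)] = (user, user.email, now)
        return token

    def redeem(self, token: str, now: datetime) -> bool:
        # pop() consumes the entry on first presentation: single use
        entry = self._pending.pop(_digest(token), None)
        if entry is None:                   # unknown or already used
            return False
        user, email, issued_at = entry
        # Assumption: a link is void if the address changed after it was sent
        if now - issued_at > LINK_TTL or user.email != email:
            return False
        user.verified_email, user.verified_at = email, now
        return True
```
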