It is recommended to use all the types of e-mail confirmation that Kentico provides. E-mail confirmations protect users from being subscribed to mass e-mails or having their passwords changed without their knowledge.
Password change confirmation
You can allow users to retrieve their passwords (or be assigned new passwords) if they forget them. It is good practice to require confirmation from the users that they really want to change their passwords. Otherwise, if passwords were changed automatically after clicking the Forgotten password button, other users could abuse this feature to lock the users out of their accounts. The system would send the users their new passwords by e-mail and they would be able to log in with the new password, but this would be very annoying for them.
To require the users to confirm the password change, check the Reset password requires e‑mail approval option in Site Manager -> Settings -> Security & Membership -> Passwords.
It is recommended to require users to confirm their registrations on your website via e-mail. This protects the users and their e-mail addresses from identity theft: it prevents other users from registering with someone else's e-mail address and then acting as that person.
To require the users to confirm their registrations, check the Registration requires e-mail confirmation option in Site Manager -> Settings -> Membership & Security.
Administrator's approval of newly registered users
You can configure the system so that after users register on your website (and confirm the registration via e-mail), their accounts are not activated immediately. Instead, the system requires the site administrator to approve the registration. This is useful for protecting the system from being overwhelmed by fake users and spam bots, and it also allows the administrator to verify the users' identities and the account types they created.
Using this feature will improve your website's security, but it can also significantly slow down the registration process and deter potential users. Whether to use it depends on the purpose of your website and on how important the true identities of users are.
The double opt-in functionality, also referred to as confirmed opt-in or closed-loop opt-in, adds an additional security layer to user subscriptions. When users subscribe to receive mass e-mails in a module, the system first sends a confirmation message to their e-mail address. Only after the users confirm the subscription by clicking the link included in the message does the system add their addresses to the subscription mailing list.
Using this functionality is strongly recommended, as it protects users from receiving large amounts of unsolicited e-mail without their knowledge. It eliminates the cases where someone submits an incorrectly typed e-mail address for subscription, or submits someone else's address out of malice.
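The double opt-in flow described above, as an added sketch that is not Kentico's code: an address joins the mailing list only after the token sent to that address is presented. The function names, the in-memory stores and the 48-hour validity window are assumptions made for this illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 48 * 3600   # assumed validity window for the confirmation link, in seconds

pending = {}       # sha256(token) -> (email, list_name, expiry); raw tokens are never stored
subscribers = {}   # list_name -> set of confirmed addresses


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_subscription(email, list_name, now=None):
    """Record a pending request; the returned token goes only into the e-mail."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    token = secrets.token_urlsafe(32)          # unguessable, so only the mailbox owner has it
    pending[_digest(token)] = (email, list_name, now + TOKEN_TTL)
    return token


def confirm_subscription(token, now=None):
    """Called when the confirmation link is clicked; True if the address was added."""
    now = time.time() if now is None else now
    entry = pending.pop(_digest(token), None)  # pop makes every token single-use
    if entry is None:
        return False                           # unknown, guessed or already used token
    email, list_name, expiry = entry
    if now > expiry:
        return False                           # link expired; the request is discarded
    subscribers.setdefault(list_name, set()).add(email)
    return True


def is_subscribed(email, list_name):
    return email.strip().lower() in subscribers.get(list_name, set())
```

Submitting someone else's address, or a mistyped one, only creates a pending entry that expires unless the mailbox owner clicks the link.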