Configuring email confirmations
It is recommended to use all types of email confirmation that Kentico provides or allows you to implement. Email confirmations prevent users from being subscribed to mass emails without their consent and notify them of password change attempts they did not initiate.
Password change via the Forgotten password functionality
When users reset their password through the Forgotten password functionality on the Logon form web part, they do not set a new password directly. Instead, the system sends a change password request email containing a password change link, and the new password can only be set through that link, which proves that the requester controls the mailbox. An additional confirmation email can be sent after the password has been changed successfully if the Send password reset confirmation email option in Settings -> Membership & Security -> Passwords is enabled; this lets the account owner notice a reset they did not perform.
To learn more, see: Enabling password resets
Email confirmation for newly registered users
It is recommended to require new users to confirm their registrations on your website via email. This protects users and their email addresses from impersonation: nobody can register an account under an email address they do not control.
To require the users to confirm their registrations:
- MVC sites – implement registration functionality with email confirmation. See Enabling user registration.
- Portal Engine sites – enable the Registration requires email confirmation option in Settings -> Membership & Security. See New user registration approval and email confirmation.
Administrator’s approval of newly registered users
For Portal Engine sites, you can configure the system to keep the accounts of newly registered users inactive until a site administrator confirms their registration. This is useful for protecting the system from being overwhelmed by fake users and spambots and it also allows the administrator to verify user identities and the account types they created.
Using this feature improves your website's security, but it can also significantly slow down the registration process and deter potential users. Whether it is appropriate depends on the purpose of your website and on how important the true identities of users are.
You can find more information in New user registration approval and email confirmation.
Double opt-in
The double opt-in functionality, also referred to as confirmed opt-in or closed-loop opt-in, adds an additional security layer to user subscriptions. When users subscribe to receive mass emails, the system sends a confirmation message to their email address first. Only after the users confirm the subscription by clicking the link included in the message will the system add their addresses to the subscription mailing list.
Using this functionality is strongly recommended, as it protects users from receiving large amounts of unsolicited emails without their knowledge. It eliminates scenarios where users submit an incorrectly typed email address for subscription, or subscribe someone else's address out of malice.
You can enable double opt-in for the following modules:
- Newsletters – Enabling double opt-in for newsletters
- Blogs – Allowing users to subscribe to blog comment notifications
- Forums – Managing forum subscriptions
- Message boards – Enabling message board subscriptions
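The password reset, registration confirmation and double opt-in flows described on this page all rely on the same mechanism: a token that is bound to one purpose and one address, expires, can be used only once, and is delivered only to the mailbox being confirmed, so nothing changes server-side until that mailbox answers. The following is an added, platform-agnostic Python illustration of that mechanism; it is not Kentico's code or API (Kentico implements these flows itself, see the linked pages). The ConfirmationService class, its purpose names, the signing key and the email addresses are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: in a real deployment the signing key comes from configuration;
# this literal only exists so the example runs offline.
SECRET_KEY = b"example-only-do-not-use-in-production"
TOKEN_TTL_SECONDS = 24 * 60 * 60


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ConfirmationService:
    """Issues and verifies confirmation links for three flows: 'register',
    'password_reset' and 'subscribe'. A token is purpose-bound, address-bound,
    time-limited, HMAC-signed and single-use (hypothetical class for this example)."""

    def __init__(self, key: bytes = SECRET_KEY, now=time.time):
        self._key = key
        self._now = now
        self._pending = {}         # token id -> (purpose, email); stand-in for a DB table
        self.subscribers = set()   # mailing list: only confirmed addresses end up here
        self.active_users = set()  # accounts activated by a confirmed registration

    def _mac(self, body: str) -> str:
        return _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())

    def issue(self, purpose: str, email: str) -> str:
        """Record a pending request and return the token to embed in the emailed link."""
        token_id = secrets.token_urlsafe(16)
        payload = {"id": token_id, "p": purpose, "e": email,
                   "exp": int(self._now()) + TOKEN_TTL_SECONDS}
        self._pending[token_id] = (purpose, email)
        body = _b64(json.dumps(payload, separators=(",", ":")).encode())
        return body + "." + self._mac(body)

    def confirm(self, purpose: str, token: str):
        """Return (email, None) if the link is valid for this purpose, else (None, reason).
        A valid token is consumed on use, so a leaked link cannot be replayed."""
        try:
            body, mac = token.split(".", 1)
        except ValueError:
            return None, "malformed"
        if not hmac.compare_digest(mac, self._mac(body)):
            return None, "bad signature"          # payload was tampered with or forged
        payload = json.loads(_unb64(body))
        if payload["exp"] < self._now():
            self._pending.pop(payload["id"], None)
            return None, "expired"
        if payload["p"] != purpose:
            return None, "wrong purpose"          # a subscription link cannot reset a password
        if self._pending.pop(payload["id"], None) is None:
            return None, "already used or unknown"
        email = payload["e"]
        if purpose == "subscribe":
            self.subscribers.add(email)           # double opt-in: listed only after confirmation
        elif purpose == "register":
            self.active_users.add(email)
        return email, None


def demo():
    """Walk through the cases the page describes; returns the outcomes for inspection."""
    clock = [1_700_000_000]
    svc = ConfirmationService(now=lambda: clock[0])
    results = {}

    # A mistyped address receives a mail it never answers: the list stays untouched.
    svc.issue("subscribe", "alic@example.com")
    results["typo_listed"] = "alic@example.com" in svc.subscribers

    # The real owner clicks the link; only now is the address listed, and only once.
    t = svc.issue("subscribe", "alice@example.com")
    results["subscribe"] = svc.confirm("subscribe", t)
    results["replay"] = svc.confirm("subscribe", t)

    # A subscription link is useless as a password reset link.
    t2 = svc.issue("subscribe", "bob@example.com")
    results["cross_purpose"] = svc.confirm("password_reset", t2)

    # Swapping the address inside the payload invalidates the signature.
    body, mac = t2.split(".")
    forged = _b64(_unb64(body).replace(b"bob@", b"eve@")) + "." + mac
    results["forged"] = svc.confirm("subscribe", forged)

    # Reset links stop working after the TTL.
    t3 = svc.issue("password_reset", "carol@example.com")
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = svc.confirm("password_reset", t3)
    return results
```

The server-side pending record is what makes the token single-use: the signature alone would let a captured link be replayed until it expired. Binding the purpose into the signed payload is what stops a low-value link (a blog comment subscription) from being accepted by a high-value endpoint (password reset) on the same site.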