Configuring e-mail confirmations
It is recommended to use all of the e-mail confirmations Kentico provides. E-mail confirmations protect users from being subscribed to mass e-mails, or having their passwords changed, without their knowledge.
Password change confirmation
You can allow users to retrieve their passwords (or be assigned new ones) if they forget them. It is good practice to require users to confirm that they really want to change their password. Otherwise, if a password were changed immediately after someone clicked the Forgotten password link, anyone could abuse the feature to lock other users out of their accounts. Although the system would e-mail the affected users their new passwords and they would still be able to log in, this would be very annoying for them.
To require the users to confirm the password change, check the Reset password requires e-mail approval option in Settings -> Security & Membership -> Passwords.
You can learn more about forgotten passwords in the Forgotten password topic.
E-mail confirmation for newly registered users
It is recommended to require users to confirm their registrations on your website via e-mail. This protects users and their e-mail addresses from identity theft: it prevents someone from registering with another person's e-mail address and then acting as that person.
To require the users to confirm their registrations, check the Registration requires e-mail confirmation option in Settings -> Membership & Security.
You can find more information in the New user registration approval and e-mail confirmation topic.
Administrator’s approval of newly registered users
You can configure the system so that after users register on your website (and confirm the registration via e-mail), their accounts are not activated immediately; instead, the site administrator must approve the registration. This helps protect the system from being overwhelmed by fake users and spam bots, and it also allows the administrator to verify the users' identities and the types of accounts they created.
Using this feature improves your website's security, but it can also significantly slow down the registration process and deter potential users. Whether it is worth it depends on the purpose of your website and on how important the true identities of users are.
You can find more information in the New user registration approval and e-mail confirmation topic.
Double opt-in
The double opt-in functionality, also referred to as confirmed opt-in or closed-loop opt-in, adds an additional layer of protection to user subscriptions. When users subscribe to mass e-mails in a module, the system first sends a confirmation message to their e-mail address. Only after the users confirm the subscription by clicking the link included in the message does the system add their address to the subscription mailing list.
Using this functionality is strongly recommended, as it protects users from receiving large amounts of unsolicited e-mail without their knowledge. It eliminates the cases where someone subscribes a mistyped e-mail address, or subscribes someone else's address out of malice.
You can enable double opt-in for these modules:
- Blogs - Allowing users to subscribe to blog comment notifications
- Forums - Managing forum subscriptions
- Newsletters - Enabling double opt-in for newsletters
- Message boards - Enabling message board subscriptions
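The password-change confirmation and the double opt-in flow described above rely on the same mechanism: the request is only recorded as pending, a token is e-mailed to the address concerned, and nothing changes until that token comes back. The following is an added illustrative example of that mechanism, not Kentico's own code. It assumes a server-side HMAC secret, a mailing list and a user table that are all constructed in memory; the in-memory outbox stands in for the mail server, and passwords are kept in plain text only to keep the demo short. Tokens are signed, expire after a configurable time, and are single-use, so a forged, replayed or stale link has no effect.

```python
import hashlib
import hmac
import secrets
import time


class ConfirmationService:
    """Confirmation-link flow: a request is recorded as pending and only takes
    effect when the e-mailed token comes back. Tokens are signed, time-limited
    and single-use. Illustrative code, not Kentico's implementation."""

    def __init__(self, secret, ttl_seconds=3600, now=time.time):
        self._secret = secret          # server-side HMAC key (constructed in the demo)
        self._ttl = ttl_seconds        # how long a confirmation link stays valid
        self._now = now                # clock, injectable so expiry can be tested
        self._pending = {}             # token id -> (action, payload, expires_at)
        self.subscribers = set()       # mailing list; only confirmed addresses land here
        self.passwords = {}            # username -> password (plain text for the demo only)
        self.outbox = []               # stand-in for the mail server: messages "sent" to users

    def _sign(self, token_id):
        return hmac.new(self._secret, token_id.encode(), hashlib.sha256).hexdigest()

    def _issue(self, action, payload, address):
        # Record the request as pending and e-mail a signed token; nothing else changes yet.
        token_id = secrets.token_urlsafe(16)   # never contains '.', so the split below is safe
        self._pending[token_id] = (action, payload, self._now() + self._ttl)
        token = f"{token_id}.{self._sign(token_id)}"
        self.outbox.append({"to": address, "action": action, "token": token})
        return token

    def request_subscription(self, address):
        """Double opt-in: the address is NOT added to the list until confirmed."""
        return self._issue("subscribe", {"address": address}, address)

    def request_password_reset(self, username, address):
        """Forgotten password: the password is NOT changed until confirmed."""
        return self._issue("reset_password", {"username": username}, address)

    def confirm(self, token):
        """Apply the pending action for a valid, unexpired, unused token.
        Returns True on success, False if the link is rejected."""
        token_id, _, signature = token.partition(".")
        if not hmac.compare_digest(signature.encode(), self._sign(token_id).encode()):
            return False                              # forged or tampered token
        entry = self._pending.pop(token_id, None)     # pop makes the token single-use
        if entry is None:
            return False                              # unknown or already used
        action, payload, expires_at = entry
        if self._now() > expires_at:
            return False                              # link too old; the request is dropped
        if action == "subscribe":
            self.subscribers.add(payload["address"])
        elif action == "reset_password":
            # Assign a fresh random password only now that the owner has confirmed.
            self.passwords[payload["username"]] = secrets.token_urlsafe(12)
        return True


if __name__ == "__main__":
    svc = ConfirmationService(b"constructed-demo-secret", ttl_seconds=3600)
    link = svc.request_subscription("alice@example.com")          # constructed address
    print("on list before confirmation:", "alice@example.com" in svc.subscribers)
    print("confirmed:", svc.confirm(link), "replayed:", svc.confirm(link))
    print("on list after confirmation:", "alice@example.com" in svc.subscribers)
```

The important property is visible in `request_subscription` and `request_password_reset`: submitting someone else's address, or clicking Forgotten password for someone else's account, changes nothing on the server, so the abuse cases the text describes (unwanted subscriptions, accounts locked by unrequested password changes) cannot occur before the address owner acts on the link.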