Thoughts on immediate login pre-email confirmation?

(Patrick) #1

A user hits the forum, wants to jump in, then, of course, needs to register. Upon completing the registration, however, they are prompted to confirm their email before being able to do anything on the forum as a user, such as editing their profile.

I completely understand the reasons for this, however I think there is big value in being able to allow a user in immediately, with their email needing to be confirmed in, say, 24 hours. Having them leave the forum, swing over to their email, then back to the forum seems like an easy way to turn people off returning…I like the idea of letting them in right away, while we have their attention.

Any thoughts on how to go about implementing this?

(Kevin P. Fleming) #2

If your goal is to maximize the opportunity for your forums to receive spam, you’ll be well on your way :smile:

(Jeff Atwood) #3

This already exists, use the “Invite Friends to Reply” button at the bottom of each topic, that is exactly what it is designed for.

Users of higher trust level can invite new users in who can begin posting immediately. You can also see this on the Invites tab on your user page, where you can invite people to the site (rather than a specific topic) as well – we got this implemented didn’t we @eviltrout?

That’s why it is a trust function. If we trust you then we can probably trust your friends. And the record of those invites shows up on your user page forever, so if you invite jerks…

(Robin Ward) #4

Yup it should be on your invites page as a button.

(Patrick) #5

Thanks for the quick replies, @codinghorror, @eviltrout. You’re the best and discourse is off the charts wicked. Thank you for the remarkable system!

That invite functionality is sweet-sounding, good planning, and will definitely be useful for users to invite other users. The forum will be for a niche group, though, and direct invites to people I personally know won’t be a lot. But I’ll be promoting the forum on social networks and whatnot.

To be clear, I completely recognize the potential spammer issue, as well as the general benefits of having users verify their emails. What I’d like to do is set-up the registration as I mentioned, with a delayed confirmation email, and then monitor the pros vs cons, and the extent to which spammers become an issue. I can always revert back to the confirm-email process if/when it’s clear the other plan is a bad idea.

So, since that invite functionality, by-passing an immediately required click on an email confirmation link, is coded up already, is it conceivable that I could fairly easily implement that same functionality for general registrations? And with the invite system, are those users still at some point required or prompted to confirm their email address?

(Jeff Atwood) #6

We have no plans to do anything that you just described. Sorry.

(Patrick) #7

I don’t imagine you do, and that’s completely understandable! My question is rather, in your opinion, if this is a fairly simple customization/modification for me to try out myself (as wrong/stupid/irresponsible as it may be!) :smile:

(kmg90) #8

Doesn’t using Mozilla Persona’s or any other OpenID-like system already eliminate this problem?

(Matt Bidinger) #9

I’ve done this on forums that get a few dozen registrations, a few dozen threads, and several hundred posts daily - it worked great. Spam wasn’t a problem, as we had automated systems to filter known spambot IPs/Emails against SFS and when banning users we also placed a temporary ban on their IPs (and cookied them so when they came back with a different username/email/IP we’d get an alert that it was a previously banned user). The automated system was maintained to filter spambots as xrumer continued advancing, and the manual spammers were managed without problem by the moderation staff - only a minority of humans bothered trying to spam, but we blocked thousands of bots daily (site gets a few million visits monthly). Email never helped us with spam - trivilal for bots to automatically generate email accounts, trivial for bots to automatically verify email, too easy for humans to create new free email accounts, and unreasonable to block free email providers as so many legitimate users use them.

I had customized the forum so guests could see member only buttons/links so it was clear how to take part - if guests clicked member only links they were presented with a nice overlay for registration/login. Then, if they registered they could immediately do most basic functions like respond to that post that inspired them to register, start a thread, or fill out basic profile items - most non-basic functions remained disabled, and a consistent prompt message was displayed at the top of every page encouraging them to confirm their email to fully enable their account. Anyone who didn’t post and never returned verification didn’t matter for, those who stuck around verified early on in order to make that verify prompt go away.

This is the sort of solution you want, and it is the right thing to want, as it is the most technically reasonable as well as the most realistic for a modern community based site. @codinghorror should reconsider the approach, and I’ll lay out some further reasons of why not doing so is unreasonable.

The concept that email address is somehow important, or even fundamentally important to a discussion site is folly. It’s a dingle-berry left over from internet concepts of days gone by, when free email accounts weren’t infinitely available and most people used an account provided by their ISP. However, on the internet of today email on discussion forums is only relevant for legitimate users, who want to receive messages from the discussion forum - others just lie or create throw-away emails. For those legitimate users, having a verified email is useful to keep them in touch. For anyone else, especially malicious or disruptive users, it is no sort of hurdle as emails are just too plentiful and easy to come by - they are an infinite resource. Any thought of filtering users based on email is a poor investment of resources - its a rabbit hole you don’t want to go down, as it can never be an effective solution.

So having a users email is only good for one thing - emailing users who want to get email from your site. Those users will be happy to provide a real email, and you don’t have to block them from participating in order to get it from them. In fact, you gain nothing by blocking them, so really it’s a question of why would you want to gate access based on email verification. We chose to only gate advanced user features/functions based on email verify, in order to reward those good users who chose to verify so they felt like they got something worthwhile in return.

So requiring email as some sort of important prerequisite to immediate user participation/satisfaction is just another barrier to encouraging people to be active in your community, rather than twitter/facebook/a million other options they have now. Giving the immediate ability for new users to take part, and experience what your community has to offer first hand… This is your best bet at inspiring guests, converting them to members, and presenting them a value proposition that keeps them around. There is a small conversion window to turn guests into members, and the better your value presentation the more efficient you will convert - platform is a big part of that important community process.

Of course, this is just my perspective, and it by no means has to be the perspective of Discourse development. I do believe the perspective of Discourse development should be one that is reasonably well supported, and when possible clearly justifiable even - they’ve already accomplished a lot of smart things so they demonstrate they place their priority here. I’m not sure I’m on the same page with the current email requirement as the current policy just seems unrealistic against how legitimate/illegitimate users actually treat email in the real world. Maybe there are variables at play I don’t understand, or I am missing an important part of the picture, but registration and user management is a topic I’ve given years of thought to, so I’d hope I’m not entirely in left field here. I’m open to enlightenment for where I’ve gone off the rails.

(Jeff Atwood) #10

Correct, and how do you engage in a conversation if you aren’t notified via email when people are talking to you?

That is as fundamental as it gets.

And yet, participating on twitter/facebook/those million other options all require email registration.

(Luke S) #11

By visiting the site? I understand wanting email as a backup contact method. I also get using it as an extra triplayer to make things more difficult for spambots. I find the idea that some people have that they should be able to do most or all of their forum interaction through email odd. I certainly don’t want all of that cluttering up my email folders.

(Patrick) #12

Thanks @IMOG for the contribution and sharing your experience.

I feel that my overall very basic “thought” here is being overwhelmed and lost/buried.

I do not disagree with the need for email registration, blah blah blah…and that is a big tangent. All I’m saying is that I would like to try the idea of allowing users immediately in upon registration, with them needing to confirm their email address within a specified period of time such as 24 hours, compared to the currently required “immediately confirm before anything else”.

And my main question is whether or not it would be fairly simple to use the “invite friends” code/functionality within the general registration to accomplish this task.

@IMOG hit on this here:

(Matt Bidinger) #13

[quote=“codinghorror, post:10, topic:11223”]
Correct, and how do you engage in a conversation if you aren’t notified via email when people are talking to you?

That is as fundamental as it gets.[/quote]

You are clearly making an assumption. Essentially, “Users engage in conversation dependent upon email notifications.” You may need to question your assumptions, and if you are ever going to do it better before you have a finished product than after. I’m guessing you’ll take the "never option. :slight_smile: To each their own.

Note I’m not saying you don’t know what you are doing. However I am saying that you are making an off base assumption. Many users find email important to engage, many others don’t, perhaps even more don’t care about email notices - looking at open rate and click through data for any site of reasonable size, and in that you would find hard statistical evidence that more people don’t want the notifications than who actively use them. Many have privacy concerns, others don’t want to be bothered when they aren’t on the site, and there’s a million other explanations because internet people are funny that way - they are all different.

Most importantly, we are talking about email verification here, not if you have an email to use or not. Verification doesn’t need to happen before anyone dips their toes in the water - make it easy and apparent to the user and they can verify at their convenience. Even more importantly, email notifications are meaningless for every single user you fail to convert into a full member… If they were going to share some simple insight, but are busy at the time and see they have to activate, they might just not bother ever getting back to it.

Your assumptions are hurting user conversion, when you could postpone email verification at literally no cost (you still achieve the objective of verifying an email, just later than sooner), while still enabling engagement in the community meanwhile. I hope that’s not too strong, but unmistakably clear.

For instance here on discourse, I don’t want to be bothered with email notices. If I’m not on the site, I don’t have time for it and I don’t want to be distracted. When I have time for it, I come back to the homepage and reference the onsite notifications - discourse is really cool about making that thoughtless-easy. I probably have gotten some email notifications, but I haven’t seen them on my PC or phone - I probably went through the trouble of filtering them into trash or spam when I setup my account.

Requiring email registration isn’t being contested. Email verification is the topic. The discussion is about when it occurs and how usable a Discourse site should be until it is complete.

You are doing email verification completely different than the way Twitter and Facebook does it. Worse yet, you are doing it the same way forums have done it since the 90’s.

Twitter and Facebook don’t require instant email verification. They allow you to use most of the functionality of the site, and verify at your convenience. (They do make an ominous claim that some features aren’t available until you verify and you won’t get any notifications, but test this and you’ll find most common functions work just fine). This just so happens to be the path I am encouraging you to consider (since Patrick brought it up), which you are refusing out of hand, while not appearing to give the suggestion a charity of a moment’s thought.

I’m going to take a break here. Frustration isn’t engaging. :slight_smile:

(Matt Bidinger) #14

I agree with you completely Patrick. I get too long winded, and the core of the idea got lost so I appreciate you bringing it back on topic.


(Jeff Atwood) #15

Forum topics are almost always social and opinion based, such as “let’s talk about the latest Britney Spears album”, “what’s the best burger in town”, “share pictures of your pets”, where everybody in the world can have an effortless opinion on the matter.

I mean, forget the spam problem, which is already enormous, but the noise of random drive-by Internet users mindlessly sharing their “opinions” with your forum. Will this make your forum better? In my experience, never. This would be massively harmful. You do not want zero barriers in front of people typing their opinion on a web page. You want them to understand your community and the conversations that go on there before spouting off.

Now compare with the science, data, and fact bent of say Stack Exchange, where barriers to participation are intentionally much lower – because not everyone will have an opinion about how to compile your Java project. A lot fewer people know Java, and the particulars of your weird Java problem, than have an opinion about Britney Spears’ life and music.

On top of all that, what you want already exists through the trust system. Users at trust level 2 can invite other users to participate who don’t have to register at all. They can click a link and start typing. Simply click the “invite” button on your user page, or click the “invite friends” button at the bottom of every topic. (You have not quite achieved this trust level here yet, so you won’t see it.)

Reply button while logged out
"How do I start my new Topic" - UI / UX Improvement Request
(Matt Bidinger) #16

Thanks. That is a perspective I can relate to, even if I don’t entirely agree still for some niches. I see where you are coming from on it though and appreciate your thoughts.

(Kevin P. Fleming) #17

I would take @codinghorror’s comments in a slightly different direction; unlike Twitter, Facebook, etc., on a forum that is attempting to provide a useful service to a particular community, the members of that community expect (in some cases, demand) that the content they see be of at least some value to them, and not be drive-by trolling, uninformed opinions, and other drivel. On sites where you ‘discover’ content and decide on its value to you, a lower barrier to posting is perfectly reasonable. It’s completely reasonable to place a very small burden (or two) in front of someone before they ‘jump into the fray’, to give them the opportunity to ensure that they are doing something that will be useful to both themselves and the community of the site they are joining. It’s by no means perfect, of course, so moderation and other mechanisms are still necessary, but it’s quite helpful.

(Matt Bidinger) #18

Ya, I think that makes sense, especially when it helps to weed people out.

Where I fall off is in many situations where it is fixing a problem that wouldn’t exist. For instance, if you run a community for RC airplanes, is it reasonable to preemptively defend against casual/surfby low quality content contributions? I don’t know… RC hobbyists are pretty niche, most people don’t have an opinion on RC engines, RC electronics, RC upgrades and such. People who end up on that site and don’t immediately bounce for lack of interest are often somewhat relevant to the discussion, because why else would you land on an RC airplane forum?

Where I start to fall in line is in the comparison to StackExchange - codinghorror mentioned that as an example of primarily science/data/fact based technical discussion with intentionally low barriers to entry because it is self-insulating. I see a lot of technical communities as more similar to SE than he does. In the big picture, developers are just programming enthusiasts. The enthusiast segment is a dominant segment, maybe a characteristic trait even, for forum communities. PC enthusiasts? A lot of people have an opinion on the pros/cons of selecting RAM rated at 1600 or 2400, but it doesn’t attract regular folks. RC planes? Most regular folks don’t have opinions on the best engine choice. Vacuum cleaners? Not going to attract a lot of drive by posts with threads like this. Many forums by their nature take on a very strong enthusiast crowd which is naturally self-insulating, similar to SE which is the perspective I was coming at this from.

If I’m talking to my friends about 150L of liquid nitrogen I just bought and the pros/cons of using rice, vaseline or liquid electrical tape to protect the motherboard and CPU from frost damage… I don’t need email verification to keep out the Britney comments. I also don’t need email verification to hassle anyone else that may have casual interest in taking part in that discussion. I got into computers with a casual post on a forum in 2002 not planning to be a permanent resident and I had browsed silently for years, even been on the registration page before but that day for whatever reason I finally bothered creating and verifying an account. 12 years later and they still haven’t gotten me to leave… That first post ended up defining the course of my personal and professional life.

What if I just kept lurking on that fateful day in 2002? Maybe I’d be a less socially awkward geek, I’d probably relate better to attractive females, and my social network wouldn’t primarily consist of people scattered around the globe that I mostly only know from the internet. So ya, maybe email verification could save someone more fortunate from meeting my fate.

(Kevin) #19

So look forward to Discourse!

(Matt Bidinger) #20

So I’ve lurked hacker news as long as I can remember, but I just signed up today.

What is their registration process? Username and password. Not even a password confirmation field, it was very nice and easy to post a comment requesting some specifications regarding the topic of conversation. I didn’t really have to post the comment, but if it receives a response the answer will be of great technical importance… It was easy and quick enough to post my comment that I didn’t bail out.

Possibly worth checking out their registration process:

You can add an email address if you want, but only after you create the username/password, you just have to click on your username in the top right. They list a message there on that page, and its not intrusive and beautiful in its simplicity:
“Please put a valid address in the email field, or we won’t be able to send you a new password if you forget yours. Your address is only visible to you and us. Crawlers and other users can’t see it.”