Registration without an email

[User37935]

Currently running XF1.5 (probably updating to 2.x but open to IPB at some point)... wondered what options, if any, exist for user registration without an email address? Either in the core software or a plugin?

For example, providing a mobile number which a code can be sent to? Or some other way to verify via an app? Or not to bother with an email address at all (and not ask the user to validate)?

I'm exploring ideas about more anonymous registration and also to use a mobile verification rather than email verification.

 

[doubt]

Or not to bother with an email address at all (and not ask the user to validate)?

It could have a disastrous consequence. Bots could register by the hundreds.

 

[haqzore]

It could have a disastrous consequence. Bots could register by the hundreds.

100% false.

Email validation does nothing to stop spam. Bots have been able to click email links for a decade+ now.


Ingenious - what is your end goal? Why do you want to even validate a mobile #? What are you going to do with it later?

 

[doubt]

100% false.

Email validation does nothing to stop spam. Bots have been able to click email links for a decade+ now.

I do not have a single spam from "members" Awaiting email confirmation.
(That is 0% spam)

 

[haqzore]

I do not have a single spam from "members" Awaiting email confirmation.
(That is 0% spam)
View attachment 53716

Right, because bots can & do click email validation links.


To the OP - I don't think anyone can appropriately answer unless/until we know what the goal is.

 

[doubt]

Right, because bots can & do click email validation links.

Good on them.
Did they try to register with a valid(can be temporary)address?

Yes:
They can click on the link. I have a new member provided Akismet did not stop them.
They did not click? They cannot spam.

No:
They cannot click on the link(it's invisible for them), cannot spam.

 

[MagicalAzareal]

Shameless plug since this is in "Forum Software" and with a nice title that might help others.

My Gosora lets you register without emails, but that is neither XF or IPB. No mobile activation however. I've never heard of such functionality for those two, even for sites where they would want users to be relatively private due to the sensitivity of the information posted, but you might find something in the market-place, perhaps.

 

[User37935]

Thanks for the replies.

On the subject of not validating a user's email, I switched that off a year ago (as outgoing emails were often bouncing back, one reason I wanted to move away from dependence on email) and the sum total of zero problems have resulted, no surge in spam, no massive numbers of bots registering, because all the other anti-spam stuff is still active (checking Stopforumspam, blacklisting problem countries, etc).

I don't have a specific goal in mind, just exploring other options as alternatives to email, either registering without one (more anonymous route) or validating via mobile (less anonymous route). Just wondered if anything exists to cater for either.

 

[Joel R]

Invision Community (IPS Community Suite) requires an email address for registration.

I'm a little confused though as to your goals. You say that you want anonymous registrations. Email - and fake email addresses - are as anonymous as you can get. Telephone and mobile validation ensures legitimacy and one-to-one uniqueness, which is the exact opposite of anonymity.

 

[haqzore]

Thanks for the replies.

On the subject of not validating a user's email, I switched that off a year ago (as outgoing emails were often bouncing back, one reason I wanted to move away from dependence on email) and the sum total of zero problems have resulted, no surge in spam, no massive numbers of bots registering, because all the other anti-spam stuff is still active (checking Stopforumspam, blacklisting problem countries, etc).

I don't have a specific goal in mind, just exploring other options as alternatives to email, either registering without one (more anonymous route) or validating via mobile (less anonymous route). Just wondered if anything exists to cater for either.

In my opinion, the first step is to decide your "why", and the path to "what" will be clearer.

Why would you want emails? Or mobile authentication? Or anything else?

Are you going to send newsletters? Sale notifications? Text alerts?

Without an active utilization plan for whatever you validate - it's just another barrier to entry for potential users with no benefit to you (or them) after registration.

 

[mysiteguy]

I looked into mobile number registrations a couple of years ago for one of my own boards but decided against it after researching the topic.

With a mobile number registration, the easiest way is to send the notification via an email gateway to their mobile provider. For instance, with Verizon, you would send it theirphonenumber@vtext.com. Sounds easy, right? Nope. You first have to determine which provider they are using so you know which gateway to use. Well, you can't do that with all numbers programmatically because people can port a number from one provider to another - providers do not "own" the number.

You could ask them to click a checkbox next to whatever mobile provider they are using to determine which gateway to send to but there are even more problems with that. For instance. in the USA if they use Straightalk or Tracfone, they are actually resellers and depending on which phone they have their number could actually be using the Verizon, T-Mobile or Sprint network. You can't expect a user to know this.

There are more issues: you cannot possibly list (or even know!) all providers around the world, and not all providers have an email gateway.

Sure, you can write code to use third party API's like clickatell and twilio which do all the heavy lifting for you. They determine how to send it, and do it for you, easy peasy. But the issue with that is these aren't free the last time I checked. The thought of paying for someone to register isn't appealing to me, especially since the current anti-spam tools are geared towards email addresses and won't do you much good against spammers bombing your registration page with phone numbers.

 

[LeadCrow]

It could have a disastrous consequence

I doubt so. Reddit is the largest example of a website that does not require (anymore) an email or email verification to create accounts, just try it.
Nowadays email is no longer the only source of account control, there's openid-compatible systems like facebook connect, google login, discord, patreon, phone numbers/sms verification, face unlock, trust scores from a couple sources...

Making the signup phase troublesome should never be the fullest extent of a webmaster's fight against botted activity. Even successful signups need activity controlled until they exceed a minimum trust threshold or account age.

 

[Sysnative]

We disabled email verification years ago - decent traffic site (100k-200k monthly uniques) and get very little spam. In our experience this had no negative impact on spam, but it does help users register. We do still record email address though, as they're good for notifications - don't think it's difficult or unexpected for a user to provide either.

For spam prevention, on both vB and XF, this has so far been the best add-on we've used:
https://xenforo.com/community/resou...-spaminator-stop-spam-bot-registrations.7410/

A few human spammers still occasionally get through, but none of the automated stuff as far as we can see.

 

[MagicalAzareal]

One alternative to registrations without emails might be to get users to use some sort of disposable email service, there are plenty if you do a quick search in a search engine. There are also a few email services which don't require you to give any personal info.

 

[mysiteguy]

The problem with disabling email verification is if you sent any sort of announcement or newsletter, depending on the country you may run afoul of laws requiring double opt-in.

 

[doubt]

In case of a lost password it's easy to get it with a user name and confirmed email address.
How to get it without that confirmed email address?
"Contact us" ? How would the admin know that not someone else is trying to access the user's account?
Difficult.

 

[Sysnative]

The problem with disabling email verification is if you sent any sort of announcement or newsletter, depending on the country you may run afoul of laws requiring double opt-in.

That's fair for marketing material. I don't believe it's needed for non-marketing material under GDPR, but would be down to individual forum owners to confirm they're complying with any opt-in requirements.

In case of a lost password it's easy to get it with a user name and confirmed email address.
How to get it without that confirmed email address?
"Contact us" ? How would the admin know that not someone else is trying to access the user's account?
Difficult.

It's never really been an issue for us, and we have 35k+ members. Any regular almost certainly has the correct email input, and anyone else - most likely they can provide us with the email that was registered, and worst case scenario they're just forum accounts... if they've never posted before they can create a new account.

Some niches may suffer from this more, depending on the type of members and activity on the site you get. If you prefer to have email verification, stick with it. Our site doesn't use it though, and it's been working out well for 3-4 years without any issues.

 

[haqzore]

One alternative to registrations without emails might be to get users to use some sort of disposable email service, there are plenty if you do a quick search in a search engine. There are also a few email services which don't require you to give any personal info.

Then why request emails at all?

The problem with disabling email verification is if you sent any sort of announcement or newsletter, depending on the country you may run afoul of laws requiring double opt-in.

Agree, as I mentioned earlier in the thread.

This whole thread is little more than random sporadic thoughts without knowing what the communities end goal is.

In case of a lost password it's easy to get it with a user name and confirmed email address.
How to get it without that confirmed email address?
"Contact us" ? How would the admin know that not someone else is trying to access the user's account?
Difficult.

This is a consideration for sure. Sometimes we forget about things like this.

 

[LeadCrow]

Then why request emails at all?

It's an oldschool method for account recovery. It did the job back when everyone was pseudonymous and didnt have cellphones. Nowadays certain sites like Facebook even allow account recovery using trusted contacts (accounts whose users you personally trust and can ask to verify your identity in case you lose control of yours). Forums remained stuck in early 2000's paradigms in so many ways even small changes are hailed as revolutionary nowadays...

 

[haqzore]

It's an oldschool method for account recovery. It did the job back when everyone was pseudonymous and didnt have cellphones. Nowadays certain sites like Facebook even allow account recovery using trusted contacts (accounts whose users you personally trust and can ask to verify your identity in case you lose control of yours). Forums remained stuck in early 2000's paradigms in so many ways even small changes are hailed as revolutionary nowadays...

Yes, but my reply was to the "disposable" email part. Disposable accounts typically "live" for ~10 minutes before disappearing. So if you're going to allow those, there's no reason to request emails at all.