Google should fix their broken account creation process
Frequently I get emails from Google in my Gmail account congratulating me on creating a brand new Gmail account. The problem is that I never created those accounts. The email also says: “Please keep this email for your records, as it contains an important verification code that you may need should you ever encounter problems or forget your password.” The email includes a link for recipients who did not create the Gmail account in question, and the linked page says:
If a new user lists a secondary email address when creating a Gmail address, we automatically send a confirmation message to that address. Unfortunately, users often misspell their secondary addresses, so the confirmation message is sent to the misspelled address instead of the user’s intended address. This confirmation message is not an indication that your address has been compromised in any way. If you receive a confirmation message from Google regarding a new Gmail address that you did not create, you can safely disregard the message.
Anyone can sign up for a Gmail account. Giving a secondary email address is optional but is recommended for security purposes. If a secondary email address is provided, Google should use it to activate the account rather than send a congratulatory message to it. Once that is implemented, a user who inadvertently provides a wrong secondary email address (a typo) will not receive the expected activation email from Google; he will realize his mistake, try again and give the correct address. Currently, if the user never corrects his incorrect secondary email address and later forgets his password, he cannot reset it, because the reset email goes to the holder of the ‘wrong’ address instead.
I don’t understand why Google doesn’t follow the common practice of verifying ownership of an email address before relying on it.

This is a follow-up to my post. Purely out of scientific curiosity (and with no evil intentions) and to verify that the Google account creation procedure is flawed, I typed the username that was used in the account creation and clicked on “forgot password”. The system asked me to either answer a secret question or click on “Forgot”. I clicked on “Forgot” and got an email (addressed to the secondary email address specified) that said “To initiate the process for resetting the password for your gmail Google Account, visit the link below”. I visited that link, chose a new password, and reset the password. I have no intention of logging into that account.
Also, the cynic in me tells me that I wouldn’t consider all these to be cases where the user misspelled the secondary email address. I am sure that in many cases the misspelling of secondary email addresses is just a prank: there is no cost involved for the prankster. Google should have the evidence to support this. In any case, if the person who gave one of my email addresses as the secondary email address did so by mistake, my apologies for shutting them out of their account. If you are reading this and
I have a simple idea for no-spam gmail account creation.
In my post and previous comment, I described why I think the Gmail account creation procedure is flawed and how it can be fixed. While my suggestion, if implemented, is an improvement over the current mechanism, there is still the problem where Google sends email to whatever address is specified in the account creation form — causing spam if the address is deliberately or accidentally misspelled.
I have a simple idea to avoid this spam. If the user provides a secondary email address along with the other information required for account creation, and if the login name is available, the form displays a verification code. The user can activate the Gmail account by sending an email from the secondary email address — proving ownership of the address — with the verification code. If the two email addresses don’t match, the account is not created. Note that though it is easy to spoof the “From” address, the spoofster — I made up the word just now! — won’t know the secondary email address nor the verification code. Of course, Google will get a lot of spam activation emails, but it should be able to filter them out.
This obviously applies not just to gmail accounts but any other account.
Comments?
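The two proposals above (the post's "mail a code to the address and bind it only when the holder confirms" and the comment's "show a code on the form and accept an activation mail from the address that carries it") can be shown side by side in a toy account service. The code below is an added illustration, not code from this post or from Google; the account store, the outbox that stands in for a mail gateway, the 15-minute code lifetime and all addresses are constructed for the example. The point both paths share is that the claimed address is held as pending, receives nothing about the account except a bare code, and is never used for a password reset until ownership has been proven; legacy_flow shows the contrasting behaviour the post describes.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 15 * 60  # assumption: a pending code is good for 15 minutes


@dataclass
class Account:
    username: str
    password: str                         # placeholder; store a slow password hash in practice
    recovery_email: Optional[str] = None  # set only once ownership has been proven
    pending: Optional[dict] = None        # {"email", "code", "expires", "mode"} while unproven


class AccountService:
    """Toy account store; `outbox` stands in for the mail gateway so a caller can
    see exactly which address receives which message."""

    def __init__(self, now=time.time):
        self.accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str, str]] = []  # (to, subject, body)
        self.now = now

    def create(self, username: str, password: str) -> Account:
        if username in self.accounts:
            raise ValueError("username taken")
        self.accounts[username] = Account(username, password)
        return self.accounts[username]

    def start_recovery_verification(self, username: str, email: str, mode: str) -> Optional[str]:
        """Record `email` as *pending*. mode="link": mail the code to the address
        (the post's proposal) and return nothing to the form user. mode="inbound":
        return the code for display on the form and mail nothing (the comment's proposal)."""
        acct = self.accounts[username]
        code = secrets.token_urlsafe(32)
        acct.pending = {"email": email.strip().lower(), "code": code,
                        "expires": self.now() + CODE_TTL_SECONDS, "mode": mode}
        if mode == "link":
            self.outbox.append((email, "Confirm recovery address", code))
            return None
        return code

    def _finish(self, acct: Account, presented: str) -> bool:
        p = acct.pending
        if p is None or self.now() > p["expires"]:
            return False
        if not hmac.compare_digest(p["code"], presented):  # constant-time comparison
            return False
        acct.recovery_email, acct.pending = p["email"], None
        return True

    def confirm_by_link(self, username: str, code: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.pending is None or acct.pending["mode"] != "link":
            return False
        return self._finish(acct, code)

    def confirm_by_inbound_mail(self, username: str, from_addr: str, body: str) -> bool:
        """A forged From header alone is not proof: the mail must come from the
        pending address *and* carry the code that was only shown on the form."""
        acct = self.accounts.get(username)
        if acct is None or acct.pending is None or acct.pending["mode"] != "inbound":
            return False
        if from_addr.strip().lower() != acct.pending["email"]:
            return False
        return self._finish(acct, body.strip())

    def request_password_reset(self, username: str) -> bool:
        """Reset mail goes only to a verified address; a pending one gets nothing,
        so a typo or a prank cannot route the reset link to a stranger."""
        acct = self.accounts.get(username)
        if acct is None or acct.recovery_email is None:
            return False
        self.outbox.append((acct.recovery_email, "Password reset", secrets.token_urlsafe(32)))
        return True


def legacy_flow(svc: AccountService, username: str, password: str, claimed: str) -> list[str]:
    """The flow the post complains about, for contrast: the claimed address is
    bound without proof, so a stranger receives the welcome mail and, after a
    forgotten password, the reset link as well. Returns the recipients."""
    svc.accounts[username] = Account(username, password, recovery_email=claimed)
    svc.outbox.append((claimed, "Congratulations on your new account", "welcome"))
    svc.request_password_reset(username)
    return [to for to, _, _ in svc.outbox]


def demo() -> dict:
    """Walk both verified paths on constructed sample data."""
    svc = AccountService()
    # alice mistypes her address; the stranger receives only a bare code.
    svc.create("alice", "pw")
    svc.start_recovery_verification("alice", "stranger@example.org", "link")
    reset_unverified = svc.request_password_reset("alice")   # refused: nothing verified
    # alice sees no confirmation, retries with the right address, and clicks the link.
    svc.start_recovery_verification("alice", "alice@example.org", "link")
    link_ok = svc.confirm_by_link("alice", svc.outbox[-1][2])
    # bob uses the inbound path; a forged From without the code is rejected.
    svc.create("bob", "pw")
    shown = svc.start_recovery_verification("bob", "bob@example.org", "inbound")
    spoof_ok = svc.confirm_by_inbound_mail("bob", "bob@example.org", "not the code")
    inbound_ok = svc.confirm_by_inbound_mail("bob", "bob@example.org", shown)
    svc.request_password_reset("bob")
    return {"reset_unverified": reset_unverified, "link_ok": link_ok,
            "spoof_ok": spoof_ok, "inbound_ok": inbound_ok,
            "recipients": [to for to, _, _ in svc.outbox]}
```

Running demo() shows the stranger's address receiving exactly one message (the bare confirmation code) and never a reset link, while in legacy_flow the same mistyped address receives both the welcome mail and the reset mail. The clock is injectable so that code expiry can be exercised without waiting.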