Upon new user creating account, email is not verified!

Luis

abiy877 Hi! We deliberately chose not to require email verification to allow individuals who prefer not to share their email addresses to still use our service. Thus far we have received 1 report of an account being set up using someone else's email. We are closely monitoring this.

Vlad

abiy877 As Luis said we do this for privacy reasons as Kagi does not really need an email address to operate. Would adding a checkbox to verify your email during signup be a good solution?

abiy877

Vlad

Hello! Thanks for replying. It's not clear how I sign up without an email address. It is required "We require an email address to be able to verify the account really belongs to you in the following cases..." as per this url on the sign up page:

https://help.kagi.com/kagi/faq/faq.html#why-does-kagi-search-require-an-email-address

I would post a screenshot but your system does not allow me to upload one.

Vlad

abiy877 We need something that looks like an email address but it does not need to be a real email address. This allows that both people who want to use their real email address can use Kagi, and also people who do not want to share their real email address (for privacy reasons) to use Kagi. We do this to emphasize that Kagi does not want or need any personal information from the user.

abiy877

My point is that IF you create a user account with email address as the identifier you MUST send an email to that address which the owner will confirm to verify that it is actually his/her/their address. Otherwise a person can make an account by giving any email address - one belonging to someone else or one that does not even exist.

abiy877

Hi Vlad:

According to Kagi documents, that is not correct: https://help.kagi.com/kagi/faq/faq.html#why-does-kagi-search-require-an-email-address

It suggests a person could use "an anonymous email provider such as SimpleLogin" but that service provides a functional email address with a relay to a your real email address. So, Kagi instructions do not indicate that someone can sign up with a made-up email address (ficticious@domain.tld for example) which is what you seem to be saying: "something that looks like an email address."

If Kagi really does not require an email address, the sign up page should ask for the customer to create an account using USERNAME and password. Upon your system confirming the chosen username is not already registered in your system, you could then dump someone into their account page where they could OPTIONALLY enter an email address and name or whatever you might optionally ask for. Then at that point, if the user chooses to enter an email address, you do a proper verification routine before linking that email address to the user's USERNAME.

I think having a way for Kagi to contact me to let me know if a payment failed or about other account or service issues is a good idea. Also email is good for doing password resets. I don't think you should encourage people to sign up with a made-up email address or to use someone else's email address.

I'm just tring to be helpful here before you guys get too big to change things and have to deal with support tickets for email address issues. I do appreciate your privacy-focuses efforts in general!

Vlad

abiy877

The FAQ entry just above the one you referenced states this

"You can create a Kagi account with any email address including a fake one (we do not care or verify it, it is just an id for logging in)"

https://help.kagi.com/kagi/faq/faq.html#why-trust

If Kagi really does not require an email address, the sign up page should ask for the customer to create an account using USERNAME and password.

Kagi really does not require it. However it is a convenience for many to have this link (for example to restore one's password) so by user ID accepting an email address we will attempt contact when needed and achieve both purposes.

you could then dump someone into their account page where they could OPTIONALLY enter an email address and name or whatever you might optionally ask for.

Instead, what about a checkbox below the email address entry saying send a verification link to my email address?

One thing to understand is that Kagi users come from very different backgrounds and have very different requirements.

Check some of these threads to understand the kind of requirements:
https://kagifeedback.org/d/3813-enable-anonymous-registration-no-email
https://kagifeedback.org/d/493-enable-anonymous-payments-ala-bitcoinmonero/

Our current system is a result of best effort to cater to as widr group of Kagi users with an UX that is still simple and familiar.

abiy877

Hello Vlad! Thanks for the links, I see it is something you have been working on and is a work-in-progress. I think I agree with @TyroneHelmsman in the first thread you referenced. That, in essence, was my idea of signing up with username (could be a system-generated one or not) then next page you have the option to add email address with an explanation of the benefits. Also someone could come back at any time and add an email address to their account (defined by the username).

Having a check box to optionally verify the email is not entirely useless as it confirms that the Kagi system can send email to the user's system, but that was not the reason I wanted verification. I wanted it mostly due to other people using my email (unintentionally I assume, it happens from time to time).

Somehow it just seems 'wrong' to me to encourage use of a made up email address.

I'll leave it there then. Thanks for the pleasant discussion and I wish you the best going forward with Kagi. You will probably be getting some money from me soon (not via crypto)!

frin

I think the solution would be to send an email to the provided email address, which contains a link where you can "destroy" the account or free it up, in case someone uses your email address. This email link should only be valid for like 2 weeks, in case a user actually changes the email address, which gets freed up (for example, loss of domain name).

This way you don't have to verify if it is a valid address, but the owner still has a chance to be notified and fix it.

Also provide a warning that if you use an email address that is either invalid or not yours, it is at your own risk.

navigate5

I know someone who mistyped their email and is having the same problem. Adding a checkmark to verify (or ideally send a verification email by default unless they click the checkmark to not verify email). They're also having separate UI issues in even seeing what email they put in (still not related to this idea though)