It’s a good lesson but let’s not forget that completing the signup is not the goal in itself. If you look at post-signup user activity you will find many users stick around for a few minutes and then leave, never to return again.
If someone can’t be bothered to click a verification email, then removing that step is not going to magically turn them into an active user. More likely they will be one of the many people who leave after a few minutes.
I do a signup/onboarding optimization for startups, and here’s what I found from a recent project:
1) The verification email was NOT a significant bottleneck to signups. That is, most people clicked the link.
2) Removing the verification step did NOT have a meaningful impact on conversion rates.
If you don’t have a problem with user quality then sure, avoid the verification step. But if you have a good reason for the verification step then don’t sweat the drop-off rates.
And more importantly: Treat signups as a leading indicator of success, not the ultimate goal.
Edit: On second reading I see the author is talking about a verification step that requires an admin approval, which could take hours. Yeah, don’t do that.
Also removing that step means that I get 'spam' that contains scary amounts of PID in it.
I'm looking at you, Mint, who sent me someone else's financial data for months and months, and did not have an unsubscribe button (outside of user account preferences).
If a gamer uses my email address to sign up for a service, I'm gonna log into their account and change settings. Or once, in a mood, just delete their account (many services use email address as an identifier, so you can't use that service if someone used your preferred email address). I figure it's like someone accidentally giving out your number in a bar to get away from a creep. You just happened to lose the random digit lottery.
I'm never going to log into someone's financial system to do that. You've crossed a line from petty vigilantism (under duress) into "this is starting to resemble a felony" territory. It took ages to ask the right question of Mint support to get them to do something about it. And really, fuck anyone who puts people in this position in the first place.
If you are sending communications to a user repeatedly, you believe you have a relationship with them whether they want it or not. If you are collecting sensitive data on them, and then telegraphing it in those communications, then verify their goddamn contact information first.
Or, stop trying to have those conversations over unauthenticated channels.
[edit to add: and then there was the lonely guy who signed up for eight+ dating sites while I was in a rough patch with my partner and I had to scramble to unsubscribe lest she think I was planning my escape. Seriously dude, not cool]
The irony is that I finally pushed the issue because I wanted to use Mint.
But as I was trying to express what a bad idea it was and why they needed to do more than just fix my particular issue, I realized that I shouldn't have to explain this at all. And once I started questioning if maybe I was the greater fool for thinking that they would magically sort it out once I was a customer, I just got them to stop sending me someone else's budget information and never talked to them again.
But the internet is full up of stuff like this. That's just the one that was the most memorable.
I feel you. I have {commonFirstName}.{commonLastName}@gmail.com and I get so much email intended for other people. Services that don’t verify email and require you to login to unsubscribe are the _worst_
Slight tangent: A lot of people might not know that periods in the first half of a gmail address actually get ignored when relaying. They're only there visually. Some services don't check for this and you can register multiple accounts with u.ser@gmail.com, us.er@gmail.com, use.r@gmail.com which all get forwarded to user@gmail.com.
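The dot-insensitivity described above is worth handling on the service's side: if signup keys accounts by the address exactly as typed, u.ser@ and us.er@ look like two different users. The following is an added example, not code from this thread, that canonicalizes Google-hosted addresses before the duplicate check; the SignupStore class and the treatment of googlemail.com as an alias of gmail.com are assumptions.

```python
import re

# Google-hosted mailboxes ignore dots in the local part and any '+tag' suffix;
# googlemail.com is assumed to deliver to the same mailbox as gmail.com.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

_ADDR_RE = re.compile(r"^(?P<local>[^@\s]+)@(?P<domain>[^@\s]+)$")


def canonical_email(addr: str) -> str:
    """Return the key under which this address should be stored.

    Gmail: drop dots, drop anything from '+' on, lowercase, fold googlemail.com
    into gmail.com. Other providers: keep the local part as typed (RFC 5321
    lets it be case-sensitive) and only lowercase the domain.
    Raises ValueError for input that is not of the form local@domain.
    """
    m = _ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"malformed address: {addr!r}")
    local, domain = m.group("local"), m.group("domain").lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


class SignupStore:
    """In-memory stand-in (assumed) for an accounts table keyed by canonical address."""

    def __init__(self):
        self._accounts = {}

    def register(self, addr: str) -> bool:
        """Create the account; return False if the canonical key is already taken."""
        key = canonical_email(addr)
        if key in self._accounts:
            return False
        self._accounts[key] = addr  # remember the address as typed for sending mail
        return True

    def lookup(self, addr: str):
        """Find the originally registered address for any variant of addr."""
        return self._accounts.get(canonical_email(addr))
```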
Just flag them as spam. This hurts the service's deliverability. Enough flags and they'll get blacklisted. Services should always at least verify that you can receive the email (by sending a confirmation link) before they start sending you information or even creating a valid account.
My wife has [uncommonFirstName]@gmail.com as her e-mail address. Her uncommon first name is still sufficiently common that she gets a lot of other people's e-mails.
This has happened to me a number of times. I'm currently subscribed to an elementary school parent system for someone else's kid. So I get emails every so often about the child being tardy or absent. There's no way for me to stop these emails or communicate with the school or the parent. I gave up and just archive the emails as they come. They'll graduate eventually right?
Same deal with dating websites and job search sites; I had a guy use my email to sign up for what must have been a job aggregator. I found out about 15 different websites had "10 new opportunities waiting" for me.
It boggles me that there is no double opt-in for something like your children's school attendance.
Ah, PayPal managed to let someone set my email address as their primary email address without any verification.
Unfortunately, I wasn't able to recover and delete their account because I didn't have any of their other sign-up information. You make a good point about this action resembling a felony.
The client or the business? Often this sort of thing is spoken over the phone and keyed in by a distracted staff member. Maybe the customer doesn't even know they're meant to be getting emails.
Like the credit card statements I am getting from an Indian bank with no contact apart from an international phone call to India which I will not be making. And I can tell you the default encryption passwords they use on their PDF attachments are not particularly secure.
Following on to this and hopefully making it more explicit: your goal should typically be to accelerate users towards their "magic moment" (the moment when the value of your software clicks, they get it, and they suddenly can't imagine living without it), as quickly as reasonably possible. A couple of companies that did a great job at this:
- Slack used to (they still might, I just haven't created a new workspace in a while) have Slackbot message you to set up your profile so that you're literally using the software as part of onboarding.
- Aircall has you get a phone number and place a call directly from your browser, then use your phone to call that number back and have it ring in your browser.
Focus on the path to that magic moment first, ensuring that users who do sign up have an incredible onboarding experience and understand the value.
Otherwise, you're just pouring water into a leaky funnel, and you might end up even worse off. You'll spend the same amount of time and money on support for your leads, but few of them will ever convert to dollars.
Absolutely. I've always been impressed with software that lets me get the magic moment first. E.g., online visual design programs that just let me try the tool in a sandbox. Or the way GitHub lets you examine and download software without ever signing in. I'm much more likely to give somebody something valuable (e.g., my contact details) if they've given me something valuable first.
You definitely need to think carefully about friction for repeat users on this kind of thing, though... definitely Slack is a peculiar case because of their mind-numbing user model that leads you to having multiple accounts, but I do consulting and as a result frequently get added to other companies' Slack workspaces. The deluge of "helpful" messages from Slackbot sent repeatedly in each workspace is absolutely maddening and is one of the big reasons behind my hating Slack.
You also see a similar thing with mobile apps that have a forced tutorial/onboarding intro.
Just keep in mind that everything that you force users to do as part of onboarding is going to be annoying, and especially for users who onboard multiple times for whatever reason. Even just mobile apps repeating their first-use tutorial when you get a new phone is enough to drive a man to drink.
Yes, this is a good point. Getting the user to their magic moment is not the only thing that matters for all customer engagement, it’s just the primary focus for new customer acquisition.
This reminds me of the phrase “don’t sell past the close.” Once you have the user, focus on keeping them not selling them further. Many services have a way of saying “I’ve used this before” to skip the tutorial, for example.
Regarding the problem of repetitive Slack onboarding messages, I recently created an email filter rule that I think should solve it for me. In Gmail filter syntax:
Matches: from:(notification@slack.com) "you have a new direct message" "from your conversation with Slackbot"
Do this: Skip Inbox
This rule might be harmful if Slack ever sends both Slackbot DMs and real-user DMs in the same email, but my guess based on emails I’ve received in the past is that Slack doesn’t do that. Before activating this rule, you can search your own email history to see if any useful emails you received in the past would have been hidden by this rule.
As someone who receives new subscriptions daily from people around the world mistyping their email address (or intentionally entering an address they don’t own), I ask that you please DON’T remove the step of verifying people’s email address!
Yes! Every time you sign up with an email you should have to verify. There's someone who consistently uses my email to sign up for all sorts of things (nearly every piece of mail has his name attached to it). It's actually quite sad, he seems to be going through hard times right now, and started signing up for what are obviously get rich quick scams.
When I used gmail I used to have this problem regularly. I just marked every single email I didn't intend to receive as spam which hopefully lowered their rank.
> If you don’t have a problem with user quality then sure, avoid the verification step. But if you have a good reason for the verification step then don’t sweat the drop-off rates.
If you have any contact method for the user (email, SMS, phone) you should be doing some level of verification on it. Users are clumsy, some of them don't know or mistype their own email addresses, phone numbers, etc. Verification ensures you're talking to the person you expect to be talking to.
> It’s a good lesson but let’s not forget that completing the signup is not the goal in itself. If you look at post-signup user activity you will find many users stick around for a few minutes and then leave, never to return again.
I may be the only one with the following experience so please bear with me.
I use LastPass to generate passwords and save my credentials to use on websites/apps. While for many sites I will never use the site again, in some cases after some time I find myself back on a site I had registered on before.
It may be because the site has added new features or it could be because my condition has changed. (I would like to say I came back because of the work that the website owners did in marketing/new features etc).
I am not involved in this sort of thing from day to day but I think that one should also track "she disappeared for a year and a half and has just now logged back in"
That happens a lot. You just get counted as a new ACTIVE user, which for the reasons described in my first comment may be a better success indicator than signups.
Actually that’s why I run “thaw campaigns” to reactivate past (now inactive) users. Something as simple as a reintroduction email to users who’ve been inactive for 6+ months, calling out new features and benefits and success stories. It brings back a lot of people like you, whose situations changed and might now have a use for the product.
I use LastPass as well, but they have crippled their free-tier product. You used to be able to view/generate passwords in their Chrome extension, now you have to go to the website to view a password. Worse yet, the website is unusable on mobile. I would not recommend it to anyone now.
On the subject of email verification: why not split the difference? Verify, but give 24 or 48 hours' grace?
I noticed you said "meaningful" impact and not "no impact". If you're optimizing, this seems like the best of both worlds: the slight increase in conversion and the security of verified email?
> let’s not forget that completing the signup is not the goal in itself
Good point... unless you're someone who's been incentivized by a higher up to optimize for this metric because that person or someone above them (maybe a VC) forgot this!
About a year ago, I started in on trying to establish myself as a Trial-to-Paid expert, since it was a thing I had a fair amount of experience with, wasn't especially well understood or appreciated, and had _significant_ benefits.
Professional and personal life obstructed this, and I've since moved on, but I'm glad to see _someone_ preaching that signup optimization isn't the holy grail.
The best and most simple onboarding process I've ever experienced was with Expensify. I don't know if it's still like this, but you just enter your email address and you're in... your account is running and you're logged in. Everything else can be figured out later.
Bots? Idle new accounts are probably deleted after a number of days. Password? A reset/creation link can be sent to your email the next time you try to login. Payment? That's only important if you're going to use the software -- it can be handled when appropriate.
Unless your service has some major expense or limited resource associated with account setup (ex. assigning the user a new phone number), I would love to see more signups like this. The lack of friction made me feel so happy as a customer and I instantly had a positive impression of the service because it already felt like it was adding value by making my life easier. I wouldn't be surprised if this also has a positive impact on their conversion rate.
That's fine as long as you send a welcome email immediately that says "If you didn't create this account, use this link and you'll never get another email at this address".
I've seen services forget that, and then it's possible to sign up with someone else's email address, use the account, and have someone else get spammed or harassed. That needs to be part of your threat model. "What if a bot signs up" is about protecting your service and people using it. "What happens if someone signs up with someone else's information" is about protecting other people, who may have nothing to do with the service.
I don't know who gives that advice, but it seems poorly thought out. Email providers already tell people sending email when an address is real or not. You clicking the link would tell them you read your email.
I'm also not sure what you're afraid of. If your account has been in existence for long enough, you already get a lot of spam. It just gets blocked or filtered. The vast majority of your emails that actually get to your inbox are from people trying to do the right thing, not people trying to screw you over.
> Email providers already tell people sending email when an address is real or not. You clicking the link would tell them you read your email.
My bad for lack of clarity.
I meant whether the address has a person reading it, making it a more valuable target, perhaps added to a commercially sold database.
I don't know if or how much this happens. But it's obviously an available signal.
> If your account has been in existence for long enough, you already get a lot of spam.
True! I got 6000 spam a day at one point. Thankfully it went down to 1000 a day and has slowed since.
> It just gets blocked or filtered.
Unfortunately not so well. The vast majority is filtered, but that still leaves too much getting through (I got about 80 in the last 45 hours), and in conjunction with such a high level of false positives that good things go to the spam bucket, a problem both as a recipient and a sender.
Gmail is not immune either; I often find critical false positives in my Gmail spam folder.
Spam is not a solved problem, and the solutions are causing other problems.
I don't have solutions, but I don't agree that it's "just" blocked or filtered. If only email was that reliable!
Email deliverability was part of my job for around 8 years. Providers will absolutely send you a bounce message (via the return path email) if an inbox does not exist. Or even if it is full.
The messaging is not standard so you have to do all sorts of special case parsing because each provider can give a different message. And ignoring these messages will hurt your ability to deliver email.
So if your plan is to hide your address from people, again, I don't see the point.
I believe there's value to marketers to know "this email address somewhat reliably hits a human's eyeballs" as evidenced by a click-to-unsubscribe or click-to-refute action as a stronger signal than "well, we didn't get a bounce".
"Email providers already tell people sending email when an address is real or not." suggests a level of reliability of signal that simply doesn't exist. I have an infinite number of email addresses that you could send to, which would not give you a bounce, and none of which will reliably land in front of a human's eyeballs.
Far too many websites don't do this. A lot of people seem to think that my Gmail address is theirs, so I end up signed up for a lot of email lists.
I'm sure Apple is good about this now, but many years ago someone had used my Gmail address for their Apple ID. I wanted to switch my Apple account to use my Gmail, but couldn't because someone else's account used it. Support told me they couldn't do anything about it. I don't know why it didn't occur to me to do this first, but I just reset their password, changed the email address to something else, and reclaimed my email.
> I just reset their password, changed the email address to something else, and reclaimed my email.
I understand it’s the other user’s fault for using your email address in the first place, but I wonder if you could have contacted them to warn them about the change (since they would lose access to their Apple account instantly, with no recovery option). I’m not blaming you. I’m just wondering how it would be done, if needed.
I assume that user, when signing up with your email, either a) made a mistake, b) was being unhelpful, or c) didn't understand the whole email/ID concept.
I've been on the receiving end of a similar thing (but with a gaming website), and there's a flaw with your logic: How would you contact them? The email address they used is yours, it's not like you can just send them an email, you don't have their address.
For eight years, I've been trying to get my email address out of Xfinity's databases. The customer support team literally can't find my email address in their system and I still get emails. They passed my case on to engineering and they can't find it either. Not only have I never been an Xfinity customer, I've never even lived in an area where I could have been an Xfinity customer. Thankfully, the emails are few and far between now.
From what you said it appears every single one of their emails is a violation.
I don't know how much time it will take you to actually pursue that or whether it will be worth the time, but I'm sure lots of people will be very happy if you make Comcast lose a bunch of money.
Yes, I do have a filter for them. But it's still annoying since it's just shifting the problem -- now I have a growing list of filters to maintain. But I appreciate the suggestion.
I fully agree. A while ago, I registered a domain name consisting of adjacent keyboard letters and set up a catch all email address (huge mistake). Next, I got roughly 1000 mails per week, of which fifty were promotional offers sent to "my" Verizon accounts. Of course it is impossible to reach any human being at Verizon to get this fixed.
That's not what I was suggesting at all. If your service actually sends people emails (other than, say, password resets), then you still need them to follow a "verify your email" link before sending them mails other than the single "welcome" message containing that link. I'm just saying that you don't need to wait for email verification before letting people make and use an account, as long as you don't send them any more emails beyond the welcome message.
Many services don't send regular emails, and only ask for an email so that 1) everyone has a unique identifier without having to make up a unique username, and 2) they can do password resets. For such services, the procedure above makes sense to reduce friction.
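The procedure described here and in the earlier comment about a welcome mail carrying an "if you didn't create this account" link can be made concrete as follows. This is an added example, not Expensify's or any commenter's code; the HMAC-signed link tokens, the AccountMailer class, the refusal of signups for addresses whose owner already clicked "not me", and the set of message kinds allowed before verification (welcome and password reset) are all assumptions.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"placeholder-secret-load-from-config"   # assumed

# Kinds an unverified address may still receive (assumed policy): the single
# welcome mail and password resets the account holder explicitly requests.
ALLOWED_UNVERIFIED = {"welcome", "password_reset"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(action: str, email: str) -> str:
    """Bind an action to one address so a link cannot be forged or retargeted."""
    body = _b64(json.dumps({"a": action, "e": email}).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def parse_token(token: str):
    """Return (action, email), or None when the signature does not check out."""
    try:
        body, sig = token.split(".", 1)
        given = _unb64(sig)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None
    payload = json.loads(_unb64(body))
    return payload["a"], payload["e"]


class AccountMailer:
    """Assumed in-memory stand-in for the account and suppression tables."""

    def __init__(self):
        self.verified = set()
        self.suppressed = set()
        self.outbox = []   # (email, kind, extra) that would be handed to the MTA

    def signup(self, email: str) -> bool:
        """Create the account right away; the only mail sent is the welcome mail."""
        email = email.strip().lower()
        if email in self.suppressed:
            return False   # the address owner already said "never again"
        return self.send(email, "welcome", {
            "verify_link": f"/confirm?token={make_token('verify', email)}",
            "not_me_link": f"/confirm?token={make_token('suppress', email)}",
        })

    def send(self, email: str, kind: str, extra=None) -> bool:
        """Gate every outgoing message on the address's state."""
        if email in self.suppressed:
            return False
        if kind not in ALLOWED_UNVERIFIED and email not in self.verified:
            return False   # digests, notifications etc. wait for verification
        self.outbox.append((email, kind, extra or {}))
        return True

    def confirm(self, token: str) -> str:
        """Handle a click on either welcome-mail link."""
        parsed = parse_token(token)
        if parsed is None:
            return "invalid"
        action, email = parsed
        if action == "verify" and email not in self.suppressed:
            self.verified.add(email)
            return "verified"
        if action == "suppress":
            self.suppressed.add(email)
            self.verified.discard(email)
            return "suppressed"
        return "invalid"
```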
I still wouldn't want someone else to be able to register for some service using my email. What happens if I want to use the same service in the future?
That happens to me all the time as I have a very generic email address (one of the first users of Gmail). Someone seems to have registered on Facebook with my email and now I can't disassociate it. People searching me by my email address on Facebook end up with that random guy.
Works great for those who are used to it, but I know lots of people get confused.
They don't think "Reset password" applies to them. Why should they reset their password when they next log in if they never made one in the first place, etc...
I had a similarly fantastic experience with Mullvad. I just clicked the big "Generate Account" button, and that was that. No email, no password, no sign up page whatsoever.
Know your target audience too. I'm not sure if I'm it, but reCAPTCHA gives me enough friction that I often abandon pages with it. Simply using Firefox's antifingerprinting feature plus some ad/tracker blocking is enough for it to be miserable every time.
Nobody here is talking about the elephant in the room where reCAPTCHA (and hCAPTCHA has the same problem) is concerned:
The other day when Google was having issues (the same day that a bunch of Android apps were crashing due to a bad map data push), I was unable to log into my bank, unable to pay my electric bill, and a half dozen other things I needed to do that day.
Because Google's servers were down, core service providers were unable to do anything either because they block access to their site without recaptcha approving the entry.
To me, as a technologist, as a builder of software, this is absolutely and entirely unacceptable. Captcha needs to be something you can self host.
I don't understand this habit of handing Google a knife and then telling them where to stab you.
I'm going to guess people aren't typically talking about it for a few reasons:
- We started out with self generated and self hosted captcha. It was too easy to beat. Complexity of the image generation turned up until eventually it was easier to just outsource it to someone else. Going to throw out a guess here that reCAPTCHA is far from simple, and likely exceeds what most teams would want to run internally.
- Google has an uptime that's significantly higher than most companies. I'm not defending any of Google's habits or business practices, but I personally wouldn't bet that most companies can run software more reliably than Google.
- As someone else mentioned, fail open is an option in situations like these (depending on the threats you're trying to protect against). For something with a high probability of failure, this could make sense, but I would have a hard time imagining a team allocating time to deal with the case "when Google is down" unless it's truly life or death software (think: surgical robots, autopilots, etc)
Why was self-generated and self-hosted captcha easy to beat?
I found that generating math questions in a captcha style (curved / with other noise drawn over) and requiring the questions to be answered in a box is unbeatable. The bad actor would require very good OCR and after that also a good math parser to answer. Easy for a human, very hard for automation. And the script that did that was like 50 lines long.
"Easy for a human" is very subjective. Users very regularly have a hard time with all forms of image captcha for a whole bunch of different reasons: visual acuity, color deficiency, learning disability, unclear instructions, visually similar characters, etc. If you allow users to refresh the image until they see an easy one they might be able to overcome it themselves, but some percentage of those users will get frustrated and leave. Not to mention allowing regeneration of images also makes it easier for bots to cycle until they find one they're confident in. Surely if there were a dead-simple-for-humans, difficult-to-beat-for-bots, 50-line-script option for CAPTCHA generation that could be self-hosted, it would be in wide use.
reCAPTCHA changed to its current model to try to significantly reduce friction in the "hopefully normal" case (down to just a check box if all goes well) because every ounce of friction you add to critical inflection points in your product translates to meaningful lost opportunity.
Even if this wasn't a problem, and it were trivial to create something that's easy for humans and hard for computers, it's just not worth most companies' time. Would they rather spend a few days properly implementing and testing a captcha solution, then whatever unknown time on future bug fixes and support, or set up reCAPTCHA in 30 minutes and move on to things that produce value for their customers?
I see that as an absolute win. If you're having problems understanding simple math questions then I won't want you as my user in the first place. Morons out.
As for visually impaired ones, I agree this one is harder to crack. Usually you do it by audio, which in itself is more than 50 lines of code, but here is my personal approach. Absolutely nothing is stopping you from having, for visually impaired ones, a separate step like the one described in OP, where you have activation by mail. You see, visually impaired users have infinitely more patience than normal "visual" ones. They are used to the web not being friendly, so they won't mind going through extra hoops if they want your service. So a checkbox saying "I am visually impaired and I want registration by e-mail" or something equivalent and you're good to go.
Only if the probability of failure makes the extra effort worth it. Since this is a pretty rare event, a sensible person could well wait until they see actual impact before putting in the work. Hypothetical problems always vastly outnumber actually experienced ones.
It's surprising to me that on-prem reCAPTCHA isn't a service that seems to exist (based on a quick search).
Even if it's not Google's reCAPTCHA - is it so hard to make something like this that only Google can provide it? Surely the big players would want this component under their control exactly for reasons like "we don't want to have an outage due to a provider outage". Or at least, fail over to a less-preferred backup. Like if Cloudflare had such a service.
Cloudflare looked at the options (including building their own) and moved to hcaptcha (but mostly because Google wanted to charge them money), so it must be hard at that kind of scale, since bot writers are monetarily incentivized to defeat the captcha.
Spread the word. The more we are saying this, the more developers will think "We have a problem, but reCAPTCHA is not a solution for this problem. reCAPTCHA spies on our users and makes them waste their time, while our first goal is to respect them. I support people who run away from tracking and reCAPTCHA makes their lives miserable. We can't use this. And by the way, I myself hate checking road signs and shop fronts, I'm definitely not inflicting this curse on even a very small fraction of my users".
My bank once required me to fill a reCAPTCHA to change my password. Yes, Google's tracking on my bank's website. I asked my financial adviser to reset my password for me to increase the cost of using reCAPTCHA for my bank. I told them it didn't work because of reCAPTCHA not working on my computer, which is actually true because I block it.
>> reCAPTCHA spies on our users and makes them waste their time, while our first goal is to respect them
Some are using reCAPTCHA to detect bots, but I see many sites that appear to be using it specifically to slow down users. Users are to be respected but customers are to be mined for their money. Sometimes that means making things more difficult than is strictly necessary. If an onerous reCAPTCHA is required to delete an account or qualify for a price discount, so be it.
There is a reason it is so much more difficult to find one's way out of a casino than it is to walk in.
You could embed a very-lightweight crypto-miner script into the page, with explicit UI acknowledgement (i.e. it starts when the user presses the "Verify" button, it displays that it's working and how hard it's working; and it runs until it produces exactly one target hash, at which point it clearly stops), and targeting an artificially-tuned difficulty such that a regular PC should be capable of completing in a minute or two (rather than trying to actually mine for any real blockchain network, which would require absurdly-high hash power.)
This is basically how "e-stamp" system proposals were supposed to work for email; but they never took off because email is an ossified system. The web is not ossified; individual websites are free to implement something like this.
If you're worried about spammers just throwing a GPU farm at the problem: the overlap between spammers and people who own crypto-mining operations is small; and the people who own crypto-mining operations have much-more-profitable things to point them at. So this should mostly stymie spammers—individuals will be okay with sitting around on the page for a couple minutes to complete the action, but it'll throttle spammers' actions way down, to the point where it's mostly not worth it to attack that site any more, vs. some other site (i.e. it'll have the same relative-deterrent effect that putting a club on your car does.)
You could even frontload the work, turning it from a proof-of-work system into a proof-of-stake system. Have the user "buy in" with a large hash workload during user registration; and then trust them from then on. (This is the better approach for a mobile app: direct them to register on the app's website on a PC, and then you can trust that user on the much-lower-powered mobile device, despite that device never generating a token.)
-----
An effectively strictly-equivalent approach is to just charge the user a dollar to complete certain actions.
One famous example of this is the SomethingAwful forums, where registrations cost $10. You can register as many times as you like—i.e. if your account gets banned, there's nothing stopping you from just coming right back again—but you'll need to pay another $10. Seems to work fine, in terms of making it too costly to keep doing anything the site bans people for.
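The hash-puzzle gate sketched in the comment above, as an added example rather than code from the comment: the server issues a signed challenge, the client iterates a counter until SHA-256 over the challenge and counter has the required number of leading zero bits, and the server verifies while rejecting expired and replayed challenges (without the replay check a single solution would be reusable without limit). The server key, the challenge format, and the difficulty_for calibration helper are assumptions; the frontloaded "buy in at registration" variant is not covered.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = b"placeholder-key-replace-in-production"   # assumed


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the puzzle's 'difficulty' measure)."""
    n = 0
    for byte in digest:
        if byte:
            return n + 8 - byte.bit_length()
        n += 8
    return n


def issue_challenge(difficulty: int, ttl_seconds: int = 300, now=None) -> str:
    """Server: 'salt:difficulty:expires:mac'. Signing lets the server stay stateless
    until a solution is redeemed and stops the client from lowering the difficulty."""
    now = int(time.time()) if now is None else now
    body = f"{os.urandom(16).hex()}:{difficulty}:{now + ttl_seconds}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"


def _digest(body: str, counter: int) -> bytes:
    return hashlib.sha256(f"{body}:{counter}".encode()).digest()


def meets(challenge: str, counter: int) -> bool:
    """Does SHA-256(challenge body || counter) reach the required leading zero bits?"""
    body, _mac = challenge.rsplit(":", 1)
    return leading_zero_bits(_digest(body, counter)) >= int(body.split(":")[1])


def solve(challenge: str, max_iterations: int = 1 << 24):
    """Client: brute-force the counter; expected cost is 2**difficulty hashes."""
    for counter in range(max_iterations):
        if meets(challenge, counter):
            return counter
    return None


class Verifier:
    """Server-side redemption; self.used stands in for a TTL-keyed store (assumed)."""

    def __init__(self):
        self.used = set()

    def verify(self, challenge: str, counter: int, now=None) -> str:
        now = int(time.time()) if now is None else now
        try:
            salt, difficulty, expires, mac = challenge.split(":")
        except ValueError:
            return "malformed"
        body = f"{salt}:{difficulty}:{expires}"
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return "bad-signature"      # tampered salt, difficulty or expiry
        if now > int(expires):
            return "expired"            # bounds how long a precomputed solution lives
        if salt in self.used:
            return "replayed"           # each solution buys exactly one submission
        if leading_zero_bits(_digest(body, counter)) < int(difficulty):
            return "insufficient-work"
        self.used.add(salt)
        return "ok"


def difficulty_for(target_seconds: float, hashes_per_second: float) -> int:
    """Largest difficulty whose expected solve time (2**bits hashes) fits the target."""
    bits = 0
    while 2 ** (bits + 1) / hashes_per_second <= target_seconds:
        bits += 1
    return bits
```

Solve time has a geometric spread around the expectation, so the tension noted in the reply below between a difficulty that delays every real user and one that costs automation nothing applies to the tail as much as to the average.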
I like the cleverness and simplicity of the bitcoin mining approach, but the tradeoff between "takes too long, damaging our signup flow" (where anything more than 5 seconds is likely to have a material impact) and "doesn't take long enough, making it too cheap for bots to proceed" may be quite tricky.
Charging a buck is extremely simple, and fair. The SA example tickles me.
I wonder if the folks who dislike reCAPTCHA would be willing to choose to pay $1 if given the option between the two.
My assumption is already that reCAPTCHA is not a solution. Your question would, then, be "Is there a solution".
You may not agree and I respect this, but this is actually my point (and I don't have an answer to this question - I wish I had, though, and you have a point!).
I wish that people would soon stop thinking that reCAPTCHA is a solution at all.
Then it will open people up to start thinking hard on this problem and hopefully find good solutions that fit their exact situation. There may not be one size that fits all, but many good solutions, one for each situation. We would not know without thinking.
I wonder if you could ask the user to trace a shape/pattern with their mouse? Or you draw a few animating dots with a canvas, and ask them to click the blue ones?
Fundamentally, though, you likely either piss people off by challenging their humanity, or violate their privacy by silently tracking their behavior, or break accessibility by evaluating the way they interact with your site against "normal" (bad for folks with screen readers, lynx, etc I'd assume).
There won't be a solution for long. AI is making great progress on this part of the Turing test. You can only solve this (for how long?) by making the test harder for real humans, and that adds friction.
If you want to solve this legal is your best bet. Make the things bots are doing illegal, and then track down the owners. It is hard but the criminal system is the only thing we have.
Since solutions for recaptchas can be purchased, I'm starting to wish I could just pay the market rate (< $0.01 each) instead of having to solve the damned things.
Then you may not have the problem deeply enough to need the solution. It depends a lot on the context (B2B vs B2C), but I've experienced that the B2B customers who won't sign up without an absolutely free trial are much, much less likely to convert anyways, to the point where it's not necessarily worth the effort for sales + support.
Yeah I think there’s a general lack of understanding that leads inexperienced product people to believe that friction is always bad.
Good friction (verifying emails, asking a question in the signup form, collecting a CC upfront) can result in more paying customers as you’re optimizing your experience towards people who are actually interested in buying your service.
Rather than trying to cast a wide net and wasting resources on poor leads who want zero friction.
I don’t understand. The only reason it would be beneficial to ask for the credit card now instead of later is if you’re hoping the customer simply forgets to cancel. It signals to me as a customer that you’re not confident that your free trial will convince me to pay.
Suffice it to say, this has been heavily tested by thousands of businesses, and there's hard data behind many of those that land on requiring a card on file up front that has nothing to do with hoping people forget to cancel. It's about activation rates. If your service requires the user do some initial setup work to get value from it, like integrate your whatever into their website, they're MUCH more likely to follow through on that work after having given you a credit card to sign up (and perhaps had to discuss with their boss or IT dept or whoever to approve using the company card).
I have yet to use a service with this pattern that requires you to click an "Alright, start charging me $15/mo" button once their free trial expires. That would obviously be the most user-friendly thing to do.
So, without that step, you can't say "has nothing to do with hoping people forget to cancel."
As someone who has implemented similar CC blockers before: people who forget to cancel leave after one month, leave bad reviews which affect future growth, and make churn numbers bad. I do not want many of those people, and will both send multiple reminders that they will be charged and refund them no questions asked.
But for any business that requires some amount of human support for users, it can be much easier to convert 15 out of 100 signups than out of 1000.
Sometimes it is used as a verification of "uniqueness", since someone could sign up for multiple free trials using different emails. Not a problem for most products, but can be a pain.
We ask for the cc now, but then still get a final confirmation before charging. The idea being that we won't charge you for forgetting, but you are also showing some interest by being willing to put the card in, and when it comes time to decide to pay, it's only a button press away and they don't even have to dig out their cc.
The ease of conversion is definitely a component. And that has a few parts. Maybe you hope that people forget they don’t want it (like you said). There’s also hoping they don’t forget they do want it. People are pretty lazy and forgetful.
There are other components. Credit card entry acts like a captcha, but it’s actually a useful part of the process (unlike clicking street signs).
And the marginal cost of a free trial is low, but it’s not zero. If I can have less free trial customers but end up with similar paying customers, that’s a win.
In B2B, it could be that the person who wants to try out the service is an employee of a company. He/She needs to first test the service before trying to convince their manager (or the company) to subscribe. Such people might not have a corporate credit card to put in, could be company policy that such subscriptions are handled by a different department. They might also not wish to use their personal credit card for corporate services.
For large values of B, in B2B, employees have corporate cards with discretionary spending, so that's something to consider. A SaaS product with annual purchasing, priced just under the discretionary spending limit (read: an employee can buy this and their boss will just rubber-stamp the request and not even give it a second thought), is a far easier purchase. However, if corporate has to get involved, the effort is approximately the same whether it costs $1,000 or $10,000 because a bunch of people have to get involved, committees formed, and studies done.
This issue came up for me recently when signing up for Audible. You get 1 free audiobook/month but have to verify a credit card before the free trial month. I imagined this was to cut down on users who sign up with throwaway accounts to get free books. What gets me is you can buy $10 prepaid credit cards and sign up repeatedly anyway, spending your $10 elsewhere. Completely opposed to the practice, however, when it enrols you in automatic payments which you have to opt out of before your free trial expires.
Have you tested this? Prepaid cards usually don't support subscriptions, which is a way of avoiding that. (I work with handling online payments, and tried this before, but it failed for my test-case)
I hear you, but do you have another solution to fix spammers invading a system? reCAPTCHA is annoying but I understand what it solves, I do type away.. And it’s true, sometimes I give up too.
What is your threat model? What's the worst thing a spammer can do if they sign up? For most websites, what spammers can do is very limited, so why are you expecting spammers to sign up in the first place?
If you really think a captcha is necessary, limit it. For example, only require a captcha for two account registrations within a 24h period from the same IP. Don't require captchas for logins unless a reasonable limit of attempts has been exceeded (5 wrong passwords within 24h by the same IP, for example).
If your site is small, a captcha is often overkill. A hidden input can trick pretty much any automated spam bot (if the input is empty, real user; otherwise, bot). Just make sure you do enough research so accessibility readers also work with that field properly.
If a spammer targets you, you can always activate a captcha manually, although by the time you realize it, it might be too late.
Keep in mind that a captcha only adds friction to the spammer (and users). Bypassing reCAPTCHA is possible for any motivated spammer for only a few cents/captcha. There are services that have humans in developing countries solve them for you. Coupled with a headless Chromium, you can easily build a reputation so that Google will let you through. For testing credit cards, this setup is definitely used and most likely worth it. So a captcha will not always save you from bots.
Also keep in mind that Hacker News does not have a captcha and the amount of spammers is minimal.
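The limits suggested in that comment (honeypot field, captcha only for the second registration per IP per 24h, captcha on login only after 5 failed passwords per IP per 24h), as an added example that is not the commenter's code. The in-memory sliding windows, the class and method names, and the honeypot field name are my assumptions.

```python
"""Lightweight spam gate for a small site: honeypot + per-IP limits.

Added example, not from the thread. It encodes the rules of the comment
above: reject submissions that fill the hidden honeypot field, demand a
captcha only from the second registration of one IP within 24 hours, and
only after 5 failed logins from one IP within 24 hours. Sliding windows
are kept in memory; a real deployment would back them with a shared store.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Mapping

DAY = 24 * 3600

# Hidden with CSS (not type=hidden, which bots tend to skip) and given a
# visible label such as "Leave this field empty" plus autocomplete="off",
# so screen-reader users and browser autofill do not trip it.
HONEYPOT_FIELD = "website"


class SpamGate:
    def __init__(self, reg_limit: int = 2, login_fail_limit: int = 5,
                 window: int = DAY) -> None:
        self.reg_limit = reg_limit            # n-th registration needs captcha
        self.login_fail_limit = login_fail_limit
        self.window = window
        self._regs: Dict[str, Deque[float]] = defaultdict(deque)
        self._fails: Dict[str, Deque[float]] = defaultdict(deque)

    def _live_count(self, q: Deque[float], now: float) -> int:
        """Drop events older than the window and return what is left."""
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def check_registration(self, ip: str, form: Mapping[str, str],
                           now: float) -> str:
        """Return 'reject', 'captcha' or 'allow' for a signup POST."""
        if form.get(HONEYPOT_FIELD, "").strip():
            return "reject"                    # only a bot fills the hidden field
        # The first registration from an IP is free; from the reg_limit-th
        # (default: the second) within the window a captcha is required.
        if self._live_count(self._regs[ip], now) >= self.reg_limit - 1:
            return "captcha"
        return "allow"

    def record_registration(self, ip: str, now: float) -> None:
        self._regs[ip].append(now)

    def login_needs_captcha(self, ip: str, now: float) -> bool:
        return self._live_count(self._fails[ip], now) >= self.login_fail_limit

    def record_login_failure(self, ip: str, now: float) -> None:
        self._fails[ip].append(now)

    def record_login_success(self, ip: str) -> None:
        self._fails.pop(ip, None)             # a correct password clears it


if __name__ == "__main__":
    gate = SpamGate()
    # Constructed sample traffic: (seconds, ip, form body)
    events = [
        (0,        "198.51.100.7", {"email": "a@example.test", "website": ""}),
        (3600,     "198.51.100.7", {"email": "b@example.test", "website": ""}),
        (10,       "203.0.113.9",  {"email": "c@example.test",
                                     "website": "http://spam.example"}),
        (DAY + 60, "198.51.100.7", {"email": "d@example.test", "website": ""}),
    ]
    for t, ip, form in events:
        decision = gate.check_registration(ip, form, t)
        if decision == "allow":
            gate.record_registration(ip, t)
        print(f"t={t:>6} {ip:<14} -> {decision}")
```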
1. Identify a large number of email newsletter signup pages that don't use captcha and which either send an opt-in confirmation message or a welcome message on signup.
2. Identify a target for some kind of account takeover attack. (Assuming you have other details needed for takeover.)
3. Rent botnet.
4. Perform thousands of signups for the target's email address starting shortly before your attack.
If the account's only security notifications (e.g., password reset, etc.) are in the form of emails, the flood of spam will usually keep the target from seeing them until too late.
These are real attacks, frequently seen in the wild.
They must have not been around when proboards/ezboards/phpbbs were regularly taken over by spammers. It could single-handedly kill communities if the admins couldn't keep up.
It's hard for me to take people seriously who rail against recaptcha yet don't seem to realize why we use it nor pitch a real alternative. Or that spammer protection is overrated because their obscure blog doesn't get much spam.
It's easy to enumerate what sucks about something, but you can't just stop there.
>>> What’s the worst thing a spammer can do if they sign up? <<<
Depends on your size and resources. Imagine you're basically scrappy with a very small and tight budget and still trying to validate your idea, and you're using one of those providers that gives you a free quota (like Google App Engine); you don't want 'spammers' to drain your free allotment of resources. I know someone who has a small niche blog in the health sector whose blog was repeatedly targeted by spammers/bots. He repeatedly saw increases in his bills till he had someone audit his blog and try to block the bots.
For a lot of sites, as you mention, it's payments and testing credit cards.
I have found that simply throwing a reCaptcha onto your form forces you to make a bad choice between protecting the user's privacy and creating a mostly-seamless experience: if you don't want most of your users identifying school buses, you need to send all their behavior to Google.
To get around that, I've tried layering a number of different approaches. These include outright throttling/blocking repeated form submissions from the same IP; using a honeypot field; using a third-party email verification/validation service; showing captchas only under certain very restrictive circumstances (heuristics that make a guess/overall traffic patterns); etc. It's more work, and still a bit cat-and-mouse, but at least I don't feel like I'm pissing off every potential customer.
> What’s the worst thing a spammer can do if they sign up?
I have seen spammers signing up just to send a short message via the welcome email ("Hi firstname," -> "Hi check this foo.com,") to their targets. The worst thing that can happen from that is that your domain/email servers end up on blacklists.
If you send a validation email, being targeted by spammers already means a cost increase, messy databases / analytics and maybe even a ban for having sent too many emails at the same time.
reCAPTCHA can already be configured to be invisible and only display if it suspects the user could be a bot.
For the majority of users, they won't see a captcha challenge and it is a seamless experience with no added friction.
Those who have lots of tracking/privacy protections however will more likely be flagged as a potential bot and usually have tougher challenges as a result.
There are other options. Cloudflare just switched to hCAPTCHA [0], and proof of work [1] can be effective enough. Aside from those, there's always the option of just leaving it open if there's nothing costly a spammer can do. They're unlikely to use the service itself and associated resources.
I don't have much experience with hCAPTCHA, but my biggest complaint with reCAPTCHA aside from the privacy aspect is that it quite literally tells me I'm wrong on a puzzle when I've done it correctly. It forces me to go through sometimes a dozen or more iterations before finally allowing me through.
With ReCaptcha 3, most users won't notice any captcha at all. Reducing friction to zero for the majority of users is a huge advantage vs other solutions.
That's true, although Google's own recommendations are to add the scripts on every page.
>reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.
A privacy minded programmer/company might restrict the scripts to the minimal set of pages, but I'd imagine most sites would blindly follow that advice and put it on every page because they think more data = better.
I used to run a forum for an indie videogame with a small but passionate userbase. Unfortunately it was completely overrun by spambots to the point that moderators couldn't keep up and they drowned out the real posts. We had to shut it down.
Anything with a chat/comments section will be overrun with spam-bots and be rendered unusable and unwelcoming. The difference between a bot-ridden comments section in a blog and a clean one is huge.
There are lists of companies with workflows like this that get used in spam campaigns. You can put any email address in and now they will get a signup notice and multiple 'hey you didnt complete our workflow!' marketing messages. Easy way to put a lot of useless messages that mostly pass spam checks in any mailbox you desire.
I recently had an incident with Chime Bank like this, where someone enrolled every public email address at my company with them. I sent them an abuse report and they told us to block their domains. Real great solution, guys.
True that! Had a discussion along that line just earlier today about the contact us function on my website. Worst case, I get some more mails in my spam folder. I can live with that, checking it every two weeks or so doesn't hurt.
I don't know about everyone else, but a few months ago reCAPTCHA was getting so hard that I was routinely failing it. Now the hardness seems to be scaled down though (they removed the addition of noise into the picture, I believe).
> I'm not sure if I'm it, but reCAPTCHA gives me enough friction that I often abandon pages with it.
Likewise. It's randomly difficult to get through, and if you have third-party content blocking it just doesn't show up. I just hit back pretty often, just counting the times I knew it was there and was the reason the page wasn't working.
Asking for an email up front is already too much. Let the user use your service, they'll create some "content" or "configuration" in it. Once they do that, they'll want to preserve / persist it, and then you can ask for an email address. They're much more likely to give you a real email address and validate it, because they're already invested.
I'm feeling a bit thick. Regarding the change to the sign-up process...
Originally:
> Users couldn’t get started on their own. They had to first leave their email address and then wait for me to send them an email with a link allowing them to register and start building their Cortado email.
Afterly:
> As soon as users click the submit button, they get an email verification message in their inbox, which they can click on to set a password and get started.
So, what changed? In both cases users have to submit their email address and interact with a(n) (automated?) registration/sign-up email. In the second case there's the added hurdle of a captcha (which sounds worse).
With the first process, they would leave an e-mail and then the author would reach out to them, maybe a few days later and maybe a few weeks later, telling them they could sign up.
With the new process, they go through the signup process immediately.
That, and it basically just works even if you have huge connection jitter, even if you switch networks during a call, etc. Simply put, using it never annoys me. Reliability beats any fancy designer UX every time.
> I sent registration instructions to all of them within 8 hours, but only 6 people clicked the link in that email.
I think they drew the wrong conclusion from their data. I don't think it was the double signup that was the problem, it was the delay between signing up and getting the confirmation email.
I think the real lesson here is that confirmation emails need to be short (addressed in the article) and quick.
I know that if I don't get the confirmation email within about a minute, I give up.
• Let users use the product immediately after registration (if possible). Don't make them wait for the verification email. Can haunt them with pop-ups afterwards to get that verification and double-opt-in.
• Support single sign-on via Google, Facebook, Apple, Twitter, etc.
• When people try to log in unsuccessfully (wrong password), send them an email to log in via a link. This was a big growth hack for Uber to increase reactivation rates.
+1 for single sign-on (as opposed to a gazillion passwords). Why is manual signup still a thing at all? I'd expect people today to start with single sign-on.
I have a fixed priority order, but sometimes they add a higher priority later.... :-/ I think it's typically just used as an authority to confirm the email address, so one could be registered with multiple providers and should still work?
I think the issue with the initial scenario was that verification emails were kicked off manually and took a long, variable amount of time. Verification wasn't the problem, the delay was imo.
I have a <common-name>@gmail.com account and get to see the shitshow that happens when people sign up for services that don't validate email. Many people screw up email entry and end up with accounts outside of their control.
What I see, every year:
- $50-200 of gift cards emailed to me from a guy in Australia.
- Various memberships for gyms
- Various loyalty programs.
- An active airline points program, which sent a password request in cleartext a few years ago.
A corollary to this, don't ask users for information that you don't need.
There are a number of popular web services (Spotify was the most recent) that I haven't signed up for because they keep asking for information I don't want to give them or had to think about, such as gender. Every time I'd start the sign-up process, fill in some information, then be confronted with a question where I wasn't sure what the answer was or why I needed to provide the information, and give up. This even delayed me creating an email account by about a year.
>>> don't ask users for information that you don't need. <<<
Agree. This is especially important today where information is being traded without user's knowledge.
Asking for information you don't need automatically makes privacy conscious folks suspicious of your site/service.
It also gives the impression that you (the business/service) haven't 'thought' through your process (maybe you just did a copy and paste from a template somewhere)
Is there any data on whether this information is even accurate when it's filled out? I just fill out these kinds of fields randomly. Every. Single. Time.
I highly recommend reading "Don't Make Me Think, Revisited: A Common Sense Approach to Web Usability". It doesn't take long to read but is packed with wisdom. It covers the points that Ben makes in his blog post.
I don't really see the useful insights that the article tries to provide. Yes, if the user wants to register and you send the confirmation email now instead of 8 hours later, it will be better. Yes, having more steps to sign up results in lower conversion rates, as each new step is a new chance for the user to drop. Keep in mind that you also have to convert relevant users; otherwise you would just end up with a bunch of inactive accounts, which is not good, at least not if your goal is more than collecting emails.
One of the biggest mistakes I constantly see is that they require an email for you to even see the product or what it does. All this leads to is me never seeing your product. I'm sure you spent a lot of time on it, but I get too much spam as it is. I don't need more just to figure out what you're trying to sell me. I mean, that's your job: to sell to me.
It honestly amazes me how often I see this. No screenshots or even a description. Maybe a line or two and the page looks mostly like an email scraper. SELL ME YOUR PRODUCT.
I clicked on Try it free expecting to go from a typical startup Wordpress site to a JavaScript signup form where I’d fill in an email, password etc.
Instead, bam, I’m in the app with an anonymous account and ready to roll. A big button up top lets me add my email and password later if I like what I’m seeing. Really nice work.
I'm surprised that pattern is still being used so much. I implemented it on a site once and regretted it. Went back to email only.
What happens with multiple login choices is people forget what service they used, or end up accidentally creating another account (if it couldn't be auto-linked), or delete their fb/twitter/whatever and then lose access to things they didn't intend. Or get banned and forcibly lose access.
It also means you're relying on more 3rd-party dependencies. And having the overhead of managing those, keeping updated with API/policy changes.
It's one of those things that seems simpler at first, but ends up being more complicated on both sides.
And what happens if one of Google's robots shuts down my account one day? Do I lose access to your service too? It's not like there are any humans at Google to manually review any of this stuff because they don't care.
You don't if people are at all competent and ask for an email in scope or ask you to enter a password with a username later. That way, you have access as long as you have access to your email/password.
It is great because the friction to start using the service is low but you can add additional stuff after you know that you want to use it. Few services do exactly this. They will lock down your account and ask you to add a password after a day.
In Firefox, I have these accounts living in their own containers precisely because I don't want this overlap and I want them isolated from other activity.
The number of support tickets I used to get from people who were "missing data" because they signed up with Facebook, then logged in next time with Google and saw nothing, belies this.
The confusion that federated login has caused within our own product has driven us to remove it. We are going back to email only (we had been considering it for a while, and then Apple requiring Apple Login along with the other options sealed the deal).
The support surface only increases over time and we found it not to be worth it.
Those have their own problems. I have 4 Google accounts through different organizations, a business and personal Facebook, etc...
These systems usually put log in and sign-up in the same flow so they are really saying:
"Do you remember if you signed up before? Which one of the 7 ways we're presenting as an array of 4 or so buttons with secondary account selectors did you use?
If you pick the wrong one now you're going to get another account and have multiple discounts, reputation, credit, etc to manage.
Good luck!"
If you're lucky enough to still have the welcome email it'll sometimes narrow it, but not really. If I clicked on Facebook, selected my business account, then I'd get email in a Google account, which is exactly what I'd get if I had selected Google and the business account directly.
However, that's a different service and a different token which is usually enough to mess things up and create a different account.
What's worse is often if you're not logged in and then you get prompted to create an account in the flow. Let's say you haven't been there in 5 years.
Now you don't know if you've signed up or not so you Russian roulette yourself and if you're lucky, this time, it'll be a new account.
Because if it's the 5 year old account often it'll trigger all these legacy catch up things "oh redirect to the new terms of service. Give tour of new website, notify about mobile app, what were we doing? I completely forgot"
On Priceline for instance, if you sign up for a credit card to get $100 off the flight and then click an existing account to complete the transaction and not a new account, it gets completely confused and your discount vanishes.
It's a complex solution for a simple problem that appears to be friendly but in practice becomes user hostile because it's creating mountains of edge cases most have no interest in fully supporting.
It also gives a very poor understanding of how many human users you have. Those account creating metrics sure look great! Then you dig in and realize a bunch of people have 3 or 4 accounts, mostly unwittingly because there's an interface to encourage creating multiple unconnected accounts.
They don't realize it. They'll be on one device and stayed logged in. Then they get a new phone, forget how they logged in and bam, new account.
Your users would really prefer if it was just 1 account. A lot of your support load would go down if it was 1 account, you'd get better sales, have higher reviews, but here we are anyway.
And in the end, with a bunch of choices it's just another form of the memory game, which is the same cognitive user flow of the password, since 99% of users just reuse a handful of passwords on every site.
What makes it worse is even though only one flow in the multiple login system is the one you want, every other one will still work.
It's like being forced to take home the goat in a web version of Monty Hall's Let's Make a Deal. Instead of seeing an error you're stuck with a new account that nobody on any side of the business flow wants.
Don't pick a name for your service that when googling it results in a full page of links to the coffee style and not to your service. (So how do I actually visit Cortado??)
> Only 38% of people did this. If I had instead captured everyone as soon as they showed enough interest to leave an email address, I could’ve increased my conversion rate by 250%.
How many of these were real losses and how many were people who put the wrong email address in the box, only to realize when they didn't get the verification email?
I have a very early gmail address, first initial + last name. I can't tell you how many verification emails I get that I never signed up for. Those aren't the bad ones though; the bad ones are when I get emails about Kay's upcoming surgery and follow-up appointments, Kim's yarn orders and Ken's mortgage documents. (All of these are real examples.)
Strong email verification flows aren't just anti-bot. They're a level of defense against clumsy users.
You can add "don't require a user to be more interested in order to get more interested." For example, it's annoying when I'm trying to decide where to eat and a restaurant's website won't show me a menu until I select a location and start an online order.
The flip side of that is your annoyance when you've just settled on what to eat tonight, but then it says "Sorry, you're in Alaska. All menu items cost 50% more, and the exact thing you wanted isn't available in Alaska"
I had the exact same experience on my app's website (https://mimestream.com) as well. I think initially, I was nervous about offering a beta download, so I wanted to manually vet each subscriber and manually send invites. Of course, even a 2 or 3 hour gap resulted in very poor conversion. Presenting the beta download link immediately after a user provided an email, obviously, has resulted in a world of difference.
From a mobile developer's perspective, I feel like a lot of these problems can be solved by using "Sign in with [Blah]" buttons. It requires a 1-2 taps for the user the sign in and almost always requires no email verification. Seeing that Sign in With Apple is also available on Safari, maybe this trend will slowly creep into the web and eliminate some of the problems the author was talking about.
Please, keep the confirmation email. I get tons of email sent to one of my accounts because people register for some mailing list or other service and enter MY email address as theirs. If I get an email to confirm, I can safely ignore it and be done with it. Otherwise, it is a major annoyance.
ReCaptcha may be seen as useful to cut down on the number of bots but it screws things up royally when trying to navigate in private mode, or using a VPN.
> Please, keep the confirmation email. I get tons of email sent to one of my accounts because people register for some mailing list or other service and enter MY email address as theirs. If I get an email to confirm, I can safely ignore it and be done with it. Otherwise, it is a major annoyance.
Seconding this. As a holder of firstname at a-mainstream-email-service, I've had to unsubscribe to mailing lists far too often.
If a service doesn't offer me a way to unsubscribe, sometimes I have to recover the offending account's password and request for the account to be deleted.
We implemented a random fake client-HED34A@mycompany.io account being automatically created when a user hits our 'Get Started' button. The user can then later on decide to create a real account. If our client wants to come back later they can either write down their fake & random email@mycompany.io & log in just with that (it's only known by them) or enter their real address.
I would love this browser experience when visiting a new website: "<name of site> would like to create an account for you with your (previously vetted) profile data and email. Shall I create a random password and save it to your secure Google account before agreeing?"
And then hitting "Yes" does just that, and I'm in.
The same workflow could be used for shipping info and CC info.
This is true, but I think there's something to be said about the strength of your product market fit if users put up with really shitty user experience.
Also, it says "Click to register" ... which I feel like I've already done. I think the wording should be revised to say something more like "Confirm your registration".