pilcrowOnPaper / copenhagen

A basic guideline on implementing auth for the web
https://thecopenhagenbook.com
MIT License
974 stars, 24 forks

Clarify reasons to use a code instead of a link for email verification #22

Closed ellotheth closed 2 months ago

ellotheth commented 3 months ago

I was confused by this explanation for preferring codes to links for email verification:

This approach should be preferred over using links. People are increasingly less likely to click on links, and some filters may block emails with them. Using links also limits what device the user can use to create an account (e.g. the user doesn't have access to their mailbox on their phone).

Avoiding links in emails to avoid filters and similarity with phishing emails makes sense, but I didn't understand the scenario where a user's phone might have access to their verifying application, but not their email. The source material for this section gets a little more specific, so I incorporated some of that explanation.

I also re-worded the "should be preferred" statement, because it's not always the case (e.g. a longer token embedded in a link is a more secure, less error-prone verification option for changing account contact information, initial account signup, etc.).
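The two options the comment weighs, side by side, as an added example that is not code from the pull request, the book, or the copenhagen repository: a short numeric code typed into an already signed-in session, which has so little entropy that it needs a short lifetime and an attempt limit, and a long random token carried in a link, which needs neither but can be redeemed by anyone holding the URL and so is looked up by its hash and consumed on first use. The store class, the TTL and attempt values, and the https://example.com endpoint are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Illustrative parameters (assumptions, not values taken from the book).
CODE_DIGITS = 8
CODE_TTL_SECONDS = 15 * 60        # a low-entropy code must die quickly
MAX_CODE_ATTEMPTS = 5             # and must not be brute-forceable
LINK_TTL_SECONDS = 24 * 60 * 60   # a 256-bit token can live longer
VERIFY_URL = "https://example.com/verify-email"  # hypothetical endpoint


def _hash(secret: str) -> bytes:
    """Store only a hash so a leaked table does not yield usable codes or tokens."""
    return hashlib.sha256(secret.encode("utf-8")).digest()


@dataclass
class _Pending:
    user_id: str
    email: str          # the address the secret was actually sent to
    secret_hash: bytes
    expires_at: float
    attempts_left: int


class VerificationStore:
    """In-memory stand-in for the database table a real application would use."""

    def __init__(self) -> None:
        self._codes: Dict[str, _Pending] = {}    # keyed by user id
        self._links: Dict[bytes, _Pending] = {}  # keyed by token hash

    # --- option 1: short code, entered inside an authenticated session ---

    def issue_code(self, user_id: str, email: str, now: float) -> str:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # One pending code per user; re-issuing invalidates the previous one.
        self._codes[user_id] = _Pending(user_id, email, _hash(code),
                                        now + CODE_TTL_SECONDS, MAX_CODE_ATTEMPTS)
        return code

    def verify_code(self, user_id: str, email: str, submitted: str, now: float) -> bool:
        pending = self._codes.get(user_id)
        if pending is None or now > pending.expires_at:
            self._codes.pop(user_id, None)
            return False
        pending.attempts_left -= 1
        # Bind the code to the address it was sent to, so an address changed
        # after issuance cannot be verified with the old code.
        ok = (pending.email == email and
              hmac.compare_digest(pending.secret_hash, _hash(submitted)))
        if ok or pending.attempts_left <= 0:
            # Single use on success; once attempts run out a new code is required.
            del self._codes[user_id]
        return ok

    # --- option 2: long token in a link, usable without a session ---

    def issue_link(self, user_id: str, email: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: guessing is infeasible
        self._links[_hash(token)] = _Pending(user_id, email, _hash(token),
                                             now + LINK_TTL_SECONDS, 1)
        return f"{VERIFY_URL}?token={token}"

    def verify_link(self, token: str, now: float) -> Optional[Tuple[str, str]]:
        # pop() makes the token single-use. Lookup by hash is acceptable here
        # because the token's entropy, not a comparison, defends against guessing.
        pending = self._links.pop(_hash(token), None)
        if pending is None or now > pending.expires_at:
            return None
        return pending.user_id, pending.email


if __name__ == "__main__":
    store = VerificationStore()
    code = store.issue_code("alice", "alice@example.com", now=0.0)
    print("code verified:", store.verify_code("alice", "alice@example.com", code, now=1.0))
    url = store.issue_link("bob", "bob@example.com", now=0.0)
    print("link verified:", store.verify_link(url.split("token=")[1], now=1.0))
```

The asymmetry is the point of the comment: the code path must enforce an attempt counter and a short expiry because an eight-digit code can be guessed, while the link path relies on the token's length and on consuming it on first use; in exchange, whoever holds the link can redeem it without a session, which is why a link suits first-time signup or changing contact details, where no trusted session may exist yet.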

pilcrowOnPaper commented 2 months ago

Thanks!