No-touch sign up security risk?


My SaaS startup is considering implementing a new sign-up procedure, but we're worried about security and false accounts.

Current Method

  1. Prospect fills out free trial form
  2. We get an email from the system with their information
  3. We manually confirm it's a human (an actual email, etc.)
  4. We manually create the account for them, and the system emails them a link

The problem is that there is a delay between sign up and use, which is definitely a leak in our funnel.

Proposed New Method

  1. Prospect fills out free trial form
  2. The system automatically sends out a free trial link without our involvement

We get a lot of spam from our contact form and free trial form now. Is there any increased risk of the new method vs. the old method? Does anyone have experience transitioning from one to the other?

Saas Security

asked Mar 4 '10 at 23:48
61 points

3 Answers


How come a captcha and an email with activation link don't work anymore? I suggest these 2 things - they are a de-facto standard, used by virtually all major sites.

answered Mar 5 '10 at 02:06
Oleg Kokorin
459 points


I understand the desire to block auto signup spam, but what type of security risk are you concerned about that wouldn't be there already with a captcha solution? Sure, the user isn't validated - but I don't believe that your solution would have the same problem that a forum looking to minimize viagra spam postings would.

There was a good conversation about this topic - captcha vs. email confirmation vs. none - which may be of use.

Is there a way to allow people to experience the product without signing up? Then after entering in information they have to create an account to save it? I don't know if this is a valid approach for your offering, but it does work with some companies - once you've entered in some info to see how it works, you are more compelled to create an account to save your work.

One could incorporate some form-robot anti-spam techniques like bad behaviour to minimize your exposure, then integrate a manual validation process via Mechanical Turk to keep the list scrubbed.

answered Mar 5 '10 at 05:03
Jim Galley
9,952 points


You definitely need to automate this process. You should be able to find several libraries for using a confirmation email process to activate the account. This is very common, automated and pretty reliable. Captcha is another option that can be used in addition to the email confirmation.

answered Mar 5 '10 at 15:18
892 points
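Two of the answers above recommend automating the sign-up with an emailed activation link. As an added example (not code from any of the answerers), here is the server-side core of that pattern in Python: an unguessable token, only its hash stored, an expiry, and single use. The in-memory stores, the addresses and the 24-hour lifetime are constructed for the demo.

```python
import hashlib
import secrets

# Constructed in-memory stores standing in for database tables.
PENDING = {}   # sha256(token) -> {"email": str, "expires": int}
ACCOUNTS = {}  # email -> {"active": bool}
TOKEN_TTL = 24 * 3600  # activation links stay valid for one day (constructed)


def _hash(token: str) -> str:
    # Store only the hash: a leaked PENDING table cannot be used to activate accounts.
    return hashlib.sha256(token.encode()).hexdigest()


def start_signup(email: str, now: int) -> str:
    """Create an inactive account and return the secret to embed in the emailed link."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    ACCOUNTS.setdefault(email, {"active": False})
    PENDING[_hash(token)] = {"email": email, "expires": now + TOKEN_TTL}
    return token


def activate(token: str, now: int) -> str:
    """Consume the token from the clicked link; returns 'ok', 'expired' or 'invalid'."""
    record = PENDING.pop(_hash(token), None)  # pop makes the link single-use
    if record is None:
        return "invalid"
    if now > record["expires"]:
        return "expired"  # the record is already gone, so the stale link cannot be retried
    ACCOUNTS[record["email"]]["active"] = True
    return "ok"


if __name__ == "__main__":
    now = 1_000_000
    link_secret = start_signup("alice@example.com", now)
    print("emailed link: https://example.com/activate?t=" + link_secret)
    print(activate(link_secret, now + 60))   # ok
    print(activate(link_secret, now + 61))   # invalid (already used)
```

The `now` parameter is passed in rather than read from the clock so the expiry path can be exercised deterministically; a real handler would pass `int(time.time())`.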
