“We had 100 signups today!” is one of the most beautiful things you can hear as a young startup. It’s a sign that you’re doing something right. Your product solves a real problem. Your marketing is getting in front of the right people. Your signup flow is working and low friction!
What if we’re wrong?
When we get those 100 signups, we assume they’re interested users who will do something productive with our product. But at this moment in time, they’re just accounts. They’re just anonymous email addresses which might be a real person, might be a bot, or might be a bot that has hijacked a real person’s email. Until we understand what that account represents and how to interact with them, these 100 signups are more hopes and dreams than Product Qualified Leads (PQLs).
Before we can get a user into our product, we need to make sure they’re a person. To map this to concepts we already use, let’s call this a “user verification funnel” where we start with everyone who could possibly sign up and apply filters to keep out the bots, bad actors, and noise.
At the broadest level, we can apply the simplest tool available to everyone: a CAPTCHA. A CAPTCHA is a quick challenge-response test to determine if the user is a person. Ideally, it should mitigate bots and spammers but realistically this is an ongoing arms race where spammers iterate, providers improve, generative AI improves, and we keep going. While this is a useful step, it’s not good enough alone.
At the next level, we can think about the connection or request context. Every request to your site comes from an IP address.
Some traffic comes from countries where you are legally barred from operating, like North Korea or Cuba. Further, there may be countries that you don’t want to do business with. If you’re a banking app for the US market, you may want to block EU users from registering at all. By using our Embargo Service, you can exclude some markets and focus on the markets where you can support the language and legal requirements.
Finally, it turns out there are bots on the internet. A lot of bots. By some analysis, nearly half of the traffic on the internet is bots. While not all are malicious, even the best behaved bots do not represent real users. Luckily, there are services out there that track bot traffic and let us detect and block the IP addresses where those bots originate.
Now that we’ve eliminated most of the bots and excluded countries outside our target markets, we can analyze the user directly.
First, during the registration process, we can analyze the email domain. Obviously we should exclude disposable and malicious domains but newly registered domains can also be suspicious. At minimum, we want to focus on existing businesses and new domains are a negative indicator.
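The filters described so far (embargoed countries, excluded markets, known bot IP ranges, disposable email domains and newly registered domains) compose naturally into a single pipeline that runs at registration time. The following is an added example and not code from Pangea or its services; every lookup table in it is constructed sample data standing in for the real geo-IP, bot-feed, disposable-domain and WHOIS sources, and the EU-market exclusion, the 90-day "newly registered" threshold and the score weights are assumptions for the sake of illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import date

# All lookup tables below are constructed sample data standing in for the real
# services the post refers to (an embargo/geo-IP lookup, a bot-IP feed, a
# disposable-domain list and WHOIS registration dates).
EMBARGOED_COUNTRIES = {"KP", "CU"}            # North Korea, Cuba (from the post)
EXCLUDED_MARKETS = {"DE", "FR"}               # assumed: a US-only product opting out of EU signups
GEOIP_TABLE = {                               # constructed CIDR -> ISO country mapping
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "KP",
    "192.0.2.0/24": "DE",
}
KNOWN_BOT_NETWORKS = [ipaddress.ip_network("203.0.113.128/25")]  # constructed bot range
DISPOSABLE_DOMAINS = {"tempmail.example", "throwaway.example"}   # constructed
DOMAIN_REGISTERED = {                         # constructed stand-in for WHOIS creation dates
    "acme.example": date(2012, 4, 1),
    "freshco.example": date(2024, 5, 20),
}
NEW_DOMAIN_DAYS = 90                          # assumed threshold for "newly registered"


@dataclass
class Signup:
    email: str
    ip: str


@dataclass
class Verdict:
    allowed: bool
    score: int                      # 0 is neutral; negative indicators lower it
    reasons: list = field(default_factory=list)


def lookup_country(ip):
    """Return the ISO country code for an IP, or None if the table has no match."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return None


def is_known_bot(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_BOT_NETWORKS)


def domain_age_days(domain, today):
    registered = DOMAIN_REGISTERED.get(domain)
    return None if registered is None else (today - registered).days


def evaluate_signup(signup, today=date(2024, 6, 1)):
    """Run one signup through the funnel: hard stops first, then soft scoring."""
    country = lookup_country(signup.ip)
    if country in EMBARGOED_COUNTRIES:
        return Verdict(False, -100, [f"embargoed country {country}"])
    if country in EXCLUDED_MARKETS:
        return Verdict(False, -100, [f"excluded market {country}"])
    if is_known_bot(signup.ip):
        return Verdict(False, -100, ["ip in known bot network"])
    domain = signup.email.rsplit("@", 1)[-1].lower()
    if domain in DISPOSABLE_DOMAINS:
        return Verdict(False, -100, ["disposable email domain"])

    # Soft signals: the signup proceeds, but the score travels with it so that
    # later qualification (PQL scoring, onboarding) can weigh it.
    verdict = Verdict(True, 0)
    age = domain_age_days(domain, today)
    if age is None:
        verdict.score -= 10
        verdict.reasons.append("domain registration date unknown")
    elif age < NEW_DOMAIN_DAYS:
        verdict.score -= 25
        verdict.reasons.append(f"domain registered {age} days ago")
    return verdict


if __name__ == "__main__":
    for s in [Signup("ann@acme.example", "203.0.113.10"),
              Signup("bob@acme.example", "198.51.100.5"),
              Signup("cat@acme.example", "203.0.113.200"),
              Signup("dan@tempmail.example", "203.0.113.10"),
              Signup("eve@freshco.example", "203.0.113.10")]:
        print(s.email, evaluate_signup(s))
```

The ordering matters: the cheap, unambiguous checks (embargo, bot range, disposable domain) reject outright, while domain age only lowers a score, because a genuinely new business is a legitimate signup you want to keep but watch.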
Then we can interact with the user via email verification. With email verification, we send an email to the user with a link to click or a one time code to paste back into the user flow. While bots can read an email inbox and click a link, we’ve probably filtered out most in the previous steps.
Where this becomes more valuable is the email itself. If we can confirm it’s real and a user has to take an affirmative action, that improves Marketing’s email bounce rate and potentially open rates. From a Product perspective, it also increases the odds that there’s a person with real interest in the product.
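The one-time-code variant of email verification is simple to get subtly wrong: codes stored in plaintext, no expiry, unlimited guesses, or a comparison that leaks timing. The following is an added example written for this post, not Pangea's AuthN implementation; the 10-minute lifetime, the 5-guess budget and the 6-digit code length are assumptions, and the in-memory dictionary stands in for whatever database holds pending verifications.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

CODE_TTL = timedelta(minutes=10)   # assumed: how long a code stays valid
MAX_ATTEMPTS = 5                   # assumed: guesses allowed before the code is voided


class EmailVerifier:
    """Issues one-time codes and checks them without ever storing the code itself."""

    def __init__(self, server_secret, now=None):
        self._secret = server_secret
        self._pending = {}  # email -> {"hash", "expires", "attempts"}; a DB in practice
        self._now = now or (lambda: datetime.now(timezone.utc))

    def _digest(self, email, code):
        # Keyed hash binds the code to the address, so a leaked table of digests
        # cannot be brute-forced offline without the server secret.
        msg = f"{email.lower()}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, email):
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG
        self._pending[email.lower()] = {
            "hash": self._digest(email, code),
            "expires": self._now() + CODE_TTL,
            "attempts": 0,
        }
        return code   # goes into the email; the server keeps only the digest

    def verify(self, email, submitted):
        key = email.lower()
        record = self._pending.get(key)
        if record is None:
            return False
        if self._now() > record["expires"]:
            del self._pending[key]            # expired codes are dropped, not retried
            return False
        record["attempts"] += 1
        if record["attempts"] > MAX_ATTEMPTS:
            del self._pending[key]            # too many guesses: force a fresh code
            return False
        ok = hmac.compare_digest(record["hash"], self._digest(email, submitted))
        if ok:
            del self._pending[key]            # single use
        return ok


if __name__ == "__main__":
    verifier = EmailVerifier(b"constructed-server-secret")
    code = verifier.issue("ann@acme.example")       # would be emailed to the user
    print("wrong code accepted:", verifier.verify("ann@acme.example", "000000"))
    print("right code accepted:", verifier.verify("ann@acme.example", code))
    print("reuse accepted:", verifier.verify("ann@acme.example", code))
```

The `now` parameter exists only so the expiry path can be tested deterministically; in production the default clock is used. Bounding attempts is what makes a six-digit code adequate: without the cap, a million guesses is a small job for the bots the earlier filters were meant to keep out.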
While we normally consider Multi-factor Authentication a security feature, what if it meant something more?
First, you may be able to draw conclusions about the user themselves. If someone attaches a social profile, you are more likely connecting it to a real identity which may be useful for qualification. Alternatively, if someone enrolls in SMS or TOTP for MFA, they’re taking additional steps to enroll their device or app. Either way, it’s an indication they care about the security of this account. With SMS specifically, you have another indicator this is a real, live person.
Warning: If a user chooses SMS as a factor, do not use their phone number for marketing or sales. While it technically works, it’s a breach of trust. A phone number provided for security is not a marketing channel.
At this point, we should have confidence that our previously anonymous email addresses are probably real life people who may be interested in our app. Unfortunately, bad actors iterate on their attacks. A new bot network can form and attack our systems. A previously real user’s account could be compromised and used by bots. The countries we can deal with can change with market or legal changes. Regardless of our reasons, we have to iterate on our approach.
In addition, we might discover new patterns that serve as positive and negative indicators of user intent. For example, a user who signs in from the same few IP addresses regularly could be using your app from home and work. Alternatively, if someone signs in from vastly separate places, like London and New York, within a matter of minutes, we can likely discard that user as fake.
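The London/New York pattern above is usually called impossible travel: for each pair of consecutive sign-ins by the same account, compute the distance between the two geolocated IPs and the speed the person would have needed to cover it. The following is an added example, not Pangea's code; the geolocation step is assumed to have already happened (each login carries a latitude and longitude), the login records are constructed sample data, and the 1000 km/h ceiling is an assumed threshold chosen to sit just above commercial air travel.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling: roughly commercial airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed the user would have needed to travel between two consecutive logins."""
    distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    hours = (cur["at"] - prev["at"]).total_seconds() / 3600.0
    if hours <= 0:
        return math.inf if distance > 0 else 0.0   # same-instant logins from two places
    return distance / hours


def flag_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, speed_kmh) for each consecutive login pair
    that would require travelling faster than max_kmh."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flags = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["at"])
        for prev, cur in zip(logins, logins[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_kmh:
                flags.append((user, prev["city"], cur["city"], round(speed)))
    return flags


def _login(user, city, lat, lon, hour, minute):
    return {"user": user, "city": city, "lat": lat, "lon": lon,
            "at": datetime(2024, 6, 1, hour, minute, tzinfo=timezone.utc)}


# Constructed sample logins: alice's pattern is the London/New York case from the
# post; bob's is the benign home-and-work pattern (Reading and London).
SAMPLE_LOGINS = [
    _login("alice", "London", 51.5074, -0.1278, 9, 0),
    _login("alice", "New York", 40.7128, -74.0060, 9, 5),
    _login("bob", "Reading", 51.4543, -0.9781, 8, 0),
    _login("bob", "London", 51.5074, -0.1278, 9, 0),
    _login("bob", "Reading", 51.4543, -0.9781, 18, 30),
]

if __name__ == "__main__":
    for flag in flag_impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", flag)
```

Two caveats a practitioner would want: geo-IP is coarse, so a VPN or mobile carrier gateway can place a legitimate user hundreds of kilometres from where they are, which is why a speed threshold with headroom beats a plain distance threshold; and a flag from this check is a signal to weigh alongside the others, not proof on its own.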
Now we have a wildly different world.
Instead of those anonymous email addresses, we have something that much more closely resembles a real person. Unfortunately, we also lost some of our signups: instead of the 100 we started with, we’re down to 75 or even 50, but each of those is better qualified and more useful for analyzing onboarding, activation, adoption, and eventually revenue.
In the short term, it stings.
In the long term, we gain a more accurate and actionable view of our world.
If you want to protect your registration and onboarding, check out our AuthN service to enable these capabilities in a few clicks.