User 1 is an account administrator and can create (invite) other users to the account. User 1 enters an email address for user 2. User 2 receives a welcome email at that address with a link to confirm. By clicking on this link, user 2 goes to the site to create a password and log in.
Security is extremely important in this area. Therefore, there is a lot of concern about what should happen if user 1 uses a wrong email address for user 2 and the sneaky user 3 receives it instead. User 3 could create an account and do some damage.
One solution that I am considering is that the user who receives the welcome email will have to check other information that we have also collected from user 1 on his behalf (for example, user 2 will have to provide his full name and phone number after clicking on the link in the welcome email). I like this approach, but I'm afraid that the data will not match exactly and that the legitimate user 2 will face unnecessary friction. For example, what if user 1 misspelled his name or put a business phone number instead of his direct line? As far as I know, users 1 and 2 already have an existing relationship, so user 1 must be able to communicate any special registration criteria to user 2.
It sounds a bit complicated and reminds me of http://xkcd.com/970/, as if we were building a lot of validation around something that will probably be filled in correctly 99% of the time. But we chose to use account administrators instead of letting each user sign up individually, because there are hundreds of accounts in the system and new users must be associated with at least one account to be able to sign in or perform anything.
Does anyone know of any other service where you need to be invited and which validates certain information before it allows you to enter?
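The verification step considered in the question, sketched as an added example that is not part of the original post: the emailed token alone is not enough, the recipient must also supply the name and phone number the administrator entered, compared tolerantly so a typo does not block the legitimate user. The function names, the similarity threshold, the attempt limit and the sample values are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

MAX_ATTEMPTS = 3        # assumption: invite locks after this many failures
NAME_SIMILARITY = 0.85  # assumption: tolerance for admin typos in the name


def norm_name(name: str) -> str:
    # Lowercase, strip accents and punctuation, collapse whitespace.
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(re.sub(r"[^a-z ]", " ", text.lower()).split())


def norm_phone(phone: str) -> str:
    return re.sub(r"\D", "", phone)  # digits only: formatting is ignored


@dataclass
class Invite:
    token_hash: str   # only a hash of the emailed token is stored
    name: str         # as typed by the administrator (user 1)
    phone: str
    failures: int = 0
    used: bool = False


def create_invite(name: str, phone: str) -> tuple[str, Invite]:
    token = secrets.token_urlsafe(32)  # goes into the welcome email link
    digest = hashlib.sha256(token.encode()).hexdigest()
    return token, Invite(digest, name, phone)


def redeem(invite: Invite, token: str, name: str, phone: str) -> str:
    digest = hashlib.sha256(token.encode()).hexdigest()
    if invite.used or invite.failures >= MAX_ATTEMPTS:
        return "locked"  # administrator has to issue a new invitation
    if not hmac.compare_digest(digest, invite.token_hash):
        return "bad_token"
    ratio = SequenceMatcher(None, norm_name(name), norm_name(invite.name)).ratio()
    if ratio >= NAME_SIMILARITY and norm_phone(phone) == norm_phone(invite.phone):
        invite.used = True
        return "ok"
    invite.failures += 1
    return "locked" if invite.failures >= MAX_ATTEMPTS else "retry"
```

A phone number that differs from the one on file (business line versus direct line) still fails, so the friction described in the question remains for that case; the lock after repeated failures sends the recipient back to the administrator.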