The most secure way to handle someone forgetting to verify their account?

What I see most commonly is allowing the authentication and signing the user in, but locking meaningful features away until the email is verified. You should bubble up an error reminding the user to re-send an activation email if they try to access one of the restricted features.

It is poor design to ever lie to a user - if they submit the correct username and password, you should never show an error claiming that either is incorrect.

I agree with Buffalo5ix, but email verification should not be considered a part of account security. Email verification:

  • proves the ownership of the address, just to know that the user has entered correct address for you to send spam password recovery emails.
  • serves as a very light deterrent for registering multiple fake accounts. It's pretty easy to automate the creation of email addresses (by using tempmail/hosting your own email server) and automatically click the validation links, so CAPTCHA would be a better system to protect against automated registration of fake accounts.

I can't see any security-related reason why you should lock the unverified accounts in any way. [CLARIFICATION: I’m not arguing that you should send messages to unverified email accounts, that would be at least spammy and at worst give random person the ability to reset account password if the user mistyped their email. I’m saying that account login shouldn’t be disabled, sending email to unverified address obviously should be.]

I prefer the small banner on top of the screen reminding me to verify account and prompting to re-send the verification email. Treating user like a suspected criminal or nagging them right after they've registered just isn't polite, make them welcome.

You don't want to leak the information that the username exists in response to an unauthenticated login attempt. That would allow attackers to determine which of the email addresses on their list exist with your service.

But if the user logs in with the password that they supplied upon registration, that's not the situation you're in. You know (as much as you ever do with passwords) that the person logging in is the same person who registered that password. So there is no harm in telling them that their username exists; they know that, since they registered it!

What you don't know is that this individual actually does control the email address you have for them. That's actually unrelated to verifying the identity of the person logging in with a password. You might want to use it as an alternative means of proving their identity (so they can recover from losing their password). Not having verified their email means you can't safely do that (since you don't know that the person who registered controls that email address), so their control of their own account is not safely established. But it doesn't mean you have any more reason than normal to doubt that the password proved who they were, and treat them as an unauthenticated user.

If you decide it's important not to allow users to log in and use your service without verifying their email, then once you've established the identity of the person you're communicating with you should simply tell them that's what the problem is and let them address it.