7

Has Facebook always verified the email addresses for their users? I am building an app with Django (using python-social-auth) where I want people to be able to log in with their Facebook account. As far as I understand, the email is always verified, even in the case when the person who has signed up used his/her phone number. If they enter an email later on, this email will still be verified.

However, I am not sure this was the case earlier. Can we trust that all the emails have been verified by Facebook for all the accounts?

elena

2 Answers

8

More recently, the short answer is: Yes, if you get an email from Facebook, it is a verified email.

Also, remember that users may not have it set (e.g. phone registration), and if you want to handle them, you will probably need to extend your pipeline with verification. (But that allows you to handle, for example, Twitter.)

Anyway, more info in the twin topic: Is it possible to check if an email is confirmed on Facebook?

Community
Rodbert
  • Thanks for your reply. I have read the other reply and in one of the answers it says that by querying http://www.facebook.com/search/results.php?q= with an unverified email address, you shouldn't get any results. I have myself created an account and tried to check this, but it seems that I get a result (fname, lname) even for an account that has an unverified email. – elena Nov 02 '14 at 16:15
  • OK, I tried to test (hack) it today, and I cannot get any unverified email from OAuth. Every time I ask for an unverified email I get an empty string, and facebook.com/search/results.php?q= returns the account. In conclusion, I'm pretty sure that this is safe. I tried: registration via mail and verifying via phone, and registration via phone without a primary mail set, or set and not verified. – Rodbert Nov 03 '14 at 12:19
1

In case anyone finds this question again, as of 2021, Facebook's documentation says that the email obtained from Facebook needs to be verified.

"1. Ensure the Facebook Login email address is verified

If you use an email address as the unique credential which identifies each account, your app should verify that the email address associated with the person's Facebook account (and obtained during Facebook Login) is valid. You can do this by creating code in your app to send a verification email to the address obtained after Facebook Login."

Source: https://developers.facebook.com/docs/facebook-login/multiple-providers#postfb1


code007
  • 4
    Facebook's docs on this matter are misleading. They provide contradicting information on the same page. https://developers.facebook.com/docs/facebook-login/multiple-providers#associating2 says you can trust the email, yet https://developers.facebook.com/docs/facebook-login/multiple-providers#postfb1 says you have to verify the email. They say that if you already have a user with the same email you received from FB, then you can trust the FB email. Yet, if it's a net new account logging in via FB, then you have to verify the email. Makes no sense... – Leonid Makarov Oct 13 '21 at 05:56
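
The app-side verification quoted from Facebook's documentation in the 2021 answer, together with the empty-email case from the first answer, sketched as an added example that is not code from any post in this thread or from python-social-auth. The function names, `SECRET`, `MAX_AGE` and the conservative no-automatic-merge policy are assumptions made for illustration.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: load a real secret from configuration
MAX_AGE = 3600                    # assumption: the mailed link is valid for one hour

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def make_token(fb_uid: str, email: str, now: float | None = None) -> str:
    """Token for the verification link mailed to `email`, bound to one Facebook uid."""
    issued = int(time.time() if now is None else now)
    body = json.dumps({"uid": fb_uid, "email": email.strip().lower(), "iat": issued})
    payload = _b64(body.encode())
    return f"{payload}.{_sign(payload)}"

def check_token(token: str, fb_uid: str, now: float | None = None) -> str | None:
    """Return the confirmed email, or None if forged, expired or issued to another uid."""
    payload, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    data = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    current = time.time() if now is None else now
    if data["uid"] != fb_uid or current - data["iat"] > MAX_AGE:
        return None
    return data["email"]

def login_action(fb_email, confirmed_by_app: set, local_emails: set) -> str:
    """Decide what to do with the email Facebook returned for this login."""
    email = (fb_email or "").strip().lower()
    if not email:
        return "ask_for_email"            # e.g. phone registration, no email returned
    if email in confirmed_by_app:
        return "login"                    # this app already confirmed the address
    if email in local_emails:
        return "verify_before_linking"    # conservative: no automatic account merge
    return "create_unverified_and_send_mail"
```

The token ties the confirmation to both the address and the Facebook user id, so a link mailed for one login cannot be replayed to confirm the same address for a different Facebook account.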