New users must verify their email address twice
Question
We just upgraded to Hosted Login v2, and it works great. But there is one problem: for some reason, new users have to verify their email addresses twice. Is there a way to prevent that?
Answer
Technically speaking, to upgrade to Hosted Login v2 you only need to do one thing: change the value of the loginURL property in your login policy. That's it: add v2 to the correct spot in the loginURL property and, just like that, you'll be upgraded to Hosted Login v2.
But while that works, there is a problem with only carrying out that single step. By default, when a user creates a new account, they're sent an "old-fashioned" click-this-link-to-verify-your-address email.
If the user dutifully clicks that link, they'll be thanked for verifying their email address; for good reason, they'll also assume that their email address has been verified and that they can now log in.
But no; instead, while all this was going on, the user was sent a second email, one that contains an access code they must enter as part of the login process.
Only then will their email address be verified, and only then will they be able to log in.
In other words, one email address, two verification emails, and two different verification processes. Is there a reason for that?
As a matter of fact, there is. The problem here is that the two forms users can employ to create accounts (the traditionalRegistrationForm and the socialRegistrationForm forms) are designed to send verification emails after the form is submitted. (That's the first email our hypothetical user received.) Meanwhile, Hosted Login v2 is designed to send an access code email any time a user creates a new account. As a result, a new user gets two verification emails: one containing the verification link used in Hosted Login v1 (and built into the traditionalRegistrationForm and the socialRegistrationForm forms), the other the access code email used in Hosted Login v2.
In some cases, like this one, twice as much isn't really twice as good.
Fortunately, there's an easy way to fix this problem: just modify the traditionalRegistrationForm and the socialRegistrationForm forms to ensure that they don't send verification link emails. That way, users will only get the access code emails sent by Hosted Login v2. See Modify 2FA registration forms for step-by-step instructions on how to modify the two registration forms.
Instead of modifying the forms, couldn't you make some sort of modification that tells Hosted Login v2 not to send an access code email? No, you can't: Hosted Login v2 needs those access codes to proceed (i.e., clicking an email verification link without submitting an access code simply won't work). On top of that, access codes have some advantages over verification links, the biggest one being that email clients often disable links included in an email. As a result, a user ends up being sent a link that can't be clicked; that leaves it up to the user to figure out that they can copy that link and paste it into their browser's address bar. Similarly, to help guard against phishing, many users have been taught not to click links sent to them via email; as a result, they might be reluctant to click the link that verifies their email address. Access codes provide a way around both those issues.
Updated 3 months ago