New users must verify their email address twice


We just upgraded to Hosted Login v2, and it works great. But there is one problem: for some reason, new users have to verify their email addresses twice. Is there a way to prevent that?


Technically speaking, to upgrade to Hosted Login v2 you only need to do one thing: change the value of the loginURL property in your login policy. That’s it: add v2 to the correct spot in the loginURL property and, just like that, you’ll be upgraded to Hosted Login v2.

But while that works, there is a problem with only carrying out that single step. By default, when a user creates a new account, they’re sent an “old-fashioned” click-this-link-to-verify your address email:

If the user dutifully clicks that link they’ll be thanked for verifying their email address; for good reason, they’ll also assume that their email address has been verified and they can now log in.

But no; instead, while all this was going on the user was sent a second email, one that contains an access code they must enter as part of the login process:

Only then will their email address be verified and only then will they be able to login.

In other words, one email address, two verification emails, and two different verification processes. Is there a reason for that?

As a matter of fact, there is. The problem here is that the two forms users can employ to create accounts – the traditionalRegistrationForm and the socialRegistrationForm forms – are designed to send verification emails after the form is submitted. (That’s the first email our hypothetical user received.) Meanwhile, Hosted Login v2 is designed to send an access code email any time a user creates a new account. As a result, a new user gets two verification emails: one containing the verification link used in Hosted Login v1 (and built into the traditionalRegistrationForm and the socialRegistrationForm forms), the other the access code email used in Hosted Login v2.

In some cases, like this one, twice as much isn’t really twice as good.

Fortunately, there’s an easy way to fix this problem: just modify the traditionalRegistrationForm and the socialRegistrationForm forms to ensure that they don’t send verification link emails. That way, users will only get the access code emails sent by Hosted Login v2. See Modify 2FA registration forms for step-by-step instructions on how to modify the two registration forms


Instead of modifying the forms, couldn’t you make some sort of modification that tells Hosted Login v2 not to send an access code email? No, you can’t: Hosted Login v2 needs those access codes to proceed (i.e., clicking an email verification link without submitting an access code simply won’t work). On top of that, access codes have some advantages over verification links, the biggest one being the fact that email clients often disable links included in an email. As a result, a user ends up being sent a link that can’t be clicked; that leaves it up to the user to figure out that they can copy that link and paste it into their browser’s address bar. Similarly, to help guard against phishing many users have been taught not to click links sent to them via email; as a result, they might be reluctant to click the link that verifies their email address. Access codes provide a way around both those issues.