Hi,
Suppose this scenario using “Classical” Auth0 Login:
Alice created the account for bob@gmail.com through the sign up form.
Bob’s account was then created and an activation email was sent.
Bob DID NOT and WILL NOT open the e-mail but instead, went back to sign up HIMSELF after one month.
While submitting the signup form with bob@gmail.com, Auth0 warned that user already exists.
Bob got so confused because he did not make the link with Alice’s action.
The only way for Bob to log in is to click on “forgot my password”, which is a really poor UX way to pass the authentication part.
If you try www.alibaba.com/ for instance, you will see that they handle this use case by NOT considering a non-validated account to be EXISTING, and send the user another activation email.
I imagine that Auth0 ensures uniqueness across e-mail, but how to handle this signup/login scenario the same way as Alibaba does?
I’m afraid that there’s no built-in feature designed for that specific case. However, you can somehow control that yourself, for example by implementing a cleanup process through the Management API in which you delete unverified email accounts after a certain amount of time. You should likely make this clear to end-users, but if you inform them of this process then you would reduce the impact of the flow above, because by the time Bob tries to sign up, enough time will likely have passed for the previous account to have been cleared already.
I understand that the above has other implications and does require some additional logic; there may be other alternatives, but likely all with some overhead to your implementation, so with this in mind I would also recommend that you leave feedback about this product gap through Auth0: Secure access for everyone. But not just anyone. as that is a channel directly monitored by our product team.
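One way to implement the cleanup process the answer describes, as an added example that is not Auth0's own code: a job that searches the Management API for unverified users older than a retention window, re-checks each candidate strictly, and deletes only database-connection accounts that have never logged in, so an address pre-registered by someone else (Alice) cannot lock out its real owner (Bob) for longer than that window. It assumes a Management API token with the `read:users` and `delete:users` scopes in `AUTH0_MGMT_TOKEN`, the tenant domain in `AUTH0_DOMAIN`, and the standard `email_verified`, `created_at`, `last_login` and `identities` fields of a user record.

```python
# Added example (not Auth0's own code): delete stale, never-verified database
# accounts so a pre-registered address does not block its real owner for long.
# Assumptions: AUTH0_DOMAIN and a Management API token with read:users and
# delete:users scopes in AUTH0_MGMT_TOKEN.
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone


def _ts(value):
    # Auth0 timestamps look like 2024-01-31T10:15:00.000Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_search_query(cutoff_date):
    """Lucene pre-filter for GET /api/v2/users (search_engine=v3); cutoff is YYYY-MM-DD."""
    return "email_verified:false AND created_at:[* TO %s]" % cutoff_date


def select_stale_unverified(users, now, max_age_days):
    """Authoritative check: unverified, older than max_age_days, never logged in, database-only."""
    cutoff = _ts(now) - timedelta(days=max_age_days)
    stale = []
    for u in users:
        if u.get("email_verified") or u.get("last_login"):
            continue  # verified, or actually in use: never delete
        if {i.get("provider") for i in u.get("identities", [])} != {"auth0"}:
            continue  # social/enterprise identities are not ours to clean up
        if _ts(u["created_at"]) <= cutoff:
            stale.append(u["user_id"])
    return stale


def _mgmt(method, path, domain, token, params=None):
    url = "https://%s/api/v2/%s?%s" % (domain, path, urllib.parse.urlencode(params or {}))
    req = urllib.request.Request(url, method=method, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def cleanup(domain, token, max_age_days=30, dry_run=True):
    """Fetch the first page of candidates, filter strictly, delete unless dry_run."""
    now = datetime.now(timezone.utc)
    q = build_search_query((now - timedelta(days=max_age_days)).strftime("%Y-%m-%d"))
    users = _mgmt("GET", "users", domain, token, {"q": q, "search_engine": "v3", "per_page": 100})
    stale = select_stale_unverified(users, now.isoformat(), max_age_days)
    if not dry_run:
        for user_id in stale:
            _mgmt("DELETE", "users/" + urllib.parse.quote(user_id, safe=""), domain, token)
    return stale
```

The search fetches only the first page of results, so loop over the `page` parameter on larger tenants, and run with `dry_run=True` first to review which accounts would be removed.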