Feature: allow option for OTP for email validation & password reset and add a step to the flow where Auth0 waits for the code in the same tab during registration.
Send a secret code (something easy to read and type - usually 6-8 letters and/or numbers) to the user’s email that is used to validate their access to the email during registration and password reset. When you register or reset your password, you wait at an interstitial page until the user enters the code from email, upon which time the user is then redirected back to the page they began at, being logged in (and in the case of validation, having their email validated).
This would be an option to replace the current feature of sending a specially formatted link.
We built our own OAuth2 provider before moving to Auth0, and we started with a link, too, but it disrupts the user’s experience in the client application.
The key point here is that we don’t want anyone to be logged in if they haven’t validated their email address yet. That puts too much of a burden on our application developers to constantly think about whether a logged-in user is validated or not, and to restrict what they can see and do. So instead, we don’t allow anyone to be “logged in” until after they’ve validated their email.
The problem, then, is what happens when you’ve entered your email and password but haven’t validated your email yet? Auth0 basically forces us to return you to the application without actually being logged in, which is confusing. I just entered an email and password and I’m back at the application, but not logged in. There’s currently no way to “wait” in the registration flow until the user has validated their email, and then let them continue on back to the page where they began.
Magic Link Example
For example, you are navigating a shopping site, and you find exactly the right product to buy, but you need to register to make the purchase. You go to sign up, and we ask for email verification. With Auth0 right now, we have to direct the user back to the product page, but still not logged in. They then get a link in their email, which opens a new tab, and their email is validated, but they’re still not logged in, and that tab redirects back to the front page of the shopping site. This is very frustrating for the user, and results in lost sales for our e-commerce folks (they hate that!).
With an OTP flow, the user would click sign up from the product page, enter email and password, then sit at a page that says something like “check your inbox for a magic link to verify your email address”, with a textbox for entering the code. They’d go check their email, find the code, copy and paste or just type it into the textbox, click next, and they get redirected back to the original product page, all logged in with their email validated.
This is a much better flow for the users because they stay in the same context of a single tab, and get back to exactly the same location they were before they signed up. (This is also what Amazon uses on their storefront).
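The server-side half of the flow described above (issue a short code, hold the registration pending, accept the code once, then send the user back to where they started) as an added illustration. This is not Auth0's code or the original poster's; it is a self-contained sketch of how such a verification store can be built so that the emailed code is the only secret. The code length (6), alphabet, 10-minute lifetime, 5-attempt limit, and the `OtpStore` / `PendingVerification` names are all assumptions for the example, not values from the post.

```python
"""Email OTP verification for a pending registration (added example, not Auth0's code).

Assumptions (not from the original post): a server-side store keyed by a
pending-registration id, a 6-character code from an unambiguous alphabet,
a 10-minute lifetime, and at most 5 wrong guesses before the code is voided.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Letters/digits that are hard to confuse when read from an email and typed
# (no 0/O or 1/I). Assumption for the example.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 6          # assumption: within the 6-8 range the post suggests
TTL_SECONDS = 10 * 60    # assumption: how long the code stays valid
MAX_ATTEMPTS = 5         # assumption: wrong guesses before the code is voided


@dataclass
class PendingVerification:
    email: str
    return_to: str          # page the user started from (e.g. the product page)
    code_hash: bytes        # salted hash of the code; the code itself is only emailed
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    consumed: bool = False


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store only a salted hash so a leaked table does not reveal live codes.
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


class OtpStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending: Dict[str, PendingVerification] = {}

    def issue(self, email: str, return_to: str) -> Tuple[str, str]:
        """Create a pending verification; returns (pending_id, code).

        The code is what gets emailed to the user; the pending_id is what the
        interstitial page keeps (e.g. in the session) to submit the code against.
        """
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        pending_id = secrets.token_urlsafe(16)
        self._pending[pending_id] = PendingVerification(
            email=email,
            return_to=return_to,
            code_hash=_hash_code(code, salt),
            salt=salt,
            expires_at=self._now() + TTL_SECONDS,
        )
        return pending_id, code

    def verify(self, pending_id: str, submitted: str) -> Tuple[str, Optional[str]]:
        """Check a submitted code. Returns (status, return_to).

        status is one of: ok, invalid, expired, locked, unknown.
        Only 'ok' should start a session and mark the email verified; the
        caller then redirects to return_to.
        """
        pv = self._pending.get(pending_id)
        if pv is None or pv.consumed:
            return "unknown", None
        if self._now() > pv.expires_at:
            del self._pending[pending_id]
            return "expired", None
        # Normalise whitespace/case so copy-paste from the email does not fail.
        candidate = submitted.strip().upper()
        # Constant-time comparison of the hashes.
        if not hmac.compare_digest(pv.code_hash, _hash_code(candidate, pv.salt)):
            pv.attempts_left -= 1
            if pv.attempts_left <= 0:
                # Too many wrong guesses: void the code; the user must request a new one.
                del self._pending[pending_id]
                return "locked", None
            return "invalid", None
        pv.consumed = True              # single use: a replayed code is rejected
        del self._pending[pending_id]
        return "ok", pv.return_to
```

In a real deployment the store would live in a shared database or cache rather than a process-local dict, and the interstitial page would also rate-limit code requests per email so that an attacker cannot flood a mailbox; both are outside what the post describes and are left out here.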