Last Updated: Dec 18, 2024
Overview
If a user has “email verification=pending” in Auth0, the user should not be able to log in at all until the e-mail is verified. However, the actual behavior indicates that if they use the Auth0 Reset Password form and reset their password, they can then log in, even though their email is still “pending”.
Applies To
- Password Reset
Solution
This is intended behavior and is not a recent change. The Reset Password flow requires the user to access their email account, which is the same criterion the Verify Email flow uses. Completing a password reset therefore sets the email_verified flag to true, since it is technically doing the same thing: proving ownership of that email account.
As mentioned in our docs:
“Keep in mind that in the default flow, the email delivery verifies the identity of the user.”
There is no existing method to disable email verification during a password reset. Per the engineering team, demonstrating access to the user’s email account, whether by resetting the password or by opening the Verification Email, proves ownership of that account, so either action will also mark the account as verified.