User's email_verified Flag to be Set to True once the User Reset their Password

Last Updated: Dec 18, 2024

Overview

If a user's email verification is still pending in Auth0, the expectation is that the user should not be able to log in at all until the email is verified. The actual behavior, however, is that if the user goes through the Auth0 Reset Password form and resets their password, they can then log in even though their email was still pending.

Applies To

  • Password Reset

Solution

This is intended behavior and is not a recent change. The Reset Password flow requires the user to access their email account, which is the same requirement the Verify Email flow imposes. Completing a password reset therefore sets the email_verified flag to true, since it is technically doing the same thing: proving ownership of that email account.

As mentioned in our docs:

“Keep in mind that in the default flow, the email delivery verifies the identity of the user.”

There is no existing method to disable email verification on reset password. Per the engineering team, demonstrating access to the user’s email account, as resetting the password does, proves ownership of that account in the same way that opening the Verification Email does, so it will also verify the account.
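The Overview's expectation, that a user with a pending email should not be able to log in, is not enforced by Auth0 by default; it is normally implemented with a Post Login Action that denies access while `email_verified` is false. The Action below is an added example, not code from this article or from Auth0's documentation; it assumes the Actions API names `event.user.email_verified` and `api.access.deny(reason)`, and the helper names `shouldDenyLogin`, `makeFakeApi` and `demo` are hypothetical. It also shows the consequence the article describes: because the Reset Password flow sets `email_verified` to true, a user who has just reset their password passes the check.

```javascript
// Added example (not from the Auth0 article): a Post Login Action that refuses
// users whose email_verified flag is still false. Because the Reset Password
// flow sets email_verified to true, a user who reset their password passes
// this check, which is exactly the behaviour the article explains.

// Pure decision helper so the policy can be unit-tested outside Auth0.
function shouldDenyLogin(user) {
  // Deny when the flag is missing or anything other than boolean true.
  return user.email_verified !== true;
}

// Auth0 Post Login Action entry point. `event.user.email_verified` and
// `api.access.deny(reason)` are part of the Actions API.
async function onExecutePostLogin(event, api) {
  if (shouldDenyLogin(event.user)) {
    api.access.deny('Please verify your email address before logging in.');
  }
}

// Minimal stand-in for the Actions `api` object so the policy can be exercised locally
// (hypothetical helper, not part of Auth0).
function makeFakeApi() {
  const calls = [];
  return { access: { deny: (reason) => calls.push(reason) }, calls };
}

// Constructed sample users (not real accounts).
const pendingUser = { email: 'pending@example.com', email_verified: false }; // verification still pending
const resetUser   = { email: 'reset@example.com',   email_verified: true };  // flag set by the Reset Password flow

// Runs both users through the Action and reports the outcome per user.
async function demo() {
  const results = {};
  for (const [name, user] of Object.entries({ pendingUser, resetUser })) {
    const api = makeFakeApi();
    await onExecutePostLogin({ user }, api);
    results[name] = api.calls.length === 0 ? 'allowed' : 'denied';
  }
  return results; // { pendingUser: 'denied', resetUser: 'allowed' }
}

if (typeof exports !== 'undefined') {
  // Auth0 loads the Action through this export name.
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

The gate is deliberately strict (`!== true`) so that a missing flag is treated as unverified. Note that it cannot distinguish an email verified through the Verify Email link from one verified by a password reset: the flag is the same in both cases, which is why the article says there is no way to keep a reset-password user from logging in on this basis alone.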