We have been featuring the Passwordless authentication on Wanderio apps for some months now, but many users struggle with the flow.
In particular, we see very high rates of “Wrong email or verification code” errors, which are encountered by up to 30% of users. We know this can be caused by expired links, but this is not the case as we have verified it happens also on brand-new links (and we have increased the expiration time of the links anyway).
I have attached a screenshot of what we typically see from the logs:
that is, users that request the link and then fail to exchange the code for the access_token.
We would like to know which are all the cases in which this error is triggered – as the description is very generic and, I have to say, it doesn’t help much.
I was having a very similar issue that started two days ago. I have an Angular2 web app using Universal Login with passwordless authentication and verification code. I’m pretty sure Auth0 made a change that affected the passwordless process. I found that my problem was that I wasn’t clearing the SSO Cookie but instead just passing the prompt=login option to the authenticate call. Instead I had to clear the SSO cookie by calling the logout endpoint and remove the prompt=login option in the authenticate call. If I don’t clear the SSO Cookie then when I called the universal login page it wouldn’t even show up but immediately send me the “no email or verification code” message.
Hi @tcarter, thank you for your reply. I am not sure it is our case, we just send the passwordless email by calling the passwordless/start API endpoint.
Also, the error message seems a bit different: you get “no email or verification code”, while we get “wrong email or verification code”.
Is there a way this topic can be brought to the attention of someone at Auth0? I am not asking to debug our issue, I am just asking for a better understanding of which situations can result in this error message.
I am having the same exact issue. I was told to switch to universal login (from embedded lock), but continue to have the same problem: error=unauthorized&error_description=Wrong%20email%20or%20verification%20code.
I think the issue is similar but not the same: it looks like the verification code is passed but is wrong, while in your case the code is not provided at all.
Sure! We received a few of those recently and are currently investigating and reproducing it trying to establish the reason. I’ll get back to you as soon as we have something to share!
Hi @konrad.sopala, do you have any updates on this? I have just asked if you could detail better which situations produce the Wrong email or verification code error.
I created an SPA using react and used npm auth0-lock for passwordless authorization. It’s working fine for my email Id, but it’s failing for the customer who is trying to login through our portal.
I am seeing the below logs in auth0 dashboard
I am having the same issue on iPhone. It works for some people and doesn’t work for others. It might have to do with what browser and email client they use. So far, 2 people who use the GMail app have the problem. Even if they copy the link to the same browser where they initiated the login. Any suggestions on how to debug it on an iPhone?
Ok, I think I’ve managed to find the problematic scenarios. Everything works fine if you use the standard iOS Email app and Safari browser (if it is your default browser). Everything also works fine if you use a GMail app and Chrome browser. However, if you try to use GMail and Safari then that combination doesn’t work if you just click on the link because the GMail app will try to open the link in a Safari browser window within the GMail app which runs in a different context (it will not have the auth0 cookies which were added when login was initiated) and therefore the login will fail. If you copy the link (without previewing it) and paste it in the Safari browser then the login works just fine. The problem is with copying - at least on my phone which has 3D touch. As soon as I click on the link, iOS will try to preview the page which in turn will use and disable the link (since it is OTP). So the workaround I used was to highlight the link as text and copy it like that and paste it in the browser and it worked. However, it is not a great experience for users. So I will be looking to update the email template for passwordless to change the link from a link to simple text so users can copy it like text without accidentally opening it.
This leads me to the next problem I had, which is updating the email template. It seems the template that is used is not the one under Authentication/Passwordless/Email - I’ve changed it and can see no effect. Does anyone know how to find and update the email template that is used to send the magic link? Thanks
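The failure scenarios described in the post above, as a toy model added here (not part of the original thread and not Auth0's implementation). It assumes the one-time code is tied to a cookie set in the browser that started the login and that any request to the link consumes the code; `MagicLinkServer`, `login_state` and the outcome labels are hypothetical names.

```python
import secrets


class MagicLinkServer:
    """Toy model: a one-time code tied to the browser that started the login."""

    def __init__(self):
        self._pending = {}  # code -> state value set as a cookie at login start

    def start(self, browser):
        state = secrets.token_hex(8)
        browser["login_state"] = state         # cookie lives only in this browser
        code = secrets.token_urlsafe(16)
        self._pending[code] = state
        return code                            # delivered by email as the link

    def open_link(self, code, browser):
        state = self._pending.pop(code, None)  # any request consumes the code
        if state is None:
            return "code_already_used"
        if browser.get("login_state") != state:
            return "no_matching_cookie"
        return "ok"


def run_scenarios():
    results = {}

    # 1. Link opened in the same browser that started the login.
    server, safari = MagicLinkServer(), {}
    results["same_browser"] = server.open_link(server.start(safari), safari)

    # 2. Link opened in an in-app browser window with its own, empty cookie jar.
    server, safari, in_app = MagicLinkServer(), {}, {}
    results["in_app_browser"] = server.open_link(server.start(safari), in_app)

    # 3. A link preview fetches the URL first, then the user opens it in Safari.
    server, safari, preview = MagicLinkServer(), {}, {}
    code = server.start(safari)
    server.open_link(code, preview)
    results["after_preview"] = server.open_link(code, safari)

    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```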
Hi @konrad.sopala, I’m now running into a different problem which is that the email app converts every text that looks like a link into a hyperlink. I think it is possible to trick it by adding extra spaces or extra tags (e.g. http:< span >//{url}</ span>), however I think we only get access to {{link}} in the email template? Is that right? Or do we get more variables to play with? What would be useful is different parts of the link. Unless you know a better way of tricking the email client into not creating hyperlinks. Thanks