Choose Verification Method: Instead of only a verification link, consider implementing an OTP verification method or providing both options (choose verification method: Link or OTP).
- If the email fails to reach the user due to server issues or delays, the user cannot verify their account. With an OTP, a new code can be easily regenerated and sent again.
- Users are now more familiar with OTP-based workflows due to their widespread use in two-factor authentication systems.
- Links can be intercepted (e.g., through phishing or insecure email handling), whereas OTPs present a smaller attack surface.
- OTPs can be delivered via email, SMS, or even voice call, offering greater flexibility.
- Mobile users often find it easier to copy or remember a short OTP than to switch apps to open a link.
Recovery Options:
- A recovery email (backup email) is essential in case the user loses access to their primary email.
If Implementing OTP Verification:
- An SMS verification option can encourage users to provide valid phone numbers (e.g., the Twilio API supports SMS, WhatsApp, and other platforms for sending OTPs).
- Allow login using either an email or phone number (search users by email or phone) for greater flexibility.
- A recovery phone number would serve as an additional backup option.
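The issue above asks for OTP-based account verification with a regenerate-and-resend path and delivery over email, SMS or voice. The following is an added example of the server-side half of such a flow, not Keycloak's own code: `OtpVerifier`, the user id, and the policy constants (6 digits, 10 minute lifetime, 5 wrong guesses, 60 second resend cooldown) are all assumptions for illustration, and the store is in-memory. Only a salted hash of the code is kept, comparison is constant-time, a code is single-use, and a resend replaces the previous code so a delayed or lost message cannot later be used.

```python
"""Email/SMS OTP issue-and-verify flow for account verification.

Added example (not Keycloak code). Assumptions: a 6-digit numeric code,
10 minute lifetime, 5 wrong guesses before the code is burned, 60 second
resend cooldown, and in-memory storage; delivery (email, SMS, voice) is left
to the caller, which receives the plaintext code once from issue().
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6                 # assumed policy values, not Keycloak defaults
OTP_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5
RESEND_COOLDOWN_SECONDS = 60


@dataclass
class PendingCode:
    code_hash: bytes   # salted SHA-256 of the code; the plaintext is never stored
    salt: bytes
    issued_at: float
    attempts: int = 0


class OtpVerifier:
    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so tests can move time
        self._pending: dict[str, PendingCode] = {}

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id, replacing any earlier one.

        This is also the "resend" path: a lost or delayed message is handled by
        regenerating the code, so the old code stops working. The cooldown stops
        the endpoint being used to flood a victim's inbox or phone.
        """
        now = self._clock()
        prev = self._pending.get(user_id)
        if prev is not None and now - prev.issued_at < RESEND_COOLDOWN_SECONDS:
            raise ValueError("resend cooldown active; try again later")
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = PendingCode(self._digest(code, salt), salt, now)
        return code   # caller delivers this via email/SMS/voice

    def verify(self, user_id: str, submitted: str) -> bool:
        """Check a submitted code: single use, expires, limited guesses."""
        rec = self._pending.get(user_id)
        if rec is None:
            return False
        if self._clock() - rec.issued_at > OTP_TTL_SECONDS:
            del self._pending[user_id]          # expired
            return False
        rec.attempts += 1
        ok = hmac.compare_digest(self._digest(submitted, rec.salt), rec.code_hash)
        if ok or rec.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]          # consumed, or burned by guessing
        return ok


if __name__ == "__main__":
    v = OtpVerifier()
    user = "alice@example.com"              # constructed sample user
    code = v.issue(user)
    print("deliver this code out of band:", code)
    wrong = "000000" if code != "000000" else "111111"
    print("wrong guess accepted?", v.verify(user, wrong))
    print("correct code accepted?", v.verify(user, code))
    print("replay accepted?", v.verify(user, code))
```

The email-link and OTP paths can share this object: a link simply carries a longer random token through the same `issue`/`verify` logic, which is what makes offering both options cheap to support.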
Improving the Landing Page Experience:
- The current landing page (OpenID Connect discovery, Account, Admin, Documentation) is not user-friendly. Since the name suggests "Admin console," it should only be accessible to administrators. A login page would be a better default landing page.
- Instead of displaying a 404 error for `/auth`, redirect users to the login page.
Additional Recommendation:
- Add a default environment variable for phone country codes (e.g., `PHONE_COUNTRY=US` [alpha-2 format]).