Enhancing User Verification: OTP, Links, and Flexible Authentication Options #20

Open
icotd opened this issue Nov 29, 2024 · 0 comments

icotd commented Nov 29, 2024

  • Choose Verification Method: Instead of only a verification link, consider implementing an OTP verification method or providing both options (choose verification method: Link or OTP).

    • If the email fails to reach the user due to server issues or delays, the user cannot verify their account. With an OTP, a new code can be easily regenerated and sent again.
    • Users are now more familiar with OTP-based workflows due to their widespread use in two-factor authentication systems.
    • Links can be intercepted (e.g., through phishing or insecure email handling), whereas OTPs present a smaller attack surface.
    • OTPs can be delivered via email, SMS, or even voice call, offering greater flexibility.
    • Mobile users often find it easier to copy or remember a short OTP than to switch apps to open a link.
  • Recovery Options:

    • A recovery email (backup email) is essential in case the user loses access to their primary email.
  • If Implementing OTP Verification:

    • An SMS verification option can encourage users to provide valid phone numbers (e.g., Twilio API supports SMS, WhatsApp, and other platforms for sending OTPs).
    • Allow login using either an email or phone number (search users by email or phone) for greater flexibility.
    • A recovery phone number would serve as an additional backup option.
  • Improving the Landing Page Experience:

    • The current landing page (OpenID Connect discovery, Account, Admin, Documentation) is not user-friendly. Since the name suggests "Admin console," it should only be accessible to administrators. A login page would be a better default landing page.
    • Instead of displaying a 404 error for /auth, redirect users to the login page.
  • Additional Recommendation:

    • Add a default environment variable for phone country codes (e.g., PHONE_COUNTRY = US [alpha-2 format]).
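The OTP flow proposed above (issue a short code, allow it to be regenerated, verify it) has a few properties a verifier needs in practice: the code is stored only as a keyed hash, expires after a short TTL, is single-use, caps wrong guesses, and resends are throttled. The following is an added example illustrating that, not code from this project; the `OtpService` class, the pepper, the limits and the injectable clock are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL = 300          # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5       # wrong guesses before the code is discarded
RESEND_COOLDOWN = 30   # seconds before a fresh code may be issued


@dataclass
class OtpRecord:
    digest: bytes        # HMAC of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0
    issued_at: float = 0.0


class OtpService:
    def __init__(self, pepper: bytes, clock=time.time):
        self._pepper = pepper        # server-side secret; constructed for the example
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._store: dict[str, OtpRecord] = {}

    def _digest(self, user_id: str, code: str) -> bytes:
        # Bind the code to the user so a code leaked for one account cannot verify another.
        return hmac.new(self._pepper, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, digits: int = 6) -> str:
        now = self._clock()
        rec = self._store.get(user_id)
        if rec and now - rec.issued_at < RESEND_COOLDOWN:
            raise RuntimeError("resend too soon")   # throttle "send me a new code"
        code = "".join(secrets.choice("0123456789") for _ in range(digits))
        self._store[user_id] = OtpRecord(self._digest(user_id, code), now + OTP_TTL, 0, now)
        return code   # caller delivers it via email/SMS/voice; never write it to logs

    def verify(self, user_id: str, code: str) -> bool:
        rec = self._store.get(user_id)
        now = self._clock()
        if rec is None or now > rec.expires_at:
            self._store.pop(user_id, None)          # expired codes are dropped, not retried
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            self._store.pop(user_id, None)          # too many guesses: force a re-issue
            return False
        ok = hmac.compare_digest(rec.digest, self._digest(user_id, code))
        if ok:
            self._store.pop(user_id, None)          # single use
        return ok
```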