Verify User Emails
Authway uses e-mail addresses as the default username, so to ensure that users keep control over their accounts it is important to verify that each user is in control of the address. We recommend that e-mail verification is required. This is configured for the service by IRM (during initial configuration or added later).
The verification is done in one of two ways:
- If the user is invited, the invitation is sent to the user's e-mail address with a magic link. When the user clicks the link to create their account, the e-mail address is verified by the magic link. The magic link is valid for 3 days by default.
- If a verified e-mail address is required (by the service configuration) and the user's e-mail address is unverified, the user will be required to verify the address during sign-in. This is done by sending a six-digit time-based one-time password (TOTP) to their e-mail address. When the user enters the correct code, the e-mail address is verified and the user can continue. The code is valid for about 15 minutes.
The second option is very common after migrating users, or when the requirement to verify e-mail addresses is turned on after the service has been in use for a while. Invited users will always get their e-mail address verified through the invitation, even if verification is not required by the service.
It is also possible that the e-mail address is automatically verified by a trusted external sign-in, such as Microsoft Entra ID (Azure AD).
The requirement to verify the e-mail address can also be configured differently per organisation (tenant).
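One way a six-digit time-based code ends up valid for "about" a fixed period is that the verifier accepts the current time step plus a few earlier ones, so the lifetime depends on when in a step the code was issued. The sketch below is an added example and not Authway's implementation: the 300-second step, the two accepted past steps and the `derive_key` binding to user and address are assumptions. A real service would also limit attempts and reject a code once it has been used.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 300  # assumed time step, not an Authway setting
PAST_STEPS = 2      # assumed: the two previous steps are also accepted
DIGITS = 6          # the page states the code has six digits


def derive_key(server_secret: bytes, user_id: str, email: str) -> bytes:
    """Hypothetical helper: bind the code to one user and one address,
    so a code mailed to one address cannot verify a different one."""
    msg = f"email-verify|{user_id}|{email.lower()}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).digest()


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the step counter, then the
    RFC 4226 dynamic truncation down to DIGITS decimal digits."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(key: bytes, submitted: str, now: int) -> bool:
    """Accept the current step and PAST_STEPS earlier ones.
    Every candidate is compared in constant time and the loop never
    exits early, so timing does not reveal which step matched."""
    ok = False
    for back in range(PAST_STEPS + 1):
        expected = totp(key, now - back * STEP_SECONDS)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok
```

With these assumed values a code issued at the start of a step is accepted for 15 minutes and one issued at the end of a step for just over 10, which is why such a lifetime is only approximate.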