User Onboarding and Account Security
This page explains how end users create accounts, sign in, recover access, and keep their accounts secure.
What customers can do
- Register with email and password
- Register or sign in with supported OAuth providers
- Enable multi-factor authentication (MFA)
- Reset password by email link
- Keep sessions active across devices, then log out when needed
Recommended onboarding flow
```mermaid
flowchart TD
start[UserStartsRegistration] --> sendEmail[RequestVerificationEmail]
sendEmail --> emailLink[UserClicksMagicLink]
emailLink --> setPassword[SetPasswordAndCreateAccount]
setPassword --> autoLogin{AutoLoginEnabled}
autoLogin -->|Yes| activeSession[SignedInSession]
autoLogin -->|No| loginPage[GoToLogin]
activeSession --> mfaSetup[OptionalMfaSetup]
loginPage --> manualLogin[EmailOrOAuthLogin]
```
Registration
- User submits email (and optional referral code).
- System sends a time-limited link to that email.
- User opens the link, sets password, and completes account creation.
- If auto-login is enabled, the user lands in a live, signed-in session immediately.
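The registration steps above rely on the verification link being both time-limited and single-use (the same property that makes expired or already-used links unusable later on this page). The following is an added illustration, not code from this product: a hypothetical `MagicLinkService` that issues a random token, stores only its hash, and lets it be consumed exactly once before its TTL passes. Names, the 15-minute TTL and the `FakeClock` used to simulate time are assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class LinkRecord:
    email: str
    token_hash: str      # only the hash is stored; the raw token travels in the email link
    expires_at: float
    used: bool = False


class FakeClock:
    """Constructed stand-in for time.time() so expiry can be simulated offline."""

    def __init__(self, now: float = 1_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class MagicLinkService:
    """Hypothetical issuer/verifier for time-limited, single-use email links."""

    def __init__(self, ttl_seconds: int = 15 * 60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._records: dict[str, LinkRecord] = {}   # keyed by token hash

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh token for `email`; return the raw value to embed in the link."""
        token = secrets.token_urlsafe(32)          # 256 bits of randomness, unguessable
        digest = self._hash(token)
        self._records[digest] = LinkRecord(email, digest, self.clock() + self.ttl)
        return token

    def consume(self, token: str) -> tuple[bool, str]:
        """Verify a token from a clicked link. Returns (ok, email_or_reason).

        Order matters: the 'used' flag is checked before expiry so a replayed link
        is reported as reuse, and the flag is set only on a successful verification.
        """
        record = self._records.get(self._hash(token))
        if record is None:
            return False, "unknown"
        if record.used:
            return False, "already_used"
        if self.clock() > record.expires_at:
            return False, "expired"
        record.used = True
        return True, record.email


def demo() -> dict:
    """Walk through the success, replay and expiry cases on constructed input."""
    clock = FakeClock()
    svc = MagicLinkService(ttl_seconds=900, clock=clock)
    t1 = svc.issue("alice@example.com")       # constructed sample address
    first = svc.consume(t1)                   # valid on first click
    second = svc.consume(t1)                  # same link clicked again
    t2 = svc.issue("bob@example.com")
    clock.now += 901                          # advance past the 15-minute TTL
    late = svc.consume(t2)
    bogus = svc.consume("not-a-real-token")
    return {"first": first, "second": second, "late": late, "bogus": bogus}


if __name__ == "__main__":
    print(demo())
```

Storing the hash rather than the token means a read of the link table does not yield usable links, and marking the record used only after every check passes keeps a failed attempt from burning a legitimate link.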
Sign-in options
- Email + password
- OAuth provider login
- MFA challenge when enabled
For enterprise UX, provide clear fallbacks: “Try another login method” and “Reset password.”
Password reset
- User requests reset email.
- User opens time-limited link.
- User sets new password.
- Existing sessions are invalidated for security.
This is expected behavior and should be explained on the reset success screen.
Session behavior
- Access stays active for the lifetime of the access token and is extended through the refresh token.
- Users can refresh sessions and continue without a full re-login until the refresh token's lifetime ends.
- Security-sensitive changes may require the user to re-verify their identity.
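The password-reset and session sections above describe two rules that interact: sessions live on via refresh tokens until the refresh lifetime ends, yet every existing session must die when the password is reset. The block below is an added example, not this product's code, showing one way to get both: a hypothetical `SessionManager` that mints short-lived access tokens and rotating refresh tokens, and stamps each session with the user's password version so that bumping that version on reset invalidates every session at once. TTL values, token formats and the `FakeClock` are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user_id: str
    password_version: int       # snapshot of the user's password version at login time
    access_expires_at: float
    refresh_expires_at: float


class FakeClock:
    """Constructed stand-in for time.time() so token expiry can be simulated offline."""

    def __init__(self, now: float = 1_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class SessionManager:
    """Hypothetical access/refresh token lifecycle with revoke-all on password reset."""

    def __init__(self, access_ttl=900, refresh_ttl=7 * 24 * 3600, clock=time.time):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.clock = clock
        self._access: dict[str, Session] = {}
        self._refresh: dict[str, Session] = {}
        self._password_version: dict[str, int] = {}

    def _mint(self, session: Session) -> tuple[str, str]:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = session
        self._refresh[refresh] = session
        return access, refresh

    def _valid(self, session: Session, expires_at: float) -> bool:
        # A session is live only while unexpired AND minted under the current password.
        return (self.clock() <= expires_at
                and session.password_version == self._password_version[session.user_id])

    def login(self, user_id: str) -> tuple[str, str]:
        version = self._password_version.setdefault(user_id, 1)
        now = self.clock()
        return self._mint(Session(user_id, version, now + self.access_ttl, now + self.refresh_ttl))

    def authenticate(self, access_token: str) -> Optional[str]:
        """Return the user id for a live access token, else None."""
        s = self._access.get(access_token)
        return s.user_id if s and self._valid(s, s.access_expires_at) else None

    def refresh(self, refresh_token: str) -> Optional[tuple[str, str]]:
        """Rotate: the presented refresh token is consumed and a new pair is issued.
        The absolute refresh expiry is carried over, so the session cannot outlive it."""
        s = self._refresh.pop(refresh_token, None)
        if s is None or not self._valid(s, s.refresh_expires_at):
            return None
        now = self.clock()
        return self._mint(Session(s.user_id, s.password_version,
                                  now + self.access_ttl, s.refresh_expires_at))

    def reset_password(self, user_id: str) -> None:
        """Bump the password version; every session minted under the old version is dead."""
        self._password_version[user_id] = self._password_version.get(user_id, 1) + 1


def demo() -> dict:
    """Exercise expiry, rotation, replay of an old refresh token, and reset revocation."""
    clock = FakeClock(1_000.0)
    mgr = SessionManager(access_ttl=900, refresh_ttl=3600, clock=clock)
    access, refresh = mgr.login("u-42")                 # constructed user id
    result = {"fresh": mgr.authenticate(access)}
    clock.now += 901                                    # access token has expired
    result["expired_access"] = mgr.authenticate(access)
    rotated = mgr.refresh(refresh)                      # still inside refresh lifetime
    result["refreshed"] = rotated is not None
    result["old_refresh_reused"] = mgr.refresh(refresh) # consumed token is rejected
    new_access, _ = rotated
    result["after_refresh"] = mgr.authenticate(new_access)
    mgr.reset_password("u-42")
    result["after_reset"] = mgr.authenticate(new_access)
    result["new_login"] = mgr.authenticate(mgr.login("u-42")[0])
    return result


if __name__ == "__main__":
    print(demo())
```

Keying validity on a per-user password version avoids having to enumerate and delete every token at reset time, which is what makes "existing sessions are invalidated" reliable even for tokens issued on devices the server has not seen since.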
What customers cannot do
- Use expired or already-used email links
- Keep old sessions alive after a successful password reset
- Remove their last remaining login method (at least one method must remain)
- Bypass MFA once it is required for their account actions