Skip to main content
Docs
Dashboard

Sign-up and sign-in options

Clerk provides multiple options for configuring a sign-up and sign-in flow for your application, such as identifiers and sign-in options. This guide will walk you through each option.

You can modify your authentication options after your application has been created by navigating to the Clerk Dashboard and selecting any of the options under User & Authentication in the left sidenav.

User profile & sign-up

Identifiers

Identifiers are how your application recognizes an individual user. The following identifiers are available:

  • Email address
  • Phone number
    • SMS authentication is a premium feature and not available on the Free plan. Upgrade your plan to enable this feature.
    • SMS functionality is restricted to phone numbers from countries enabled on your SMS allowlist.
  • Username
  • First and last name

For more information on configuring identifiers, navigate to the Email, phone, username page in the Clerk Dashboard.

Sign-in options

To configure the options available to users for signing in, navigate to the Email, phone, username page in the Clerk Dashboard and select the Sign-in options tab.

The easiest way to allow your users to create and manage their sign-in options is to use the prebuilt <UserProfile> component. If you're building a custom user interface using the Clerk API, refer to the custom flow guides.

The following sign-in options are available:

Email verification code

When Email verification code is enabled, users receive a one-time code to their email address to sign in.

Warning

Expo does not support email links. You can request this feature on Clerk's roadmap.

When Email verification link is enabled, users receive an email with a link to sign in.

As a security measure, email links expire after 10 minutes to prevent the use of compromised or stale links.

Require the same device and browser

By default, the Require the same device and browser setting is enabled. This means that email links are required to be verified from the same device and browser on which the sign-up or sign-in was initiated. For example:

  • A user tries to sign in from their desktop browser.
  • They open the email link on their mobile phone to verify their email address.
  • The user's sign-in on the desktop browser gets an error, because the link was verified on a different device and browser.

Phone number (SMS verification code)

When Phone number (SMS verification code) is enabled, users receive a one-time code to their phone number to sign in.

SMS authentication is a premium feature and not available on the Free plan. Upgrade your plan to enable this feature.

SMS functionality is restricted to phone numbers from countries enabled on your SMS allowlist.

SMS allowlist

SMS functionality, including SMS OTPs, is restricted to phone numbers from countries that are enabled on your SMS allowlist. This can be useful for avoiding extraneous SMS fees from countries from which your app is not expected to attract traffic.

Every instance starts off with a default set of enabled SMS country tiers. To tailor it to your needs:

  1. In the Clerk Dashboard, navigate to the SMS page.
  2. Select the Settings tab.
  3. Enable or disable countries as needed.

If a country is disabled, then phone numbers starting with the corresponding country calling code:

  • Cannot receive OTPs and a request to receive an OTP will be rejected with an error
  • Cannot receive notifications for password or passkey modifications
  • Cannot be used upon sign-up
  • Cannot be added to an existing user profile

Password

When Password is enabled, users provide a password to sign in.

Disabling Password will only affect new users. Existing users will still be able to sign in with their existing password.

Passkeys

A passkey is a type of sign-in credential that requires one user action, but uses two authentication factors:

  1. A pin number or biometric data
  2. A physical device

Users can only create passkeys after signing up, so you'll need to enable another authentication strategy for the sign-up process. After signing in, users can create a passkey.

Passkey limitations

  • Passkeys are not currently available as an MFA option.
  • Not all devices and browsers are compatible with passkeys. Passkeys are built on WebAuthn technology and you should check the Browser Compatibility docs for an up-to-date list.
  • Passkey related APIs will not work with Expo.
  • Your users can have a max of 10 passkeys per account.

Domain restrictions for passkeys in development

Passkeys are tied to the domain they are created on and cannot be used across different domains. For example:

  • Passkeys created on localhost will only work on localhost.
  • Passkeys created on your Account Portal (e.g., your-app.accounts.dev) will only work on that domain.

To work around this in development, you can either:

  • Use Clerk's Components, Elements, or custom flows, instead of using Account Portal.
  • Create the passkey directly through Account Portal instead of your local application.

This issue does not affect production environments, as your Account Portal will be hosted on a subdomain of your main domain (e.g., accounts.your-domain.com), enabling passkeys to work seamlessly across your application.

Social connections (OAuth)

Clerk offers several social providers for use during sign-up and sign-in. This authentication option is appealing because users often don't need to enter additional contact information since the provider already has it.

Clerk's OAuth process is designed to be seamless. If an existing user attempts to sign up with a social provider, the system automatically switches to sign-in. Similarly, if a user tries to sign in with a social provider but doesn't have an account, Clerk will automatically create one.

Users can link multiple social providers to their account, depending on your application's setup. You can configure your application to use the Account Portal User Profile page, the prebuilt <UserProfile /> component, or build your own custom user interface using the Clerk API..

To enable social connections:

  1. In the Clerk Dashboard, navigate to the SSO connections page.
  2. Select the Add connection button, and select For all users.
  3. For development instances, simply select the social providers that you would like to enable. For production instances, you'll need to configure credentials for each social provider. See the social provider's dedicated guide to learn how to configure credentials.

Web3 authentication

Clerk provides Web3 authentication with either MetaMask, Coinbase Wallet, or OKX Wallet. As part of validating the accuracy of the returned Web3 account address, Clerk handles the signing of a message and verifying the signature. Because sign-in with Web3 uses the same abstraction as our other authentication factors, like passwords or email links, other Clerk features like multi-factor authentication and profile enrichment work for Web3 users out-of-the-box.

To enable Web3 authentication:

  1. In the Clerk Dashboard, navigate to the Web3 page.
  2. Enable your preferred Web3 provider.

Multi-factor authentication

Clerk supports multi-factor authentication (MFA), also known as two-factor authentication (2FA). If a user enables MFA for their account, they are required to complete a second verification step during sign-in. This enhances security by enforcing two different types of verification. Many websites offer this as an optional step, giving users control over their own security.

MFA is not available on the new application screen, but it can be enabled in the Clerk Dashboard.

  1. In the Clerk Dashboard, navigate to the Multi-factor page.
  2. Toggle on the MFA strategies you would like to enable.

The following MFA strategies are currently available:

  • SMS verification code
  • Authenticator application (also known as TOTP - Time-based One-time Password)
  • Backup codes

Enabling MFA allows users of your app to turn it on for their own accounts through their User Profile page. Enabling MFA does not automatically turn on MFA for all users.

If you're building a custom user interface instead of using the Account Portal or prebuilt components, you can use elements or the Clerk API to build a custom sign-in flow that allows users to sign in with MFA.

Reset a user's MFA

You can reset a user's MFA by deleting their MFA enrollments. This will remove all of their MFA methods and they will have to enroll in MFA again.

To reset a user's MFA:

  1. At the top of the Clerk Dashboard, select Users.
  2. Select the user from the list.
  3. Select the Reset MFA enrollments button.

Restrictions

Clerk provides a set of restriction options designed to provide you with enhanced control over who can gain access to your application. Restrictions can limit sign-ups or prevent accounts with specific identifiers, such as email addresses, phone numbers, and even entire domains, from accessing your application. Learn more about restrictions.

Feedback

What did you think of this content?
Edit this page on GitHub

Last updated on

OSZAR »