Sign-up and sign-in options
Clerk provides various options for setting up a sign-up and sign-in flow. When a new application is created, you will be presented with the following application configuration screen:
You can always make changes to your sign-up and sign-in options after your application has been created by visiting the Clerk Dashboard(opens in a new tab) and selecting the User & Authentication dropdown in the navigation sidebar.
In addition to the application name set for your instance, there will be standard authentication options to choose from: identifiers, authentication strategies, verification methods, social login providers, Web3 authentication, multi-factor authentication, and sign-up restrictions. This guide will walk you through each of these options.
Identifiers
Identifiers are how your application recognizes an individual user. Clerk offers three primary identifiers to choose from:
- Email address
- Phone number
- Username
From the application configuration screen, you can select multiple identifiers if you like, but at least one is required to continue.
Email address is the most common primary identifier. During the sign-up process, a user must supply and verify their email address. They must keep an email address on their account at all times. However, the email address that was used for registration can be later changed from the user's profile page.
When phone number is selected as the identifier, a user will sign up with their phone number and receive an SMS text message with a code to verify their phone number. (Note: SMS authentication is a premium feature and is not available on the Free plan. Upgrade your plan(opens in a new tab) to enable this feature.)
Choosing username as the identifier enables users to sign up without requiring personal contact information. A username should be from 4 to 64 characters in length and can contain alphanumeric characters, underscores (_), and dashes (-).
If you opt not to collect any contact information, you could choose Username and later turn it off in settings and only authenticate with an OAuth social provider.
To update your identifiers after your application has been created:
- Navigate to the Clerk Dashboard(opens in a new tab) and select your application.
- In the navigation sidebar, select User & Authentication > Email, Phone, Username.
- In the Contact information section, you can select Email address and Phone number as identifiers. In the Username section, you can select Username as an identifier.
Authentication strategies
Authentication strategies are the methods that users can use to sign up and sign in to your application.
Clerk offers two kinds of authentication strategies: password and passwordless.
Choosing the password strategy requires users to set a password during the sign up process. Clerk offers out of the box protection against weak and compromised passwords and the only requirement enforced is that the password be a miminum of 8 characters. (Note: passwordless authentication is still available to users even if password strategy is selected.)
There are two types of passwordless authentication strategies:
- One-time password (OTP)
- Email link
To configure authentication strategies:
- Navigate to the Clerk Dashboard(opens in a new tab) and select your application.
- In the navigation sidebar, select User & Authentication > Email, Phone, Username.
- In the Authentication strategies section, toggle on the authentication strategies you would like to enable.
One-time password (OTP)
When one of the OTP options are selected as an authentication strategy, users will receive a one-time code that they can use to complete the authentication process. The benefit of one-time codes is that they are more secure than passwords and can be used to verify a user's identity without needing to store a password in your database.
There are two one-time password (OTP), or one-time code, strategies to choose from:
- Email verification code
- SMS verification code
When email address is chosen as the identifier, Email verification code is set as the default authentication option.
(Note: SMS authentication is a premium feature and is not available on the Free plan. Upgrade your plan(opens in a new tab) to enable this feature.)
Email link
When the Email verification link option is selected as an authentication strategy, users will receive an email message with a link that can be visited in order to complete the authentication process. Email links can be used to sign up new users, sign in existing ones, or allow existing users to verify newly entered email addresses to their profile. Email links work on any device. There's no constraint on where the link will be opened. For example, a user might try to sign in from their desktop browser, but open the link from their mobile phone.
Verification methods
Verification methods are the methods that users can use to verify their identifier during the sign-up process, or to verify a new identifier that they add to their profile.
Clerk offers three verification methods:
- Email verification link
- Email verification code
- SMS verification code
Each of these verification methods work in the same way as their authentication strategy counterparts, but are used to verify a user's identifier rather than authenticate a user. For example, when a user adds an email address to their profile, they can receive an Email verification link or Email verification code to verify the new email address.
To configure verification methods:
- Navigate to the Clerk Dashboard(opens in a new tab) and select your application.
- In the navigation sidebar, select User & Authentication > Email, Phone, Username.
- Select the settings cog icon next to the identifier, such as Email address or Phone number, to open the configuration settings.
- Under the Verification methods section, toggle on the verification methods you would like to enable.
- Select Continue to save your changes.
Social connections (OAuth)
Clerk offers a number of social login providers that can be used during sign up and sign in. What makes this authentication option appealing is that users often won't need to enter additional contact information since the provider already has it.
Clerk has designed the social login process to be as seamless as possible. If an existing user tries to sign up with a social provider, the social login process is smart enough to automatically convert the sign up process into a sign in flow. The reverse is also true: if a user signs in with a social provider, but doesn't have an account yet, Clerk will automatically create one for them.
Users are also able to link multiple social providers to their account depending on how you have set up your application. You can set up your application to use the Account Portal User Profile page, the prebuilt <UserProfile />
component, or you can build your own custom user interface using the Clerk API.
To enable social connections:
- Navigate to the Clerk Dashboard(opens in a new tab) and select your application.
- In the navigation sidebar, select User & Authentication > Social connections.
- For development instances, you can simply toggle on the social providers you would like to enable. For production instances, you will need to configure credentials for each social provider. Don't worry, there are detailed guides for each social provider to help you through the process.
Web3 authentication
Clerk provides Web3 authentication as an option with MetaMask. As part of validating the accuracy of the returned Web3 account address, Clerk handles the signing of a transaction and verifying the signature. Because sign-in with MetaMask uses the same abstraction as our other authentication factors, like passwords or email links, other Clerk features like multi-factor authentication and profile enrichment work for MetaMask users out-of-the-box.
To enable Web3 authentication:
- Navigate to the Clerk Dashboard(opens in a new tab) and select your application.
- In the navigation sidebar, select User & Authentication > Social connections.
- Toggle on the Web3 provider. Currently, Clerk supports MetaMask.
Set up multi-factor authentication
Clerk supports multi-factor authentication (MFA), often referred to as two-factor authentication or 2FA. By enabling MFA, you can encourage or require your users to perform a second verification check during sign-in. By enforcing two different types of verifications, you can drastically improve your user's security. Most websites make this step optional, empowering their users with their own security.
Although not available as an option in the initial new application screen, you can opt to turn on multi-factor authentication (MFA) in the Clerk Dashboard.
- Navigate to the Clerk Dashboard(opens in a new tab) and select your application.
- In the navigation sidebar, select User & Authentication > Multi-factor.
- Toggle on the MFA strategies you would like to enable.
Clerk currently offers the following MFA strategies:
- SMS verification code
- Authenticator application (also known as TOTP - Time-based One-time Password)
- Backup codes
Once MFA is turned on, registered users can turn on MFA for their own account through their User Profile page. However, if you are building a custom user interface, you can build a custom multi-factor sign-in flow that allows users to sign in with MFA.
Sign-up restrictions
Clerk provides a set of restriction options designed to provide you with enhanced control over who can gain access to your application. Through these restriction settings, you can limit sign-ups or prevent accounts with specific identifiers from accessing your application. These identifiers can be email addresses, phone numbers, and even entire domains. Learn more about restrictions in our detailed guide.
Authentication examples
Lets take a look at a few of the different authentication options and how they can be combined to fit your application's needs.
Allow only email address as an authentication option
Let's imagine that you want to your users to only sign up and sign in with their email via passwordless methods: by either clicking a link or entering a one-time code sent to their email.
Enable email address as an identifier
Ensure that only Email address is enabled as an identifier.
- Navigate to the Clerk Dashboard(opens in a new tab) and select your application.
- In the navigation sidebar, select User & Authentication > Email, Phone, Username.
- Toggle on the Email address option. (Make sure the Phone number option and any social connections are toggled off.)
- Select Save changes in the top right corner.
Users can now sign up and sign in with their email.
Configure email address authentication and verification settings
- Select the gear symbol next to Email address to open up the configuration settings. A modal titled Email address should open.
- Toggle on every toggle and check every box.
With all of these options enabled, users will be:
- required to provide an email address on sign-up
- allowed to sign-in with their email address
- able to verify their email with an email link or one-time code sent to their email
Allow users to sign in with an email link or one-time code
On this same page in the Clerk Dashboard, scroll down to the Authentication strategies section and toggle on Email verification link and Email verification code. This will allow users to sign in with either a link or a code sent to their email.
Finished!
Now, when a user signs up for your application, they will be required to provide an email address. Then, Clerk will send a verification email link or one-time code to the user's email address. After the user verifies their email, they will be able to sign in with an email link or a one-time code sent to their email.
Allow only phone number as an authentication option
Phone number identifiers and SMS verification are Premium features that are only available on some plans. However, you can use these features in development instances for testing purposes. For more information, navigate to the Clerk Dashboard and go to Plan & Billing(opens in a new tab) in the sidebar menu.
Let's imagine that your application is going to be exclusively used by people on their phones. You want to collect the user's phone number as the identifier, and you want the user to sign in to your app by entering a one-time code sent via SMS to the user's device.
Enable phone number as an identifier
Ensure that only Phone number is enabled as an identifier.
- Navigate to the Clerk Dashboard(opens in a new tab) and select your application.
- In the navigation sidebar, select User & Authentication > Email, Phone, Username.
- Toggle on the Phone number option. (Make sure the Email address option and any social connections are toggled off.)
- Select Save changes in the top right corner.
Users can now sign up and sign in with their phone number.
Configure phone number authentication and verification settings
- Select the gear symbol next to Email address to open up the configuration settings. A modal titled Email address should open.
- Toggle on every toggle and check every box.
Because in this example, your application is mobile-first, you should have all of these options toggled on. With all of these options enabled, users will be:
- required to provide a phone number on sign-up
- allowed to sign-in with their phonen number
- able to verify their phone number with a code sent to their phone
Allow users to sign in with an SMS code
On the same page in the Clerk Dashboard, scroll down to the Authentication strategies section and toggle on SMS verification code. This will allow users to sign in with a code sent to their phone.
Finished!
Now, when a user signs up for your application, they will be required to provide a phone number. Then, Clerk will send a verification code to the user's phone number. After the user verifies their phone number, they will be able to sign in with a code sent to their phone.
Allow only social connections and Web3 as authentication options
Let's imagine that you want your users to sign up and sign in only with social connections or with a Web3 account.
Disable email and password as sign-in options
Users won't need an email or password, so you can turn those off.
- Navigate to the Clerk Dashboard(opens in a new tab) and select your application.
- In the navigation sidebar, select User & Authentication > Email, Phone, Username.
- Toggle off the Email address and Phone number options.
- Select Save changes in the top right corner.
Enable social connections as authentication options
- Navigate to the Clerk Dashboard(opens in a new tab) and select your application.
- In the navigation sidebar, select User & Authentication > Social connections.
- Toggle on social providers that will be used to authenticate your users, such as GitHub or Google.
Enable Web3 as a sign-in option
- Navigate to the Clerk Dashboard(opens in a new tab) and select your application.
- In the navigation sidebar, select User & Authentication > Web3.
- Toggle on the Web3 provider. Currently, Clerk supports MetaMask.
Finished!
Now, when a user signs up or signs in to your application, users can do so with the social provider(s) you selected, or with Metamask.
Last updated on April 3, 2024