Can't crack the "resend confirmation email" enigma!


Hello folks,

To make it short: I’m designing a new onboarding process for a financial service. The onboarding requires quite a lot of steps to reach the dashboard. I think we’ve done quite a good job so far in not making it overwhelming.

The problem is that if, for some reason, at the end of the process the person hasn’t received the email verification, then we’d need to make that person do the whole onboarding again? I don’t feel like providing that person’s details (such as date of birth or other) to check if that person really is the person they claim to be; I don’t think this method is very secure.

  1. Don’t want the person to verify email at the beginning of onboarding, to prevent distraction
  2. Would like to have the verify email step right before logging in to the app

Any suggestions?

Thanks in advance!


I’m not sure why someone would have to onboard again? Other systems I’ve worked on create the account but set a flag next to it: email verified - yes/no.

When the user logs in, the flag is checked. If the value is no, there are various things you can do:

  1. Block access to the service
    ‘You can’t log in because your email address has not been verified. Please verify it now.’

  2. Give access to the service X times before you block
    ‘Your email address has not been verified. You can access this service X more times before you have to verify your address’

  3. Give access to the service but limit its features
    ‘Your email address has not been verified. You can access this service but only [do A, B and C]. You can’t [do X, Y and Z] until you verify your address.’

  4. Give access to the service and just display a reminder message
    ‘Your email address has not been verified. Please verify it now.’

All of the above should provide links to resend the verification email and get further help.

One thing to be aware of is that email verification does not verify identity. It just verifies that person X entered their email address correctly and actually owns that address. Email verification is most important for services that:

  • are likely to attract lots of false registrations from bots and spammers
  • need to send confidential messages to their customers by email
  • provide password reset links by email

These services usually require email verification very early in the account setup process.

The question for your service is how critical is it that you’ve got a correct, validated email address before you allow access? That’s what email verification guarantees.
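
The flag-plus-resend flow described in the answer above, as an added example that is not part of the original posts: the account keeps an `email_verified` flag, the login gate applies one of the four options, and a resent link carries a token bound to the account and the address on file, so nobody has to repeat onboarding or supply personal details. All names, the HMAC-signed token format, the 24-hour expiry and the grace count of 3 are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret, kept server-side
TOKEN_TTL = 24 * 3600             # assumption: links expire after 24 hours
GRACE_LOGINS = 3                  # the "X times" in option 2 (value assumed)

@dataclass
class Account:
    user_id: str
    email: str
    email_verified: bool = False
    unverified_logins: int = 0

def _sign(acct, exp):
    msg = f"{acct.user_id}|{acct.email}|{exp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(acct, now=None):
    """Value for a (re)sent verification link, bound to account id + address."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    return f"{exp}.{_sign(acct, exp)}"

def verify_token(acct, token, now=None):
    """Set the flag only if the token is unexpired and matches this account."""
    try:
        exp_s, sig = token.split(".", 1)
        exp = int(exp_s)
    except ValueError:
        return False
    now = now if now is not None else time.time()
    if now > exp or not hmac.compare_digest(sig.encode(), _sign(acct, exp).encode()):
        return False
    acct.email_verified = True
    return True

def login_gate(acct, policy):
    """Decision after successful authentication, per the four options above."""
    if acct.email_verified:
        return "full"
    if policy == "block":            # option 1
        return "blocked"
    if policy == "grace":            # option 2
        acct.unverified_logins += 1
        return "full" if acct.unverified_logins <= GRACE_LOGINS else "blocked"
    if policy == "limited":          # option 3
        return "limited"
    return "full_with_reminder"      # option 4
```

Because the token covers the email address, correcting a mistyped address and resending invalidates any link sent to the old one.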


@michael_h thanks a lot for your complete and structured answer! 🙂 It all makes sense!
