I’m not sure why someone would have to onboard again? Other systems I’ve worked on create the account but set a flag next to it: email verified - yes/no.
When the user logs in, the flag is checked. If the value is no, there are various things you can do:
- Block access to the service: ‘You can’t log in because your email address has not been verified. Please verify it now.’
- Give access to the service X times before you block: ‘Your email address has not been verified. You can access this service X more times before you have to verify your address’
- Give access to the service but limit its features: ‘Your email address has not been verified. You can access this service but only [do A, B and C]. You can’t [do X, Y and Z] until you verify your address.’
- Give access to the service and just display a reminder message: ‘Your email address has not been verified. Please verify it now.’
All of the above should provide links to resend the verification email and get further help.
One thing to be aware of is that email verification does not verify identity. It just verifies that person X entered their email address correctly and actually owns that address. Email verification is most important for services that:
- are likely to attract lots of false registrations from bots and spammers
- need to send confidential messages to their customers by email
- provide password reset links by email
These services usually require email verification very early in the account setup process.
The question for your service is how critical is it that you’ve got a correct, validated email address before you allow access? That’s what email verification guarantees.
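The login-time flag check and the four options described in the post above, as an added example that is not part of the original post. The names `Account`, `Policy`, `Decision`, `on_login`, the `unverified_logins` counter and the feature labels are hypothetical, and the function is assumed to run only after the password check has already succeeded.

```python
from dataclasses import dataclass
from enum import Enum

class Policy(Enum):
    BLOCK = "block"        # no access until verified
    GRACE = "grace"        # allow X logins, then block
    LIMITED = "limited"    # allow, but restrict features
    REMINDER = "reminder"  # allow, show a reminder only

@dataclass
class Account:
    email: str
    email_verified: bool = False   # the "email verified - yes/no" flag
    unverified_logins: int = 0     # hypothetical counter used by GRACE

@dataclass
class Decision:
    allowed: bool
    features: frozenset
    message: str = ""
    offer_resend: bool = False     # show resend-verification and help links

ALL = frozenset({"A", "B", "C", "X", "Y", "Z"})  # placeholder feature names
LIMITED_SET = frozenset({"A", "B", "C"})
NOT_VERIFIED = "Your email address has not been verified. "
VERIFY_NOW = NOT_VERIFIED + "Please verify it now."

def on_login(acct: Account, policy: Policy, grace_limit: int = 3) -> Decision:
    """Decide what an authenticated session may do, based on the flag."""
    if acct.email_verified:
        return Decision(True, ALL)
    if policy is Policy.BLOCK:
        return Decision(False, frozenset(), VERIFY_NOW, True)
    if policy is Policy.GRACE:
        if acct.unverified_logins >= grace_limit:
            return Decision(False, frozenset(), VERIFY_NOW, True)
        acct.unverified_logins += 1   # caller must persist the counter
        left = grace_limit - acct.unverified_logins
        msg = NOT_VERIFIED + (f"You can access this service {left} more "
                              "times before you have to verify your address.")
        return Decision(True, ALL, msg, True)
    if policy is Policy.LIMITED:
        msg = NOT_VERIFIED + "You can only do A, B and C until you verify it."
        return Decision(True, LIMITED_SET, msg, True)
    return Decision(True, ALL, VERIFY_NOW, True)  # REMINDER
```

Every unverified branch sets `offer_resend`, matching the point that all options should link to resending the verification email and getting help.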