Sign-up and sign-in options

Clerk provides various options for setting up a sign-up and sign-in flow for your application, such as identifiers and authentication strategies. This guide will walk you through each of these options.

You can always make changes to your authentication options after your application has been created by visiting the Clerk Dashboard and selecting the User & Authentication dropdown in the navigation sidebar.

Identifiers

Identifiers are how your application recognizes an individual user. Clerk offers three primary identifiers to choose from:

• Email address
• Phone number
• Username

From the application configuration screen, you can select multiple identifiers if you like, but at least one is required to continue.

Email address is the most common primary identifier. During the sign-up process, a user must supply and verify their email address. They must keep an email address on their account at all times. However, the email address that was used for registration can be later changed from the user's profile page.

When phone number is selected as the identifier, a user will sign up with their phone number and receive an SMS text message with a code to verify their phone number. SMS functionality is restricted to phone numbers from countries that are enabled on your SMS allowlist.

Choosing username as the identifier enables users to sign up without requiring personal contact information. A username should be from 4 to 64 characters in length and can contain alphanumeric characters, underscores (_), and dashes (-).

To update your identifiers after your application has been created:

1. Navigate to the Clerk Dashboard and select your application.
2. In the navigation sidebar, select User & Authentication > Email, Phone, Username.
3. In the Contact information section, you can select Email address and Phone number as identifiers. In the Username section, you can select Username as an identifier.

Authentication strategies

Authentication strategies are the methods that users can use to sign up and sign in to your application.

Clerk offers two kinds of authentication strategies: password and passwordless.

Choosing the password strategy requires users to set a password during the sign up process. Clerk offers out of the box protection against weak and compromised passwords and the only requirement enforced is that the password be a miminum of 8 characters. (Note: passwordless authentication is still available to users even if password strategy is selected.)

Choosing a passwordless strategy provides users with a more secure way to sign up and sign in to your application. They are also more convenient than passwords because they don't require users to remember a complex string of characters.

Passwordless authentication strategies include:

• Passkeys
• One-time password (OTP)
• Email link

To configure authentication strategies:

1. Navigate to the Clerk Dashboard and select your application.
2. In the navigation sidebar, select User & Authentication > Email, Phone, Username.
3. In the Authentication strategies section, toggle on the authentication strategies you would like to enable.

Passkeys

A passkey is a type of sign-in credential that requires one user action, but uses two authentication factors:

1. A pin number or biometric data
2. A physical device

Because passkeys use two authentication factors, they are the most secure passwordless authentication strategy.

Users can only create passkeys after they have signed up, which means you will need to enable another authentication strategy for the sign-up process. Once a user is signed in, they can create a passkey.

Manage user passkeys

The easiest way to allow your users to create and manage their passkeys is to use the prebuilt <UserProfile> component, which includes passkey management in the Security tab.

If you are building a custom user interface, check out the passkeys custom flow guide to learn how to build a custom passkey management flow using Clerk's API.

Passkey limitations

• Passkeys are not currently available as an MFA option.
• Not all devices and browsers are compatible with passkeys. Passkeys are built on WebAuthn technology and you should check the Browser Compatibility docs for an up-to-date list.
• Passkey related APIs will not work with Expo.
• Your users can have a max of 10 passkeys per account.

Passkey behavior in development

Passkeys are associated with the domain they are created on, and cannot be used across domains.

For example, a passkey created in localhost will be associated with the localhost domain, and therefore, will not work with your app's hosted Account Portal or sign-in pages.

This will not be a problem for production instances, since the production Account Portal is a subdomain of your production app's domain.

One-time password (OTP)

When one of the OTP options are selected as an authentication strategy, users will receive a one-time code that they can use to complete the authentication process. The benefit of one-time codes is that they are more secure than passwords and can be used to verify a user's identity without needing to store a password in your database.

There are two one-time password (OTP), or one-time code, strategies to choose from:

• Email verification code
• SMS verification code

When email address is chosen as the identifier, Email verification code is set as the default authentication option.

SMS allowlist

SMS functionality, including SMS OTPs, is restricted to phone numbers from countries that are enabled on your SMS allowlist. This can be useful for avoiding extraneous SMS fees from countries from which your app is not expected to attract traffic.

Every instance starts off with a default set of enabled SMS country tiers. To tailor it to your needs:

1. Navigate to the Clerk Dashboard.
2. In the navigation sidebar, select Customization > SMS.
3. Select the Settings tab.
4. Enable or disable countries as needed.

If a country is disabled, then phone numbers starting with the corresponding country calling code:

• Cannot receive OTPs and a request to receive an OTP will be rejected with an error
• Cannot receive notifications for password or passkey modifications
• Cannot be used upon sign-up
• Cannot be added to an existing user profile

Email link

When the Email verification link option is selected as an authentication strategy, users will receive an email message with a link that can be visited in order to complete the authentication process. Email links can be used to sign up new users, sign in existing ones, or allow existing users to verify newly entered email addresses to their profile. Email links work on any device. There's no constraint on where the link will be opened. For example, a user might try to sign in from their desktop browser, but open the link from their mobile phone.

Verification methods

Verification methods are the methods that users can use to verify their identifier during the sign-up process, or to verify a new identifier that they add to their profile.

Clerk offers three verification methods:

• Email verification link
• Email verification code
• SMS verification code

Each of these verification methods work in the same way as their authentication strategy counterparts, but are used to verify a user's identifier rather than authenticate a user. For example, when a user adds an email address to their profile, they can receive an Email verification link or Email verification code to verify the new email address.

To configure verification methods:

1. Navigate to the Clerk Dashboard and select your application.
2. In the navigation sidebar, select User & Authentication > Email, Phone, Username.
3. Select the settings cog icon next to the identifier, such as Email address or Phone number, to open the configuration settings.
4. Under the Verification methods section, toggle on the verification methods you would like to enable.
5. Select Continue to save your changes.

Social connections (OAuth)

Clerk offers a number of social login providers that can be used during sign up and sign in. What makes this authentication option appealing is that users often won't need to enter additional contact information since the provider already has it.

Clerk has designed the social login process to be as seamless as possible. If an existing user tries to sign up with a social provider, the social login process is smart enough to automatically convert the sign up process into a sign in flow. The reverse is also true: if a user signs in with a social provider, but doesn't have an account yet, Clerk will automatically create one for them.

Users are also able to link multiple social providers to their account depending on how you have set up your application. You can set up your application to use the Account Portal User Profile page, the prebuilt <UserProfile /> component, or you can build your own custom user interface using the Clerk API.

To enable social connections:

1. Navigate to the Clerk Dashboard and select your application.
2. In the navigation sidebar, select User & Authentication > Social connections.
3. For development instances, you can simply toggle on the social providers you would like to enable. For production instances, you will need to configure credentials for each social provider. Don't worry, there are detailed guides for each social provider to help you through the process.

Web3 authentication

Clerk provides Web3 authentication as an option with MetaMask. As part of validating the accuracy of the returned Web3 account address, Clerk handles the signing of a transaction and verifying the signature. Because sign-in with MetaMask uses the same abstraction as our other authentication factors, like passwords or email links, other Clerk features like multi-factor authentication and profile enrichment work for MetaMask users out-of-the-box.

To enable Web3 authentication:

1. Navigate to the Clerk Dashboard and select your application.
2. In the navigation sidebar, select User & Authentication > Social connections.
3. Toggle on the Web3 provider. Currently, Clerk supports MetaMask.

Multi-factor authentication

Clerk supports multi-factor authentication (MFA), often referred to as two-factor authentication or 2FA. By enabling MFA, you can encourage your users to perform a second verification check during sign-in. By enforcing two different types of verifications, you can drastically improve your user's security. Most websites make this step optional, empowering their users with their own security.

Although not available as an option in the initial new application screen, you can opt to turn on multi-factor authentication (MFA) in the Clerk Dashboard.

1. Navigate to the Clerk Dashboard and select your application.
2. In the navigation sidebar, select User & Authentication > Multi-factor.
3. Toggle on the MFA strategies you would like to enable.

Clerk currently offers the following MFA strategies:

• SMS verification code
• Authenticator application (also known as TOTP - Time-based One-time Password)
• Backup codes

Enabling MFA allows users of your app to turn on MFA for their own account through their User Profile page. Enabling MFA does not automatically turn on MFA for all users.

If you are building a custom user interface instead of using Clerk's Account Portal or prebuilt components, you can use Clerk elements or use Clerk's API to build a custom sign-in flow that allows users to sign in with MFA.

Sign-up restrictions

Clerk provides a set of restriction options designed to provide you with enhanced control over who can gain access to your application. Through these restriction settings, you can limit sign-ups or prevent accounts with specific identifiers from accessing your application. These identifiers can be email addresses, phone numbers, and even entire domains. Learn more about restrictions in our detailed guide.