Docs

Sign-up and sign-in options

Clerk provides multiple options for configuring a sign-up and sign-in flow for your application, such as identifiers and authentication strategies. This guide will walk you through each option.

You can modify your authentication options after your application has been created by navigating to the Clerk Dashboard and selecting any of the options under User & Authentication.

Identifiers

Identifiers are how your application recognizes an individual user. There are three primary identifiers:

  • Email address
  • Phone number
  • Username

In the application configuration screen, you can select multiple identifiers, but at least one is required.

Email address is the most common primary identifier. When it is the only enabled identifier, users are required to supply an email address during sign-up and keep one on their account at all times. The email address that was supplied during sign-up can be later changed from the user's profile page.

When phone number is selected as the identifier, a user can sign up with their phone number and receive a code via SMS to verify it. SMS functionality is restricted to phone numbers from countries enabled on your SMS allowlist.

Note

SMS authentication is a premium feature and not available on the Free plan. Upgrade your plan to enable this feature.

Choosing username as the identifier enables users to sign up without requiring personal contact information. A username should be from 4 to 64 characters in length and can contain alphanumeric characters, underscores (_), and dashes (-).

Note

If you choose not to collect any contact information, you can enable Username authentication and later disable it in settings, opting to authenticate only with a social provider.

To update your identifiers after your application has been created:

  1. In the Clerk Dashboard, navigate to the Email, phone, username page.
  2. In the Contact information section, you can select Email address and Phone number as identifiers. In the Username section, you can select Username as an identifier.

Authentication strategies

Authentication strategies are methods that users can use to sign up and sign in to your application.

There are two kinds of authentication strategies: password and passwordless.

Choosing the password strategy requires users to set a password during the sign up process. Passwords are required to be at least 8 characters long, and have built-in protection against weak and compromised passwords.

Note

Passwordless authentication remains available to users, even if the password strategy is enabled.

The passwordless strategy provides a more secure and convenient sign-in method, as users don't need to remember complex passwords.

Passwordless authentication strategies include:

To configure authentication strategies:

  1. In the Clerk Dashboard, navigate to the Email, phone, username page.
  2. In the Authentication strategies section, toggle on the authentication strategies you would like to enable.

Passkeys

A passkey is a type of sign-in credential that requires one user action, but uses two authentication factors:

  1. A pin number or biometric data
  2. A physical device

Passkeys are the most secure passwordless strategy because they use two factors.

Users can only create passkeys after signing up, so you'll need to enable another authentication strategy for the sign-up process. After signing in, users can create a passkey.

Manage user passkeys

The easiest way to allow your users to create and manage their passkeys is to use the prebuilt <UserProfile> component, which includes passkey management in the Security tab.

If you're building a custom user interface, refer to the passkeys custom flow guide to learn how to create a custom passkey management flow using the Clerk API.

Passkey limitations

  • Passkeys are not currently available as an MFA option.
  • Not all devices and browsers are compatible with passkeys. Passkeys are built on WebAuthn technology and you should check the Browser Compatibility docs for an up-to-date list.
  • Passkey related APIs will not work with Expo.
  • Your users can have a max of 10 passkeys per account.

Passkey behavior in development

Passkeys are associated with the domain they are created on, and cannot be used across domains.

For example, a passkey created in localhost will be associated with the localhost domain, and therefore, will not work with your app's hosted Account Portal or sign-in pages.

This won't affect production instances, as the production Account Portal is a subdomain of your app's domain.

One-time password (OTP)

When one of the OTP options is selected as an authentication strategy, users receive a one-time code to complete the sign-in process. OTPs are more secure than passwords, as they allow user verification without storing passwords in your database.

There are two one-time password (OTP), or one-time code, strategies to choose from:

  • Email verification code
  • SMS verification code

When email address is chosen as the identifier, Email verification code is set as the default authentication option.

Note

SMS authentication is a premium feature and is not available on the Free plan. Upgrade your plan to enable this feature.

SMS allowlist

SMS functionality, including SMS OTPs, is restricted to phone numbers from countries that are enabled on your SMS allowlist. This can be useful for avoiding extraneous SMS fees from countries from which your app is not expected to attract traffic.

Every instance starts off with a default set of enabled SMS country tiers. To tailor it to your needs:

  1. In the Clerk Dashboard, navigate to the SMS page.
  2. Select the Settings tab.
  3. Enable or disable countries as needed.

If a country is disabled, then phone numbers starting with the corresponding country calling code:

  • Cannot receive OTPs and a request to receive an OTP will be rejected with an error
  • Cannot receive notifications for password or passkey modifications
  • Cannot be used upon sign-up
  • Cannot be added to an existing user profile

When the Email verification link option is selected as an authentication strategy, users receive an email with a link to complete the sign-in process. Email links can be used to sign up new users, sign in existing ones, or allow existing users to verify newly entered email addresses to their profile. Email links work on any device. There's no constraint on where the link can be opened. For example, a user might try to sign in from their desktop browser, but open the link from their mobile phone.

Verification methods

Verification methods are the methods that users can use to verify their identifier during the sign-up process, or to verify a new identifier that they add to their profile.

Clerk offers three verification methods:

  • Email verification link
  • Email verification code
  • SMS verification code

These methods work similarly to their authentication strategy counterparts but are used for verifying identifiers rather than authentication. For example, when a user adds an email address to their profile, they can receive an Email verification link or Email verification code to verify the new email address.

To configure verification methods:

  1. In the Clerk Dashboard, navigate to the Email, phone, username page.
  2. Select the settings icon next to the identifier, such as Email address or Phone number, to open the configuration settings.
  3. Under the Verification methods section, toggle on the verification methods you would like to enable.
  4. Select Continue to save your changes.

Social connections (OAuth)

Clerk offers several social providers for use during sign-up and sign-in. This authentication option is appealing because users often don't need to enter additional contact information since the provider already has it.

Clerk's OAuth process is designed to be seamless. If an existing user attempts to sign up with a social provider, the system automatically switches to sign-in. Similarly, if a user tries to sign in with a social provider but doesn't have an account, Clerk will automatically create one.

Users can link multiple social providers to their account, depending on your application's setup. You can configure your application to use the Account Portal User Profile page, the prebuilt <UserProfile /> component, or build your own custom user interface using the Clerk API..

To enable social connections:

  1. In the Clerk Dashboard, navigate to the SSO connections page.
  2. Select the Add connection button, and select For all users.
  3. For development instances, simply select the social providers that you would like to enable. For production instances, you'll need to configure credentials for each social provider. See the social provider's dedicated guide to learn how to configure credentials.

Web3 authentication

Clerk provides Web3 authentication with either MetaMask, Coinbase Wallet or OKX Wallet. As part of validating the accuracy of the returned Web3 account address, Clerk handles the signing of a message and verifying the signature. Because sign-in with Web3 uses the same abstraction as our other authentication factors, like passwords or email links, other Clerk features like multi-factor authentication and profile enrichment work for Web3 users out-of-the-box.

To enable Web3 authentication:

  1. In the Clerk Dashboard, navigate to the Web3 page.
  2. Enable your preferred Web3 provider.

Multi-factor authentication

Clerk supports multi-factor authentication (MFA), also known as two-factor authentication (2FA). If a user enables MFA for their account, they are required to complete a second verification step during sign-in. This enhances security by enforcing two different types of verification. Many websites offer this as an optional step, giving users control over their own security.

MFA is not available on the new application screen, but it can be enabled in the Clerk Dashboard.

  1. In the Clerk Dashboard, navigate to the Multi-factor page.
  2. Toggle on the MFA strategies you would like to enable.

The following MFA strategies are currently available:

  • SMS verification code
  • Authenticator application (also known as TOTP - Time-based One-time Password)
  • Backup codes

Enabling MFA allows users of your app to turn it on for their own accounts through their User Profile page. Enabling MFA does not automatically turn on MFA for all users.

If you're building a custom user interface instead of using the Account Portal or prebuilt components, you can use elements or the Clerk API to build a custom sign-in flow that allows users to sign in with MFA.

Reset a user's MFA

You can reset a user's MFA by deleting their MFA enrollments. This will remove all of their MFA methods and they will have to enroll in MFA again.

To reset a user's MFA:

  1. At the top of the Clerk Dashboard, select Users.
  2. Select the user from the list.
  3. Select the Reset MFA enrollments button.

Restrictions

Clerk provides a set of restriction options designed to provide you with enhanced control over who can gain access to your application. Restrictions can limit sign-ups or prevent accounts with specific identifiers, such as email addresses, phone numbers, and even entire domains, from accessing your application. Learn more about restrictions.

Feedback

What did you think of this content?

Last updated on