Protect email link sign-ins and sign-ups

Clerk provides an additional setting to improve security for email link sign-ins and sign-ups. When this setting is enabled, only email links opened on the same device and browser that a sign-in or sign-up was initiated on will successfully authenticate the user.

Enabling this protection means that the following scenario cannot happen:

1. A malicious actor knows the email of a user and requests an email link to sign-in or sign-up.
2. The user opens the email and visits the link, or the user's email provider follows links in emails for phishing or spam protection.
3. The malicious actor is able to gain access to the user's account because the email link has been opened successfully.

Disabling this protection means that your users are vulnerable to the scenario above, but they will be able to sign-in or sign-up with email link across devices and browsers. For example, initiating an email link sign in on a laptop and then opening the email link on a phone to sign in successfully.

With same device and browser protection on, users will see the following warning if an email link for sign-in or sign-up was opened on a different device or browser:

To configure this security setting, navigate to the Clerk Dashboard and in the navigation sidebar, select Email, Phone, Username. This protection can be enabled for sign-ins and sign-ups in two ways.

Contact information section:

1. In the Contact information section, next to Email address, select the settings icon.
2. Under the Email verification link checkbox, ensure Require the same device and browser is enabled.

Authentication strategies section:

1. In the Authentication strategies section, next to Email verification link, select the settings icon.
2. Ensure Require the same device and browser is checked.