Block unverified login attempts

Using the enhanced security protection of our Attack Protection Policy, you can block login attempts from unverified users. Any user that attempts to log in with an email or mobile number identifier that hasn’t been confirmed is blocked.

Why is this helpful?

This feature helps to ensure that only users that have intended to sign up or register and have properly verified their correct details are allowed to log into your site. When an attempt is made and this feature is enabled, a login_unverified_identifier event type is emitted to inform you of the attempt.

block unverified flow

Users that attempt to log in with an unverified identifier, receive a message similar to the following:

Unverified identifier account. To login, please verify your identifier with the email or the SMS that you received.

— Error key: error.unverifiedLogin

Users that attempt to log in with an unapproved identifier, receive a message similar to the following:

You cannot authenticate using {0}

— Error key: error.invalidLoginType

Protect against unwanted logins

You can block login attempts from unverified users with a simple operation from your ReachFive Console. You can also specify which identifiers are even allowed to attempt a login in the first place.

Prerequisites

You must have access to the ReachFive Console.
You must have a Developer, Manager, or Administrator role.

Specify allowed identifiers

Go to Settings Attack protection policy Allowed identifiers.
Toggle which identifiers you want to be able to attempt to log in to your site. Those that are not enabled will no longer be able to attempt logins.
- Email
- Phone Number
- Custom identifier
Don’t forget to Save your input..

Block unverified logins

You can block unverified logins with this feature. There are two options:

Forbid unverified identifiers login: When enabled, it blocks unverified login attempts after the initial signup and login.

Forbid unverified identifiers login after signup: When enabled, it blocks unverified login attempts even at signup.

When Forbid unverified identifiers login after signup is enabled:

Signup endpoints do not issue tokens when identifiers are unverified:
The Core SDK signup method returns an AuthResult without an access token or redirect in this case.
The UI SDK showAuth method displays an overridable message (signup.awaiting.identifier.verification) telling users to verify their identifier.
- A new isIdentifierVerificationRequired field is included in the signupEvent callback to simplify flow handling.

Go to Settings Security Attack protection policy.
Enable the Forbid unverified identifiers login option by toggling the slider to green.
If desired, you can also enable the Forbid unverified identifiers login after signup option by toggling the slider to green.
Don’t forget to Save your input.