Forem Creators and Builders 🌱


Posted on

Customer feedback for the email authentication

I enabled the email authentication type and disabled the remaining authentication types, expecting it to be user-friendly for everyone.

But only 1 out of 10 people is going through the sign up process hassle free and with out any support from us. (Observed for around 400 people, mostly non-technical).


  1. Signup process is very lengthy.. setting the password twice at signup, clicking on "confirm account link" in the email, again entering email and password to login, and remembering that password.
  2. Some people are confused and they keep entering user ID and password to login, instead of email id and password.
  3. Some people are suspecious to click on the "Confirm account link".

Suggested way for somewhat user-friendly email signup:

  1. User signs up with email id and other details.
  2. A simple 4 digit random OTP is sent to the email.
  3. Submitting that OTP on the website activates the user and signs in the user immediately.
  4. Whenever the user logs out and needs to re-login, OTP should be sent to the email id and entering that OTP should log the user in again.
  5. No need for the forgot password and remember password, etc.

Would like to know the developers' response to this user feedback. Thanks.

Top comments (5)

9comindia profile image
9comindia • Edited

Hi @ioscasey and @djuber

A short-term solution can be like:

The user clicking on the "confirm account" link should immediately be logged into his/her account automatically without the need for the user to enter the email id and password.

This would shorten the new user signup process and removes the user confusion in login. [some more users revealed that they tried to login with their gmail id and their Gmail Password to login even after the signup and confirmation because the login screen was asking for email and password :) ]

Would the automatic login based on the confirmation token be a minor change?

And which files in the source code, should I be looking into to understand or to modify..

djuber profile image
Daniel Uber • Edited

Hi @9comindia - if you're looking at the code for this, we use the devise ruby gem generally for user authentication, and the new user signup starts in the RegistrationsController (which extends a built in registrations controller from Devise).

The step to require a user who logged in with an email address to verify they control the email address step is triggered in this check, I think. Any oauth login does automatically log in - and if smtp were disabled (your site was unable to send mail and knew it) you would have automatic login with no email verification as well (that's what the linked check is doing) - the email address becomes only a "special format" username string at that point.

Changing the authentication/confirmation from a registration code (verified by following the emailed link) to a confirmation code or pin typed back in from an email probably takes a bit more work than making login automatic - you might search to find if someone had already implemented a pattern like that for Devise.

You could also take a look at how Devise::Confirmable works to see if there's an easy way to adapt it, it's outside of my competence to say much more about that.

9comindia profile image

Thank you very much @djuber for the quick response.

and if smtp were disabled (your site was unable to send mail and knew it) you would have automatic login with no email verification as well

I didn't understand the above quoted text.
Our site not sending the email was an issue long ago, and it was resolved.

If you are suggesting an easy way for automatic email verification by disabling SMTP.., would you please elaborate on that.. how exactly can we make this happen..

thanks again.

Thread Thread
djuber profile image
Daniel Uber

There's a method named smtp_enabled? which is defined as "smtp username and smtp password are present, or a sendgrid api key is set". This is required to send mail (either through SMTP or through sendgrid's api).

If you removed the settings for sending email, you could send no mail (at all, not just user signup confirmations), but because you can send no mail, users are not required to verify their email address and logins are automatic.

This lowers the friction for new users, but at the same time opens your forem up to any number of abusive bot behaviors (spam users and postings) and disables any notifications (which would still show in user preferences, and would probably generate more support problems for you since users asked for notifications and never received them).

I wouldn't recommend disabling SMTP just to smooth the sign up process, mostly because of the additional confusion that would result from the broken functionality, but that's what the code says.

ioscasey profile image
Casey 💎

Hey there!

Thanks for this feedback! I totally understand the struggle that you're going through, as well as your users. We do have the option for OAuth access, like Twitter and Apple, would those options work for your Forem in the short-term?

On topic, I do like the OTP idea :)