Sign-up and sign-in options

Clerk provides various options for setting up a sign-up and sign-in flow. When a new application is created, you will be presented with the following application configuration screen:

You can always make changes to your sign-up and sign-in options after your application has been created by visiting the Clerk Dashboard and selecting the User & Authentication dropdown in the navigation sidebar.

In addition to the application name set for your instance, there will be standard authentication options to choose from: identifiers, authentication strategies, verification methods, social login providers, Web3 authentication, multi-factor authentication, and sign-up restrictions. This guide will walk you through each of these options.

Identifiers

Identifiers are how your application recognizes an individual user. Clerk offers three primary identifiers to choose from:

• Email address
• Phone number
• Username

From the application configuration screen, you can select multiple identifiers if you like, but at least one is required to continue.

Email address is the most common primary identifier. During the sign-up process, a user must supply and verify their email address. They must keep an email address on their account at all times. However, the email address that was used for registration can be later changed from the user's profile page.

When phone number is selected as the identifier, a user will sign up with their phone number and receive an SMS text message with a code to verify their phone number. (Note: SMS authentication is a premium feature and is not available on the Free plan. Upgrade your plan to enable this feature.)

Choosing username as the identifier enables users to sign up without requiring personal contact information. A username should be from 4 to 64 characters in length and can contain alphanumeric characters, underscores (_), and dashes (-).

To update your identifiers after your application has been created:

1. Navigate to the Clerk Dashboard and select your application.
2. In the navigation sidebar, select User & Authentication > Email, Phone, Username.
3. In the Contact information section, you can select Email address and Phone number as identifiers. In the Username section, you can select Username as an identifier.

Authentication strategies

Authentication strategies are the methods that users can use to sign up and sign in to your application.

Clerk offers two kinds of authentication strategies: password and passwordless.

Choosing the password strategy requires users to set a password during the sign up process. Clerk offers out of the box protection against weak and compromised passwords and the only requirement enforced is that the password be a miminum of 8 characters. (Note: passwordless authentication is still available to users even if password strategy is selected.)

Choosing a passwordless strategy provides users with a more secure way to sign up and sign in to your application. They are also more convenient than passwords because they don't require users to remember a complex string of characters.

Passwordless authentication strategies include:

• Passkeys
• One-time password (OTP)
• Email link

To configure authentication strategies:

1. Navigate to the Clerk Dashboard and select your application.
2. In the navigation sidebar, select User & Authentication > Email, Phone, Username.
3. In the Authentication strategies section, toggle on the authentication strategies you would like to enable.

Passkeys

A passkey is a type of sign-in credential that requires one user action, but uses two authentication factors:

1. A pin number or biometric data
2. A physical device

Because passkeys use two authentication factors, they are the most secure passwordless authentication strategy.

Users can only create passkeys after they have signed up, which means you will need to enable another authentication strategy for the sign-up process. Once a user is signed in, they can create a passkey.

Manage user passkeys

The easiest way to allow your users to create and manage their passkeys is to use the prebuilt <UserProfile> component, which includes passkey management in the Security tab.

If you are building a custom user interface, check out the passkeys custom flow guide to learn how to build a custom passkey management flow using Clerk's API.

Passkey limitations

• Passkeys are not currently available as an MFA option.
• Not all devices and browsers are compatible with passkeys. Passkeys are built on WebAuthn technology and you should check the Browser Compatibility docs for an up-to-date list.
  • Passkeys are not officially supported in browsers on iOS devices.
• Your users can have a max of 10 passkeys per account.

Passkey behavior in development

Passkeys are associated with the domain they are created on, and cannot be used across domains.

For example, a passkey created in localhost will be associated with the localhost domain, and therefore, will not work with your app's hosted Account Portal or sign-in pages.

This will not be a problem for production instances, since the production Account Portal is a subdomain of your production app's domain.

One-time password (OTP)

When one of the OTP options are selected as an authentication strategy, users will receive a one-time code that they can use to complete the authentication process. The benefit of one-time codes is that they are more secure than passwords and can be used to verify a user's identity without needing to store a password in your database.

There are two one-time password (OTP), or one-time code, strategies to choose from:

• Email verification code
• SMS verification code

When email address is chosen as the identifier, Email verification code is set as the default authentication option.

(Note: SMS authentication is a premium feature and is not available on the Free plan. Upgrade your plan to enable this feature.)

Email link

When the Email verification link option is selected as an authentication strategy, users will receive an email message with a link that can be visited in order to complete the authentication process. Email links can be used to sign up new users, sign in existing ones, or allow existing users to verify newly entered email addresses to their profile. Email links work on any device. There's no constraint on where the link will be opened. For example, a user might try to sign in from their desktop browser, but open the link from their mobile phone.

Verification methods

Verification methods are the methods that users can use to verify their identifier during the sign-up process, or to verify a new identifier that they add to their profile.

Clerk offers three verification methods:

• Email verification link
• Email verification code
• SMS verification code

Each of these verification methods work in the same way as their authentication strategy counterparts, but are used to verify a user's identifier rather than authenticate a user. For example, when a user adds an email address to their profile, they can receive an Email verification link or Email verification code to verify the new email address.

To configure verification methods:

1. Navigate to the Clerk Dashboard and select your application.
2. In the navigation sidebar, select User & Authentication > Email, Phone, Username.
3. Select the settings cog icon next to the identifier, such as Email address or Phone number, to open the configuration settings.
4. Under the Verification methods section, toggle on the verification methods you would like to enable.
5. Select Continue to save your changes.

Social connections (OAuth)

Clerk offers a number of social login providers that can be used during sign up and sign in. What makes this authentication option appealing is that users often won't need to enter additional contact information since the provider already has it.

Clerk has designed the social login process to be as seamless as possible. If an existing user tries to sign up with a social provider, the social login process is smart enough to automatically convert the sign up process into a sign in flow. The reverse is also true: if a user signs in with a social provider, but doesn't have an account yet, Clerk will automatically create one for them.

Users are also able to link multiple social providers to their account depending on how you have set up your application. You can set up your application to use the Account Portal User Profile page, the prebuilt <UserProfile /> component, or you can build your own custom user interface using the Clerk API.

To enable social connections:

1. Navigate to the Clerk Dashboard and select your application.
2. In the navigation sidebar, select User & Authentication > Social connections.
3. For development instances, you can simply toggle on the social providers you would like to enable. For production instances, you will need to configure credentials for each social provider. Don't worry, there are detailed guides for each social provider to help you through the process.

Web3 authentication

Clerk provides Web3 authentication as an option with MetaMask. As part of validating the accuracy of the returned Web3 account address, Clerk handles the signing of a transaction and verifying the signature. Because sign-in with MetaMask uses the same abstraction as our other authentication factors, like passwords or email links, other Clerk features like multi-factor authentication and profile enrichment work for MetaMask users out-of-the-box.

To enable Web3 authentication:

1. Navigate to the Clerk Dashboard and select your application.
2. In the navigation sidebar, select User & Authentication > Social connections.
3. Toggle on the Web3 provider. Currently, Clerk supports MetaMask.

Multi-factor authentication

Clerk supports multi-factor authentication (MFA), often referred to as two-factor authentication or 2FA. By enabling MFA, you can encourage or require your users to perform a second verification check during sign-in. By enforcing two different types of verifications, you can drastically improve your user's security. Most websites make this step optional, empowering their users with their own security.

Although not available as an option in the initial new application screen, you can opt to turn on multi-factor authentication (MFA) in the Clerk Dashboard.

1. Navigate to the Clerk Dashboard and select your application.
2. In the navigation sidebar, select User & Authentication > Multi-factor.
3. Toggle on the MFA strategies you would like to enable.

Clerk currently offers the following MFA strategies:

• SMS verification code
• Authenticator application (also known as TOTP - Time-based One-time Password)
• Backup codes

Once MFA is turned on, registered users can turn on MFA for their own account through their User Profile page. However, if you are building a custom user interface, you can build a custom multi-factor sign-in flow that allows users to sign in with MFA.

Sign-up restrictions

Clerk provides a set of restriction options designed to provide you with enhanced control over who can gain access to your application. Through these restriction settings, you can limit sign-ups or prevent accounts with specific identifiers from accessing your application. These identifiers can be email addresses, phone numbers, and even entire domains. Learn more about restrictions in our detailed guide.

Authentication examples

Lets take a look at a few of the different authentication options and how they can be combined to fit your application's needs.

Allow only email address as an authentication option

Let's imagine that you want to your users to only sign up and sign in with their email via passwordless methods: by either clicking a link or entering a one-time code sent to their email.

Allow only phone number as an authentication option

Let's imagine that your application is going to be exclusively used by people on their phones. You want to collect the user's phone number as the identifier, and you want the user to sign in to your app by entering a one-time code sent via SMS to the user's device.

Allow only social connections and Web3 as authentication options

Let's imagine that you want your users to sign up and sign in only with social connections or with a Web3 account.