From 257b10232b45a07eea4f9504b9b9d51e8dfe57f2 Mon Sep 17 00:00:00 2001 From: Alexis Aguilar <98043211+alexisintech@users.noreply.github.com> Date: Fri, 31 Jan 2025 12:59:44 -0500 Subject: [PATCH] update explanation of require same device and browser --- .../configuration/sign-up-sign-in-options.mdx | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/authentication/configuration/sign-up-sign-in-options.mdx b/docs/authentication/configuration/sign-up-sign-in-options.mdx index b1091f0c0f..8cb88f7e6a 100644 --- a/docs/authentication/configuration/sign-up-sign-in-options.mdx +++ b/docs/authentication/configuration/sign-up-sign-in-options.mdx 
@@ -121,11 +121,15 @@ If a country is disabled, then phone numbers starting with the corresponding cou When the **Email verification link** option is selected as an authentication strategy, users receive an email message with a link to complete the authentication process. Email links can be used to sign up new users, sign in existing ones, or allow existing users to verify newly entered email addresses to user profiles. -As a security measure, email links expire after 10 minutes prevent the use of compromised or stale links. +As a security measure, email links expire after 10 minutes to prevent the use of compromised or stale links. #### Require the same device and browser -By default, email links can be opened on any device. There's no restriction on where the link can be accessed. For example, a user could try to sign in from their desktop browser but open the link from their mobile phone. In this case, _the user's sign in would be completed on the desktop browser where the process was initiated, not the mobile phone where the link was verified_. As a result, the user would be signed in on their desktop, not their phone. +By default, the **Require the same device and browser** setting is enabled. This means that email links are required to be verified from the same device and browser on which the sign-up or sign-in was initiated. For example: + +- A user tries to sign in from their desktop browser. +- They open the email link on their mobile phone to verify their email address. +- The user's sign-in on the desktop browser **gets an error**, because the link was verified on a different device and browser. To configure this setting:
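Review bot: The rewritten paragraph under "Require the same device and browser" documents only the enabled state and drops the one description of what happens when the setting is off (the removed text said the sign-in completes on the desktop browser where it was initiated, not on the phone where the link was opened). Because the section continues with "To configure this setting:", readers who disable it need that behavior stated; suggest keeping a sentence for the disabled case after the bullet list, along with why the restriction is the safer choice. The third bullet also leaves open where the error is shown and what the user does next: "The user's sign-in on the desktop browser **gets an error**" can be read as an error on the desktop tab, on the phone, or both, so name the surface and the recovery step (for example, opening the link in the original browser, if that is the supported path). Finally, the stated default flips from the removed "By default, email links can be opened on any device" to "enabled"; if that reflects a change in product behavior rather than a correction to the docs, the commit message should say so.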