Principality of KaharagiaDesign System

Confirm an email address

Use this pattern when you need to verify that a user has access to an email address.

When to use this pattern

Confirm email addresses when:

  • the email will be used for important correspondence
  • account security depends on email access
  • you need to prevent fraudulent registrations
  • legal or regulatory requirements mandate verification

How it works

There are two main approaches:

  1. Email link - Send a link that users click to verify
  2. Security code - Send a code that users enter on your site

Step 1: Tell users to check their email

Check your email

We've sent a confirmation email to:

sarah.johnson@example.com

Click the link in the email to confirm your email address.

The email might take a few minutes to arrive. Check your spam folder if you cannot find it.

Did not receive the email?

Send the email again

Use a different email address

Step 2: Confirmation page (after clicking the link)

Email address confirmed

Your email address has been verified.

You can now continue with your application.

Using a security code

For some services, a security code provides better security or is easier for users to complete.

Enter security code

Enter security code

We've sent a 6-digit code to sarah.johnson@example.com

Enter the 6-digit code from the email

Send a new code

<input
  class="form-input form-input-width-5"
  id="security-code"
  type="text"
  inputmode="numeric"
  pattern="[0-9]*"
  autocomplete="one-time-code"
>

Email content

Your confirmation email should:

  • clearly state the service name
  • explain why the user is receiving it
  • include a prominent link or code
  • state how long the link/code is valid
  • tell users what to do if they did not request this

Security considerations

  • Links and codes should expire (typically 24 hours for links, 10-15 minutes for codes)
  • Limit the number of resend attempts
  • Use secure, random tokens
  • Rate limit verification attempts
  • Log verification attempts for security monitoring

Error messages

If code is empty
"Enter the security code"
If code is incorrect
"The security code is not correct. Check the code and try again."
If code has expired
"The security code has expired. We've sent you a new one."
If link has expired
"This link has expired. Request a new confirmation email."

Accessibility

  • Use inputmode="numeric" for numeric codes
  • Use autocomplete="one-time-code" to help autofill on mobile
  • Provide clear error messages
  • Offer alternatives if email delivery fails