In our last post we wrote about the notifications that power product-led growth, and how to help your users discover value once they're in your product.

In this post, we'll cover how to help them into your product in the first place.

This will be a two-part series. Here in part one we cover the basics of authentication flows (invite emails, forgotten passwords, magic links) and the role that notifications play within them. In part two, we cover enterprise-ready authentication (and user management) and its notifications, so you can ensure you're ready to handle larger customers.

Let's get into it.

Three notifications to power basic authentication

Your marketing team has pulled it off and a user is on your site. They like what they see, and they've signed up for your product. What happens next?

The welcome notification

The first step is an obvious one: a welcome email. These are a great way to let new users know what resources they should take a look at to get the most out of your product.

An example of Linear's notifications
One of our favorite welcome email examples from the team at Linear.

If you have an onboarding flow in place, best practice is to wait for the user to interact with the onboarding flow (and the product) before sending an email. In some cases, if the user has interacted with the parts of your product that you'd be calling out in your welcome email, you might just cancel the notification altogether to spare their inbox.

Welcome emails are straightforward notifications to send and can be handled by most marketing automation tools, but we like to keep them in the same system as the rest of our product notifications. This means we can handle scenarios such as the one mentioned above, where welcome emails are sent conditionally based on product events. It also helps us keep consistent branding between our welcome emails and the other notifications a user receives from our product.

The reset password notification

Now that you have users logging into your product, the next thing to put in place is a password reset flow. (This assumes you're using password-based authentication. More on this in a moment.)

Some of your users will forget their password. It's important to have a reset password flow in place from day one to address this case and give users a frictionless path back into your product.

Notifications play a simple role in this process. You give your user an affordance to reset their password from somewhere within your login flow and send them an email notification with a "Reset password" affordance.

An example of a password reset email
The reset password emails we sent with Knock before moving to passwordless authentication.

Of course, you could bypass this notification altogether by using passwordless authentication, which is what we ended up doing at Knock.

The magic link notification

We started with password-based authentication with our first few customers at Knock but soon decided to move to magic link authentication.

A couple of reasons why:

  • Your users don't need to remember (or manage) a password for your product.
  • If your users are managed by Google Workspace or another identity provider, passwordless authentication helps your security posture: the login link lands in the user's inbox, so access to your product defaults to the security controls of your customer's identity provider.

If you're an early startup with a lot of product to build, there's an added bonus with passwordless authentication in that you won't need to build the reset password flows that come with managing passwords on behalf of your users.

We used WorkOS to support our magic link authentication flow and then powered our magic link emails with Knock. If you're a Knock customer, you can check out this pre-built template to add magic link notifications into your product in a few minutes. Here's an example of the magic link emails we send with Knock today.

A magic link email from Knock
The login link emails we send from Knock today... to get into Knock.
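The reset password and magic link flows described above both rest on the same mechanism: a random, short-lived, single-use token embedded in the emailed link. The sketch below is an added example, not Knock's or WorkOS's code; the function names, the in-memory `PENDING` store, the URL layout and the 15-minute lifetime are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime, not a value from the post
PENDING = {}  # stand-in for a database table, keyed by SHA-256 of the token


def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(email, purpose, base_url, now=None):
    """Create a one-time link for purpose "reset" or "login"; return the URL to email."""
    now = time.time() if now is None else now
    # Requesting a new link revokes any unused one for the same user and purpose.
    for key, rec in list(PENDING.items()):
        if (rec["email"], rec["purpose"]) == (email, purpose):
            del PENDING[key]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    # Store only the hash, so a leaked table does not yield usable links.
    PENDING[digest(token)] = {
        "email": email,
        "purpose": purpose,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return f"{base_url}/auth/{purpose}?token={token}"


def redeem(token, purpose, now=None):
    """Return the email the token was issued to, or None. Any attempt consumes it."""
    now = time.time() if now is None else now
    record = PENDING.pop(digest(token), None)  # pop enforces single use
    if record is None:
        return None
    if record["purpose"] != purpose:
        return None  # a login link must not reset a password, or vice versa
    if now > record["expires"]:
        return None
    return record["email"]


if __name__ == "__main__":
    link = issue_link("user@example.com", "login", "https://app.example.test")
    token = link.split("token=")[1]
    print(redeem(token, "login"), redeem(token, "login"))  # second use is rejected
```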

As I mentioned earlier, using passwordless authentication means you're defaulting to the two-factor authentication rules configured in the user's identity provider. Nowadays even the earliest startups are being built with security in mind from day one, and that means using two-factor authentication (2FA) across all of the vendors they use.

If you're one of those vendors (as you hope to be!) you'll need to ensure that any users within the customer's organization log in with 2FA. You can do that by building 2FA yourself, or by using passwordless authentication, which effectively defers authentication to the user's identity service, where the customer can manage 2FA.

This works well in cases where your customers use these identity providers (such as Google Workspace or Okta), but in cases where they don't, you'll need to support two-factor authentication (and the enterprise management features that come with it) within your own product.

We'll get into two-factor authentication and other enterprise-ready features in part two of this post next week.

Powering authentication notifications with Knock

If you're just getting started with your next project and want to support authentication quickly, or are thinking about changing your sign-up flow to include magic links, you should try Knock.

We've also created a set of common notification templates related to auth (magic link, invite emails, and so on) that you can copy into your Knock account and have working in minutes.

Have questions or thoughts about authentication and notifications? Noticed something we missed? Give us a shout at hello@knock.app.