
What is the best way to implement user account activation?


What is best practice for an android/ios app with the following scenario:

The client company sends users' emails/numbers to us. We create accounts for the users with the sent data. Each user installs the app, logs in with email and -> at this point he/she should prove that he/she is the owner of the email used for registration. What is the best way to implement this? Is sending mail with some token code (which the user then needs to paste into our app) a good approach? Are there better ways?

The goal is to achieve authentication of the user that has installed the app, with minimal effort both for the user and the client company.


Solution

  • If you need to just activate the account, the solution from James Lambert will be good enough.

    But, as I understood, you want to identify the user of the app by email. And, as I also understood, another company collects all users' data (including email, which can be any email, not just the Google account in the user's phone) and sends it to you, but this data doesn't contain a password or anything else that will authenticate this user.

    IMO you can do such authentication in the app:

    1. The user enters his email in the app and presses "next".
    2. The app makes a request to your website with that email.
    3. Your website sends an email with a one-time pin-code.
    4. The user enters this pin-code in the app (do not use complex tokens which the user needs to copy-paste, it's just another barrier for a non-experienced user).
    5. The app communicates with the website, which checks the pin-code and generates a shared secret key; then both save this key, which will be used when the user launches the app next time.

    Upd: Step 5 may differ a lot depending on the purposes of the authentication. My variant can be used for simple user tracking, but it is definitely not applicable for financial apps or any other apps which operate with sensitive data (because of the duplication issue).
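The five-step pin flow in the answer above, written out as the server side of the exchange. This is an added example, not code from the question or the answer: the class name `ActivationServer`, the methods `request_pin`, `verify_pin` and `authenticate`, the ten-minute pin lifetime and the five-attempt lock are all assumptions chosen for the illustration, and the in-memory `sent_mail` list stands in for the real mail gateway. It adds the checks a practitioner would want around step 3 to step 5: the pin is generated from a CSPRNG, stored only as a hash, expires, is discarded after a handful of wrong guesses, and can be used exactly once; the shared secret minted in step 5 is likewise stored hashed and compared in constant time on later launches.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

PIN_TTL_SECONDS = 600   # assumed policy: a mailed pin is valid for ten minutes
MAX_PIN_ATTEMPTS = 5    # assumed policy: discard the pending pin after this many wrong guesses


def _sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


@dataclass
class PendingPin:
    pin_hash: str        # only the hash of the mailed pin is kept server-side
    expires_at: float
    attempts: int = 0


@dataclass
class ActivationServer:
    """Hypothetical server-side state for the email + one-time pin flow."""
    known_emails: set                                     # addresses the client company sent us
    pending: dict = field(default_factory=dict)           # email -> PendingPin
    device_secrets: dict = field(default_factory=dict)    # email -> sha256(shared secret)
    sent_mail: list = field(default_factory=list)         # constructed stand-in for the mailer

    def request_pin(self, email: str, now: float = None) -> bool:
        """Steps 2 and 3: the app posts the email; the server mails a fresh pin."""
        now = time.time() if now is None else now
        if email not in self.known_emails:
            # Same response for unknown addresses, so this endpoint does not
            # reveal which emails the client company registered with us.
            return True
        pin = f"{secrets.randbelow(10**6):06d}"           # six digits, CSPRNG
        self.pending[email] = PendingPin(_sha256(pin), now + PIN_TTL_SECONDS)
        self.sent_mail.append((email, pin))               # real code: hand to the mail gateway
        return True

    def verify_pin(self, email: str, pin: str, now: float = None):
        """Steps 4 and 5: check the pin; on success mint the shared secret for the device."""
        now = time.time() if now is None else now
        entry = self.pending.get(email)
        if entry is None:
            return None
        if now > entry.expires_at or entry.attempts >= MAX_PIN_ATTEMPTS:
            del self.pending[email]                       # expired or locked: request a new pin
            return None
        entry.attempts += 1
        if not hmac.compare_digest(entry.pin_hash, _sha256(pin)):
            return None
        del self.pending[email]                           # one-time: the same pin is never accepted twice
        device_secret = secrets.token_urlsafe(32)         # 256-bit random secret for the app to store
        # A plain SHA-256 is enough here because the secret is high-entropy
        # random data, not a user-chosen password.
        self.device_secrets[email] = _sha256(device_secret)
        return device_secret

    def authenticate(self, email: str, device_secret: str) -> bool:
        """Later launches: the app presents the stored secret instead of a pin."""
        stored = self.device_secrets.get(email)
        return stored is not None and hmac.compare_digest(stored, _sha256(device_secret))


if __name__ == "__main__":
    server = ActivationServer(known_emails={"alice@example.com"})  # constructed sample
    server.request_pin("alice@example.com")
    email, mailed_pin = server.sent_mail[0]                        # what the user reads from the mail
    secret = server.verify_pin(email, mailed_pin)
    print("activated:", secret is not None, "re-login:", server.authenticate(email, secret))
```

The answer's caveat about the "duplication issue" still applies: anything that holds the shared secret can authenticate as that user, so this flow only proves ownership of the mailbox at activation time and identifies the device afterwards; it is not a substitute for a password or second factor where sensitive data is involved.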