The user requests during account setup or password recovery an access token to set its password. The email with the access token received only after a longer delay (e.g. 30 min).
NEXT sends access token emails within seconds after they are requested. The delay is in most cases caused by slow email scanners (e.g. Proofpoint) ran by corporate IT.
Step 1: Is the issue caused by a corporate email address?
[In case you can log into NEXT] First, verify that the delay is indeed caused by your corporate email address. For this, change your email address in NEXT to a public email address like ...@gmail.com. After a password recovery, the NEXT access token emails should show up in your Gmail account within seconds.
In case you can't log into, you might ask one of your NEXT administrators to change your email address to a non-corporate email address.
Step 2: Does the corporate email scanner delay the emails?
Next, analyze if the corporate email scanner really delays the emails. Therefore, set your email address in NEXT back to your corporate email address. Then, open the internet message headers of the delayed email sent to your corporate email address (explanation for Gmail, Outlook).
Now, you check the timestamps in the internet message headers. In the following example, there was a 36min delay due to email scanning (NEXT sent the email 8:50 GMT, email scanner finished processing at 9:26 GMT):
Received: from pps.reinject (m0062140.ppops.net [127.0.0.1]) by pps.reinject
(184.108.40.206/220.127.116.11) with SMTP id 00C2QAHD004213 for
firstname.lastname@example.org; Fri, 10 Jan 2020 09:26:10 GMT
Received: from a48-108.smtp-out.amazonses.com (a48-108.smtp-out.amazonses.com
[18.104.22.168]) by -00121503.pphosted.com with ESMTP id 4xbejs2c24-3
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NO) for
email@example.com; Fri, 10 Jan 2020 08:50:27 +0000
You'll have to reach out to your IT department and ask them to investigate why the email security check takes so long. Please reach out to NEXT Support if we can help your IT with any further information.
Why are the access tokens invalid?
Following security best practices, all formerly sent tokens are invalidated whenever you request a new token. This might lead to issues when token emails are delayed.
A possible scenario:
User request an access token e.g. via password recovery
User doesn't receive the token email within a couple of minutes because it's delayed, and therefore triggers again the password recovery
User finally receives the token from the first password recovery
NEXT will reject the token because it was invalidated by the second password recovery (which is still not in the user's email inbox due to the delay)
To avoid this scenario, wait until the access token arrives without requesting another token in the meantime.