Sarah checks her inbox. An email from Zetta HRM arrives with the subject "You're invited to Zetta HRM". It contains a six-digit OTP and a link to the account verification page.
She clicks the link, enters the OTP, and is prompted to set a password. She chooses a strong password, confirms it, and is automatically logged in.

| Failure | What the user sees | What happens next |
|---|---|---|
| Wrong OTP | "Invalid OTP" | User retries (limited attempts) |
| OTP expired | "OTP expired" | User requests a new one via resend |
| Max OTP retries exceeded | OTP invalidated | User must request a fresh OTP |
| Email never arrives | "Check your email" with resend button | User clicks resend, new OTP generated |
| Email sent to wrong address | User cannot receive the OTP | Contact support to update email and resend |
| Weak password | Password strength requirements shown | User chooses a compliant password |
| Passwords do not match | "Passwords don't match" | User retypes both fields |
| Tampered link or token | 400 "Invalid or malformed token" | User requests a fresh invite |
| Token already used (replay attack) | Token consumed, cannot be reused | Security measure — one-time use only |
| Invitation link expired | "Invitation expired" | Admin must re-invite the user |

| Scenario | Behavior | Why |
|---|---|---|
| User already verified | Redirected straight to dashboard | No need to repeat verification |
| User navigates to verify page without a pending OTP | Redirected to signup | No pending invitation to verify |
| User clicks resend repeatedly | Rate limited: 3 attempts per 15 minutes | Prevents email spam |
| User closes browser after OTP but before setting password | Can resume within the expiry window | OTP verification is stored, password step can continue |
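
The OTP states from both tables (wrong code, expiry, retry exhaustion, resend rate limiting, and the already-verified and no-invitation redirects) written out as one in-memory service. This is an added example, not Zetta HRM's code: `VerificationService`, `new_otp`, the return strings, and the 10-minute OTP lifetime and 5-guess retry cap are assumptions, while 3 resends per 15 minutes is the figure from the table.

```python
import hmac
import secrets
from types import SimpleNamespace

# 3 resends per 15 minutes is the page's figure; OTP lifetime and retry cap are assumed.
OTP_TTL, MAX_ATTEMPTS = 10 * 60, 5
RESEND_LIMIT, RESEND_WINDOW = 3, 15 * 60

def new_otp() -> str:
    return f"{secrets.randbelow(10**6):06d}"      # CSPRNG, zero-padded to six digits

class VerificationService:
    def __init__(self, clock):
        self.clock = clock           # callable returning epoch seconds; injected for tests
        self.pending: dict[str, SimpleNamespace] = {}
        self.verified: set[str] = set()

    def invite(self, email: str) -> str:
        self.pending[email] = SimpleNamespace(
            otp=new_otp(), issued_at=self.clock(), attempts=0, resend_times=[])
        return self.pending[email].otp           # in production this value only leaves via the email

    def resend(self, email: str) -> str:
        inv, now = self.pending.get(email), self.clock()
        if inv is None:
            return "redirect_signup"
        inv.resend_times = [t for t in inv.resend_times if now - t < RESEND_WINDOW]
        if len(inv.resend_times) >= RESEND_LIMIT:
            return "rate_limited"
        inv.resend_times.append(now)
        inv.otp, inv.issued_at, inv.attempts = new_otp(), now, 0   # fresh code, retries reset
        return "otp_resent"

    def verify(self, email: str, submitted: str) -> str:
        if email in self.verified:
            return "redirect_dashboard"          # already verified: nothing to repeat
        inv = self.pending.get(email)
        if inv is None:
            return "redirect_signup"             # no pending invitation to verify
        if self.clock() - inv.issued_at > OTP_TTL:
            return "otp_expired"                 # user must request a new one via resend
        if inv.otp is None or not hmac.compare_digest(inv.otp, submitted):
            inv.attempts += 1
            if inv.attempts >= MAX_ATTEMPTS:
                inv.otp = None                   # invalidated: only a resend can continue
            return "otp_invalidated" if inv.otp is None else "invalid_otp"
        self.verified.add(email)                 # OTP consumed; the password step can proceed
        del self.pending[email]
        return "set_password"
```

Note that a correct code submitted after invalidation is still rejected, so a guessing loop that happens to land on the right value gains nothing once the retry cap is hit.
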

ZettaHRM
A modern HRM workspace for employee management, attendance tracking, leave approvals and structured day-to-day HR operations.