diff --git a/app/controllers/user/confirmations_controller.rb b/app/controllers/user/confirmations_controller.rb new file mode 100644 index 000000000..f4fd337d6 --- /dev/null +++ b/app/controllers/user/confirmations_controller.rb @@ -0,0 +1,8 @@ +class User::ConfirmationsController < Devise::ConfirmationsController + +protected + + def after_confirmation_path_for(resource_name, resource) + new_user_confirmation_path(resource) + end +end diff --git a/app/controllers/auth/passwords_controller.rb b/app/controllers/user/passwords_controller.rb similarity index 89% rename from app/controllers/auth/passwords_controller.rb rename to app/controllers/user/passwords_controller.rb index 6c05debb5..fb4e2f6a1 100644 --- a/app/controllers/auth/passwords_controller.rb +++ b/app/controllers/user/passwords_controller.rb @@ -1,4 +1,4 @@ -class Auth::PasswordsController < Devise::PasswordsController +class User::PasswordsController < Devise::PasswordsController include Helpers::Email def reset_confirmation @@ -11,7 +11,7 @@ class Auth::PasswordsController < Devise::PasswordsController resource.errors.add :email, "Enter an email address in the correct format, like name@example.com" render "devise/passwords/new", status: :unprocessable_entity else - render "devise/confirmations/reset" + render "devise/passwords/reset_confirmation" end end diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/user/sessions_controller.rb similarity index 92% rename from app/controllers/auth/sessions_controller.rb rename to app/controllers/user/sessions_controller.rb index 270b89b2e..a542805cd 100644 --- a/app/controllers/auth/sessions_controller.rb +++ b/app/controllers/user/sessions_controller.rb @@ -1,4 +1,4 @@ -class Auth::SessionsController < Devise::SessionsController +class User::SessionsController < Devise::SessionsController include Helpers::Email def create 
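Review bot: In `after_confirmation_path_for`, `new_user_confirmation_path(resource)` passes the record to a route that has no `:id` segment, so Rails will most likely put it in the optional format slot and produce `/users/confirmation/new.<id>`, exposing the user id in the URL. Call the helper without arguments, or use `new_user_session_path` if a confirmed user should land on sign-in. Sending someone who has just confirmed to the resend-confirmation page also looks unintended. Because this commit drops `@user.send_reset_password_instructions` from `UsersController`, nothing visible in the diff lets an invited user set their own password after confirming; the rewritten `confirmations/new` view is not readable here, so this may be handled there. A one-line comment above the override saying where a confirmed user is meant to land would settle the question for the next reader.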
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index e60f9439f..3482979cc 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -34,7 +34,6 @@ class UsersController < ApplicationController render :new, status: :unprocessable_entity else @user = User.create!(user_params.merge(org_params).merge(password_params)) - @user.send_reset_password_instructions redirect_to users_organisation_path(current_user.organisation) end end diff --git a/app/mailers/notify_devise_mailer.rb b/app/mailers/notify_devise_mailer.rb index 0ade55baa..696041661 100644 --- a/app/mailers/notify_devise_mailer.rb +++ b/app/mailers/notify_devise_mailer.rb @@ -5,6 +5,10 @@ class NotifyDeviseMailer < Devise::Mailer @notify_client ||= ::Notifications::Client.new(ENV["GOVUK_NOTIFY_API_KEY"]) end + def host + @host ||= ENV["APP_HOST"] + end + def send_email(email, template_id, personalisation) notify_client.send_email( email_address: email, @@ -18,7 +22,7 @@ class NotifyDeviseMailer < Devise::Mailer personalisation = { name: record.name, email: record.email, - link: "#{ENV['host']}/users/password/edit?reset_password_token=#{token}" + link: "https://#{host}/users/password/edit?reset_password_token=#{token}" } send_email(record.email, template_id, personalisation) end @@ -29,8 +33,9 @@ class NotifyDeviseMailer < Devise::Mailer name: record.name, email: record.email, organisation: record.organisation.name, - link: "#{ENV['host']}/users/password/edit?reset_password_token=#{token}" + link: "https://#{host}/users/confirmation?confirmation_token=#{token}" } + send_email(record.email, template_id, personalisation) end def unlock_instructions(record, token, opts = {}) diff --git a/app/models/user.rb b/app/models/user.rb index 8e18a55db..d8f1458ff 100644 --- a/app/models/user.rb +++ b/app/models/user.rb 
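Review bot: The new `host` method in `NotifyDeviseMailer` returns `ENV["APP_HOST"]` unchecked, so when the variable is unset the reset and confirmation links in the two later hunks become `https:///users/...` and the e-mail is still sent with a dead link. Prefer `@host ||= ENV.fetch("APP_HOST")` so a missing setting raises at send time instead of silently locking new users out. Taking the host from configuration rather than from the request is the right source for token-bearing links and is worth a short comment on the method. The two paths are hand-built strings that duplicate the Devise routes in `config/routes.rb`, so they will drift if those routes are renamed. The class body starts and ends outside these hunks.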
@@ -2,9 +2,9 @@ class User < ApplicationRecord include Constants::User # Include default devise modules. Others available are: - # :confirmable, :lockable, :timeoutable and :omniauthable + # :lockable, :timeoutable and :omniauthable devise :database_authenticatable, :recoverable, :rememberable, :validatable, - :trackable + :trackable, :confirmable belongs_to :organisation has_many :owned_case_logs, through: :organisation diff --git a/app/views/devise/confirmations/new.html.erb b/app/views/devise/confirmations/new.html.erb index ac0537c68..e84c78adf 100644 --- a/app/views/devise/confirmations/new.html.erb +++ b/app/views/devise/confirmations/new.html.erb @@ -1,16 +1,32 @@ -
Hello <%= @resource.email %>!
- -Someone has requested a link to change your password. You can do this through the link below.
- -<%= govuk_link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token) %>
- -If you didn't request this, please ignore this email.
-Your password won't change until you access the link above and create a new one.
diff --git a/app/views/devise/mailer/_password_change_initial.html.erb b/app/views/devise/mailer/_password_change_initial.html.erb deleted file mode 100644 index e4437a639..000000000 --- a/app/views/devise/mailer/_password_change_initial.html.erb +++ /dev/null @@ -1,6 +0,0 @@ -Hello <%= @resource.name %>!
- -An account has been created for you to submit CORE data on behalf of <%= @resource.organisation.name %>.
- -Your username is <%= @resource.email %>, use the link below to set your password. -
<%= govuk_link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token) %>
diff --git a/app/views/devise/mailer/confirmation_instructions.html.erb b/app/views/devise/mailer/confirmation_instructions.html.erb deleted file mode 100644 index fac57c4a2..000000000 --- a/app/views/devise/mailer/confirmation_instructions.html.erb +++ /dev/null @@ -1,5 +0,0 @@ -Welcome <%= @email %>!
- -You can confirm your account email through the link below:
- -<%= govuk_link_to 'Confirm my account', confirmation_url(@resource, confirmation_token: @token) %>
diff --git a/app/views/devise/mailer/reset_password_instructions.html.erb b/app/views/devise/mailer/reset_password_instructions.html.erb deleted file mode 100644 index dd4412b35..000000000 --- a/app/views/devise/mailer/reset_password_instructions.html.erb +++ /dev/null @@ -1,5 +0,0 @@ -<% if @resource.last_sign_in_at.nil? %> - <%= render partial: "password_change_initial" %> -<% else %> - <%= render partial: "password_change_forgotten" %> -<% end %> diff --git a/app/views/devise/confirmations/reset.html.erb b/app/views/devise/passwords/reset_confirmation.html.erb similarity index 100% rename from app/views/devise/confirmations/reset.html.erb rename to app/views/devise/passwords/reset_confirmation.html.erb diff --git a/app/views/devise/shared/_links.html.erb b/app/views/devise/shared/_links.html.erb index f66521541..a6e4ee369 100644 --- a/app/views/devise/shared/_links.html.erb +++ b/app/views/devise/shared/_links.html.erb @@ -10,10 +10,6 @@You can <%= govuk_link_to "reset your password", new_password_path(resource_name) %> if you’ve forgotten it.
<% end %>
-<%- if devise_mapping.confirmable? && controller_name != 'confirmations' %>
- <%= govuk_link_to "Didn’t receive confirmation instructions?", new_confirmation_path(resource_name) %>
-<% end %>
-
<%- if devise_mapping.lockable? && resource_class.unlock_strategy_enabled?(:email) && controller_name != 'unlocks' %>
<%= govuk_link_to "Didn’t receive unlock instructions?", new_unlock_path(resource_name) %>
<% end %>
diff --git a/config/routes.rb b/config/routes.rb
index 8f7a1db47..5e5c596f7 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,14 +1,11 @@
Rails.application.routes.draw do
devise_for :admin_users, ActiveAdmin::Devise.config
devise_for :users, controllers: {
- passwords: "auth/passwords",
- sessions: "auth/sessions",
+ passwords: "user/passwords",
+ sessions: "user/sessions",
+ confirmations: "user/confirmations"
}, path_names: { sign_in: "sign-in", sign_out: "sign-out" }
- devise_scope :user do
- get "confirmations/reset", to: "auth/passwords#reset_confirmation"
- end
-
# For details on the DSL available within this file, see https://guides.rubyonrails.org/routing.html
ActiveAdmin.routes(self)
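Review bot: Removing `get "confirmations/reset", to: "auth/passwords#reset_confirmation"` leaves `User::PasswordsController#reset_confirmation` with no route in this hunk, although the same commit keeps that action and renames the `devise/passwords/reset_confirmation` template. If the action is still needed, keep the `devise_scope :user` block and point it at the renamed controller, `get "confirmations/reset", to: "user/passwords#reset_confirmation"`; if it is not, the action and its view can be deleted too. The rest of `routes.rb` lies outside the hunk, so a replacement route may already exist there.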
diff --git a/db/migrate/20220121153444_users_confirmable.rb b/db/migrate/20220121153444_users_confirmable.rb
new file mode 100644
index 000000000..22cfe7991
--- /dev/null
+++ b/db/migrate/20220121153444_users_confirmable.rb
@@ -0,0 +1,11 @@
+class UsersConfirmable < ActiveRecord::Migration[7.0]
+ def change
+ change_table :users, bulk: true do |t|
+ ## Confirmable
+ t.string :confirmation_token
+ t.datetime :confirmed_at
+ t.datetime :confirmation_sent_at
+ t.string :unconfirmed_email # Only if using reconfirmable
+ end
+ end
+end
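Review bot: The migration adds the confirmable columns but leaves `confirmed_at` NULL for every existing row, so once `:confirmable` is enabled in `app/models/user.rb` current users will be treated as unconfirmed and refused sign-in unless the Devise initializer sets `allow_unconfirmed_access_for`. It also omits the unique index on `confirmation_token`, the column Devise uses to look up the user when a confirmation link is followed. The block below adds both. If existing users should instead be made to confirm their address, replace the backfill with a deliberate re-send of confirmation instructions.

```ruby
    change_table :users, bulk: true do |t|
      # … unchanged: confirmable columns …
    end

    add_index :users, :confirmation_token, unique: true

    # Accounts created before this migration never received a confirmation e-mail.
    reversible do |dir|
      dir.up do
        execute "UPDATE users SET confirmed_at = CURRENT_TIMESTAMP WHERE confirmed_at IS NULL"
      end
    end
```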
diff --git a/db/schema.rb b/db/schema.rb
index 766b1cf55..405f3ea5a 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 2022_01_14_105351) do
+ActiveRecord::Schema.define(version: 2022_01_21_153444) do
# These are extensions that must be enabled in order to support this database
enable_extension "plpgsql"
@@ -236,6 +236,10 @@ ActiveRecord::Schema.define(version: 2022_01_14_105351) do
t.string "current_sign_in_ip"
t.string "last_sign_in_ip"
t.integer "role"
+ t.string "confirmation_token"
+ t.datetime "confirmed_at"
+ t.datetime "confirmation_sent_at"
+ t.string "unconfirmed_email"
t.index ["email"], name: "index_users_on_email", unique: true
t.index ["organisation_id"], name: "index_users_on_organisation_id"
t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true