I am building a small application to better understand security from the ground up and have a question about authentication flow (I believe this would be 2FA):
My question is about systems that dispatch, say, an email or text message to authenticate that the potential user really is a user, and how this is handled from the standpoint of a first-time user or someone who is registering with the application.
In systems like this, is the potential user's data already saved to the database before the email is dispatched, or is it being held as a promise awaiting the response to the email/text and then persisted to our database?
This example is more so 2FA after a user has become registered, but for instance with Zeit.co, if I want to log in to the now-cli, I will be asked for my email and an email is dispatched to the registered account with a randomly generated key. I am shown the key in a prompt upon the dispatch of the email and am prompted to double-check that the keys match from the prompt to the email before authenticating. Example views below (API token has been revoked already):

Email has been dispatched with the following key for me to verify is a match before authenticating.

Email received and security code matches.

View on page updates and redirects.
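One way to model the flow asked about above, added here as an illustration and not taken from the post or from Zeit's code: a pending request is stored with an expiry, and the user row is written only after the emailed link is confirmed. All function names, the in-memory maps, the 10-minute lifetime and the separate secret link token are assumptions.

```javascript
// Added example: hypothetical names throughout; Maps stand in for database tables.
const crypto = require('node:crypto');

const TTL_MS = 10 * 60 * 1000;   // assumed validity window for a pending request
const pending = new Map();       // sha256(token) -> { email, securityCode, expires }
const users = new Map();         // email -> user row, written only after confirmation

// Store only a hash of the link token so a leaked table holds no usable tokens.
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Step 1: the user submits an email. Nothing is written to `users` yet.
function startVerification(email, now = Date.now()) {
  // Secret value that appears only in the emailed link (assumed design).
  const token = crypto.randomBytes(32).toString('base64url');
  // Non-secret key shown in both the prompt and the email so the user can
  // check that the email belongs to the request they just made.
  const securityCode = crypto.randomBytes(4).toString('hex');
  pending.set(sha256(token), { email, securityCode, expires: now + TTL_MS });
  return {
    emailBody: { token, securityCode },  // what the mailer would send
    promptView: { securityCode },        // what the prompt would display
  };
}

// Step 2: the user follows the link in the email.
function confirm(token, now = Date.now()) {
  const key = sha256(String(token));
  const req = pending.get(key);
  if (!req) return { ok: false, reason: 'unknown-or-used' };
  pending.delete(key);                   // single use, even if it has expired
  if (now > req.expires) return { ok: false, reason: 'expired' };
  // First successful confirmation persists the user; later ones are logins.
  if (!users.has(req.email)) {
    users.set(req.email, { email: req.email, verifiedAt: now });
  }
  return { ok: true, email: req.email };
}
```

In this sketch an abandoned registration leaves only an expiring pending row behind, never an unverified account.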