diff --git a/Gemfile b/Gemfile
index 59b5dcf62a0..f42f0cad5b4 100644
--- a/Gemfile
+++ b/Gemfile
@@ -45,9 +45,9 @@ gem 'stripe'
 # which is needed for Pin Payments (and possibly others).
 gem 'activemerchant', '~> 1.78.0'
 
-gem 'devise', '~> 3.5.10' # v4.0.0 needs rails 4.1
+gem 'devise'
 gem 'devise-encryptable'
-gem 'devise-token_authenticatable', '~> 0.4.10' # v0.5.0 needs devise v4
+gem 'devise-token_authenticatable'
 gem 'jwt', '~> 2.2'
 gem 'oauth2', '~> 1.4.4' # Used for Stripe Connect
 
@@ -146,6 +146,7 @@ end
 group :test do
   gem 'simplecov', require: false
   gem 'test-prof'
+  gem 'test_after_commit' # needed to test Devise callbacks
   gem 'webmock'
   # See spec/spec_helper.rb for instructions
   # gem 'perftools.rb'
diff --git a/Gemfile.lock b/Gemfile.lock
index ff721252e81..e94bbd082f8 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -205,17 +205,16 @@ GEM
       delayed_job (> 2.0.3)
       rack-protection (>= 1.5.5)
       sinatra (>= 1.4.4)
-    devise (3.5.10)
+    devise (4.7.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 3.2.6, < 5)
+      railties (>= 4.1.0)
       responders
-      thread_safe (~> 0.1)
       warden (~> 1.2.3)
     devise-encryptable (0.2.0)
       devise (>= 2.1.0)
-    devise-token_authenticatable (0.4.10)
-      devise (>= 3.5.2, < 4.0.0)
+    devise-token_authenticatable (1.1.0)
+      devise (>= 4.0.0, < 5.0.0)
     diff-lcs (1.4.4)
     docile (1.3.2)
     domain_name (0.5.20190701)
@@ -443,7 +442,7 @@ GEM
     letter_opener (1.7.0)
       launchy (~> 2.2)
     libv8 (7.3.492.27.1)
-    loofah (2.7.0)
+    loofah (2.8.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -680,6 +679,8 @@ GEM
     test-prof (0.7.5)
     test-unit (3.3.6)
       power_assert
+    test_after_commit (1.2.2)
+      activerecord (>= 3.2, < 5.0)
     thor (0.20.3)
     thread_safe (0.3.6)
     tilt (1.4.1)
@@ -758,9 +759,9 @@ DEPENDENCIES
   debugger-linecache
   delayed_job_active_record
   delayed_job_web
-  devise (~> 3.5.10)
+  devise
   devise-encryptable
-  devise-token_authenticatable (~> 0.4.10)
+  devise-token_authenticatable
   dfc_provider!
   eventmachine (>= 1.2.3)
   factory_bot_rails (= 4.10.0)
@@ -829,6 +830,7 @@ DEPENDENCIES
   stripe
   test-prof
   test-unit (~> 3.3)
+  test_after_commit
   timecop
   uglifier (>= 1.0.3)
   unicorn
diff --git a/app/models/spree/user.rb b/app/models/spree/user.rb
index c07e3559cd8..089175595bd 100644
--- a/app/models/spree/user.rb
+++ b/app/models/spree/user.rb
@@ -1,7 +1,8 @@
 module Spree
   class User < ActiveRecord::Base
     devise :database_authenticatable, :token_authenticatable, :registerable, :recoverable,
-           :rememberable, :trackable, :validatable, :encryptable, encryptor: 'authlogic_sha512'
+           :rememberable, :trackable, :validatable,
+           :encryptable, :confirmable, encryptor: 'authlogic_sha512', reconfirmable: true
 
     has_many :orders
     belongs_to :ship_address, foreign_key: 'ship_address_id', class_name: 'Spree::Address'
@@ -39,9 +40,6 @@ class User < ActiveRecord::Base
 
     validate :limit_owned_enterprises
 
-    # We use the same options as Spree and add :confirmable
-    devise :confirmable, reconfirmable: true
-
     class DestroyWithOrdersError < StandardError; end
 
     def self.admin_created?