Thanks for that, @sgmeyer!
The mfa flow looks good but I’m not sure it fits what I need and I don’t think universal login will work either. My app allows sign up by email (passwordless only) and once authenticated, users have the ability to add a mobile number which can be subsequently used to login with - I don’t allow sms sign ups. For that I need to be able to send and verify a one time code sent via SMS after which the secondary user (with SMS connection type) is linked to the primary account. I had previously implemented this by creating an auth0 user with with phone_verified set to false which triggers an sms to be sent. Following that I could verify the code via /oauth/ro and then link. It’s the 2nd part that’s broken i.e. no way to verify the code that is sent when the sms user is created.
I think a better fit is to switch to twilio/authy for sms verification. This means a slight change to the workflow that delays the creation of the sms user in auth0 until after code verification. This is probably an improvement albeit one I hadn’t planned on implementing.
Cheers,
Craig