Can you add an email address to a passwordless-sms identity?
I need to have an email on the identity so that I can then link it to a password identity.
Is there a way I can also verify this email within the Auth0 infrastructure?
Things I have thought of.
- Adding the email provided during a progressive profile. No way I know of to verify said email.
- Adding the email to the identity email field. I get a 40X error, as this property is not available with passwordless-sms.
- Linking the account based on the email the user who validated the SMS entered. This method is not secure for existing accounts.
Thanks for any help you can provide!
Hello @justinboyd !
Account linking would be the right option here.
We would like to know more about why you think this method is not secure for existing accounts.
Thanks in advance!
I haven’t figured out a secure model because I have no way of verifying the email address from the SMS OTP login.
Here is the flow.
- A user attempts a login via SMS OTP (but they are actually a new user with an existing email account).
- We detect the new signup and do a progressive profile to collect the email address and a few other details such as name, etc.
- Saving the email address on user_metadata is possible but not homogeneous with the rest of the system, nor is there a mechanism to validate that email address. So we create a password account and link the SMS user to that account (which sends a verification email). However, in this use case the email already exists in the system.
- We need to verify that the SMS user is the owner of the email otherwise a user could gain access to an existing account if we linked the user email based on what they entered, without verifying a password or a password reset option.
That 4th step is the issue. We do not have a model to verify a second user within the authentication flow or to trigger a verification email.
Hello, @justinboyd !
It seems like this might be what you are looking for.
In this case, you would authenticate with SMS, be redirected to your application, and within your application select to link your account with another existing provider (i.e. email).
I hope this helps with your case.
We have created a FAQ related to this topic. Please check it out: How to Implement Client-Side User Initiated Account Linking