Is it possible to log in a user with only an email the very first time with passwordless?
Then the other times, if a user tries to log in with this email, a code sent by email will be asked for. But not the first time.
Can we do that with Auth0? Is it secure?
This is not supported, and not recommended. Without proper authentication, you cannot determine whether the user is using his/her actual email address - malicious users can “sign up” multiple times using other people’s email addresses.
Our recommendation would be to use the full passwordless connection, where the user needs to receive a code/magic link to authenticate.
Thanks Prashant. I understand, but actually a malicious user can also sign up multiple times with email and password if we don’t ask for an email validation, right?
For this case, we have the Force Email Verification rule: Verify Emails using Auth0
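The gate that an email-verification rule applies at login, as an added sketch that is not part of the thread and not Auth0's own rule code. It assumes the Rules signature `(user, context, callback)` and the profile's `email_verified` flag; `UnauthorizedError` is stubbed here because the Rules runtime normally supplies it, and `runRule` and the sample profiles are constructed for the example.

```javascript
// Stand-in for the UnauthorizedError global that the Auth0 Rules runtime
// provides; defined here only so the sketch runs outside Auth0.
class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnauthorizedError';
  }
}

// Rule-shaped function: login continues only when the profile's
// email_verified flag is exactly true. A missing flag is treated as
// unverified, so the check fails closed.
function forceEmailVerification(user, context, callback) {
  if (user.email_verified !== true) {
    return callback(
      new UnauthorizedError('Please verify your email before logging in.')
    );
  }
  return callback(null, user, context);
}

// Hypothetical helper (not an Auth0 API): runs the rule on one profile
// and reports whether the login would be allowed.
function runRule(user) {
  let outcome;
  forceEmailVerification(user, {}, (err) => {
    outcome = err ? { allowed: false, reason: err.name } : { allowed: true };
  });
  return outcome;
}

// Constructed sample profiles, not real accounts.
const unverifiedSignup = { email: 'victim@example.com', email_verified: false };
const verifiedOwner = { email: 'owner@example.com', email_verified: true };
const missingFlag = { email: 'nobody@example.com' };

console.log(runRule(unverifiedSignup));
console.log(runRule(verifiedOwner));
console.log(runRule(missingFlag));
```

With this gate in place, an account created with someone else's address can exist but cannot complete a login until the address owner has confirmed it.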