I would like to implement a passwordless SMS flow. I’m still very much in the beginning of getting my head around passwordless and have some preliminary questions:
When I call the POST passwordless/start endpoint, the user is registered and receives an OTP with a set expiry. The user can now log in to our app. If the user changes the device they want to use the app from, how can we issue a new token for them?
In case the user has by mistake entered a wrong phone number for registration, a stranger might receive the OTP and could be able to log into our app. Is there a way to force an OTP to expire and revoke access?
Thanks a lot!