Can OTPs be re-created and forced to expire when using passwordless auth via SMS?

Hi there,

I would like to implement a passwordless SMS flow. I’m still very much in the beginning of getting my head around passwordless and have some preliminary questions:

  1. When I call the POST passwordless/start endpoint, the user is registered and receives an OTP with a set expiry. The user can now log in to our app. If the user changes the device they want to use the app from, how can we issue a new token for them?

  2. In case the user has by mistake entered a wrong phone number for registration, a stranger might receive the OTP and could be able to log into our app. Is there a way to force an OTP to expire and revoke access?

Thanks a lot!