Feasibility of custom passwordless phone-number-based flow

We are an enterprise customer of Auth0 and want to use embedded passwordless (phone-number-based) login, with SMS, for use in our native mobile apps.

As part of our current mobile application flow, the user receives an SMS message outside of Auth0, with a deep link that navigates them into the native app. The deep link contains metadata, including their phone number. This would make it easy for us to invoke /passwordless/start, to initiate the passwordless flow with the phone number, without the user having to do anything.

We understand the 2nd step in the passwordless flow is to prompt the user for a one-time-use code, and call the /oauth/token endpoint using that generated code to get auth tokens.

Ideally, we would like to avoid sending the user a 2nd SMS message, and not require the user to enter the one-time-use code to obtain a JWT.

Is it possible to customize the passwordless flow, so the user (as described in the scenario above) isn’t required to enter the one-time-use code to authenticate? Again, in this scenario, the user already arrived at the app having followed a deep link provided by us, so we know concretely that they have control of the device with the phone number associated with their Auth0 account.
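The two-step flow the question describes, as an added Python example that is not part of this thread or of Auth0's own SDKs. The endpoint paths, the `sms` connection/realm and the OTP grant type are Auth0's documented values; `DOMAIN`, `CLIENT_ID` and the phone number are placeholders, and the HTTP transport is injected so the request bodies can be inspected offline.

```python
import json
import urllib.request
from typing import Any, Callable, Dict

DOMAIN = "YOUR_TENANT.auth0.com"   # placeholder tenant domain
CLIENT_ID = "YOUR_CLIENT_ID"       # placeholder native-app client id
OTP_GRANT = "http://auth0.com/oauth/grant-type/passwordless/otp"

# transport: (url, json_body) -> parsed JSON response; injected for testability
Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def start_sms(phone_number: str, post: Transport) -> Dict[str, Any]:
    """Step 1: ask Auth0 to send a one-time code to the phone. The number can
    come straight from the deep-link metadata, so the user types nothing here."""
    body = {"client_id": CLIENT_ID, "connection": "sms",
            "phone_number": phone_number, "send": "code"}
    return post(f"https://{DOMAIN}/passwordless/start", body)


def exchange_otp(phone_number: str, otp: str, post: Transport) -> Dict[str, Any]:
    """Step 2: exchange the code the user typed for tokens. This is the step the
    question wants to drop; it is also the only step that proves the caller can
    read SMS on that number right now, rather than merely holding a link that
    could have been forwarded to someone else."""
    body = {"grant_type": OTP_GRANT, "client_id": CLIENT_ID, "realm": "sms",
            "username": phone_number, "otp": otp, "scope": "openid profile"}
    return post(f"https://{DOMAIN}/oauth/token", body)


def http_post(url: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport using only the standard library (not exercised offline)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    phone = "+15555550100"  # constructed placeholder number
    start_sms(phone, http_post)
    print(exchange_otp(phone, input("code from SMS: "), http_post))
```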

What if they share that deep link with other people?

In your scenario, if you eliminate the 2nd SMS message, wouldn’t that enable any person with access to that deep link to potentially impersonate the original user?

@talal - you bring up a good point, and I agree this is a valid concern.

After discussing with our product team, we do not believe this is something we need to worry about, and that it is more of an edge case scenario.
